CIFS share inaccessible after enabling AES encryption on the SVM
Applies to
- ONTAP 9
- CIFS
- Advanced Encryption Standard (AES)
Issue
- The CIFS share is inaccessible after enabling AES encryption for Kerberos-based communication with the following command:
::> cifs server security modify -vserver <svm> -is-aes-encryption-enabled true
- AES-256 and AES-128 encryption types are not reflected in the CIFS server computer account msDS-SupportedEncryptionTypes properties:
PS C:\Users\Administrator> Get-ADComputer cifs01 -Properties msDS-SupportedEncryptionTypes,KerberosEncryptionType
DistinguishedName : CN=CIFS,OU=NetAppSVM,DC=ntapp,DC=local
DNSHostName : CIFS01.NTAPP.LOCAL
Enabled : True
KerberosEncryptionType : {RC4}
msDS-SupportedEncryptionTypes : 6
Name : CIFS01
ObjectClass : computer
ObjectGUID : 76b04d1c-90da-4a64-be61-eeffd8ee83d3
SamAccountName : CIFS01$
SID : S-1-5-21-3246256033-3924162847-1802636329-1224
- The following error may be observed in EMS:
[node-01: secd: secd.kerberos.preauth:error]: Kerberos pre-authentication failure due to out-of-sync machine account password for vserver (SVM1).
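The msDS-SupportedEncryptionTypes value 6 in the output above is a bitmask. The following is an added example, not part of the original article or NetApp's tooling, that decodes the mask and reports whether the AES types are advertised. Get-EncTypeReport is a hypothetical helper name, the bit values are those defined in MS-KILE section 2.2.7, and the comparison values 24 and 28 are constructed.

```powershell
# Added example: decode msDS-SupportedEncryptionTypes and flag missing AES.
# Bit assignments per MS-KILE 2.2.7 (Supported Encryption Types Bit Flags).
$EncTypeBits = @(
    @{ Bit = 0x01; Label = 'DES-CBC-CRC' }
    @{ Bit = 0x02; Label = 'DES-CBC-MD5' }
    @{ Bit = 0x04; Label = 'RC4-HMAC' }
    @{ Bit = 0x08; Label = 'AES128-CTS-HMAC-SHA1-96' }
    @{ Bit = 0x10; Label = 'AES256-CTS-HMAC-SHA1-96' }
)
$AesMask = 0x08 -bor 0x10

function Get-EncTypeReport {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$Name,
        # An unset attribute arrives as $null and is coerced to 0 here.
        [int]$Value
    )
    $known = 0
    $types = foreach ($e in $EncTypeBits) {
        $known = $known -bor $e.Bit
        if ($Value -band $e.Bit) { $e.Label }
    }
    # Classify AES coverage: both bits, one bit, or none.
    $aes = $Value -band $AesMask
    if ($aes -eq $AesMask) { $status = 'AES128+AES256' }
    elseif ($aes -ne 0)    { $status = 'partial AES' }
    else                   { $status = 'no AES' }

    [pscustomobject]@{
        Name      = $Name
        Value     = $Value
        Types     = @($types) -join ', '
        # Bits outside the five encryption types (feature flags), shown raw.
        OtherBits = '0x{0:X}' -f ($Value -band (-bnot $known))
        AesStatus = $status
    }
}

# 6 is the value shown on this page; 24 and 28 are constructed for comparison.
$samples = @(
    [pscustomobject]@{ Name = 'CIFS01';             Value = 6 }
    [pscustomobject]@{ Name = 'constructed-aes';    Value = 24 }
    [pscustomobject]@{ Name = 'constructed-rc4aes'; Value = 28 }
)
$samples | ForEach-Object { Get-EncTypeReport -Name $_.Name -Value $_.Value } |
    Format-Table -AutoSize

# Against a live account (requires the ActiveDirectory module):
# $c = Get-ADComputer cifs01 -Properties msDS-SupportedEncryptionTypes
# Get-EncTypeReport -Name $c.Name -Value $c.'msDS-SupportedEncryptionTypes'
```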