NTLM authentication fails due to machine account password mismatch
Applies to
- ONTAP 9
- CIFS
- NTLM
Issue
- CIFS users are unable to access the CIFS shares due to NTLM authentication failures
- The CIFS server is unable to connect to the netlogon service on the DCs discovered
EMS / secd log example
Failure Summary:
Error: Ontap admin cifs authentication basic procedure failed
[ 0 ms] Login attempt by domain user 'cii_encrypt/RAuomQCHJ+wnzpX3orc4tFYcQXYY74mKV0hmDpgSabc=/cii_encrypt\pii_encrypt/RAuomQCHJ+wnzpX3orc4tCEmQxSUkOODm2hLrcXanLE=/pii_encrypt' using NTLMv2 style security
[ 275] Successfully connected to ip 10.11.12.11, port 445 using TCP
[ 1108] Successfully authenticated with DC dc1.domain.com
[ 4339] Unable to connect to NetLogon service on dc1.domain.com (Error: RESULT_ERROR_GENERAL_FAILURE)
[ 4538] Successfully connected to ip 10.200.138.228, port 445 using TCP
[ 5146] Successfully authenticated with DC dc2.domain.com
[ 7135] Unable to connect to NetLogon service on dc2.domain.com (Error: RESULT_ERROR_GENERAL_FAILURE)
[ 7416] Successfully connected to ip 10.188.0.34, port 445 using TCP
[ 8268] Successfully authenticated with DC dc3.domain.com
[ 11075] Unable to connect to NetLogon service on dc3.domain.com (Error: RESULT_ERROR_GENERAL_FAILURE)
**[ 11075] FAILURE: Unable to make a connection (NetLogon:DOMAIN.COM), result: 6942
[ 11075] Ontap-admin-login-cifs failed
[ 11075] Retry requested, but the retry window (7000 ms) has expired; giving up.
- Establishing the Netlogon secure channel fails
EMS / secd log example
Fri Oct 25 2024 15:29:18 +08:00 [kern_secd:info:9504] | [000.134.860] ERR : RESULT_ERROR_GENERAL_FAILURE:3 in NetrEstablishSecureChannel() at src/Actions/MsrpcServices.cpp:4465
Fri Oct 25 2024 15:29:18 +08:00 [kern_secd:info:9504] | [000.134.867] ERR : RESULT_ERROR_GENERAL_FAILURE:3 in ensureSChannelKeyEstablished() at src/connection_manager/secd_connection.cpp:338
Fri Oct 25 2024 15:29:18 +08:00 [kern_secd:info:9504] | [000.134.871] ERR : RESULT_ERROR_GENERAL_FAILURE:3 in connect() at src/connection_manager/secd_connection.cpp:1531
- Issue started since cifs password reset failed
Audit log example
vserver cifs security modify -vserver svm1 -is-aes-encryption-enabled true :: Error: Password update failed. Reason: SecD Error: no connections available