Can AES encryption be enabled on a CIFS server?
Applies to
- ONTAP 9
- CIFS
- AES
Answer
|
WARNING
|
- The SMB server supports the following encryption types for Kerberos communication:
- AES 256
- AES 128
- DES
- RC4-HMAC
- To enable AES for an SVM, use the below command:
Cluster1::> vserver cifs security modify -vserver <svm_name> -is-aes-encryption-enabled true
Example:
vserver cifs security modify -vserver VS1 -is-aes-encryption-enabled true
Info: In order to update the advertised encryption types, the password for the CIFS server machine account must be reset. Enter the username and password for the CIFS domain "DOMAIN.LOCAL".
Enter your user ID:
- Beginning with ONTAP 9.12.1, you can specify which encryption types to advertise to the Active Directory (AD) KDC. You can use the
-advertised-enc-typesoption to enable recommended encryption types, and you can use it to disable weaker encryption types. Learn how to enable and disable encryption types for Kerberos-based communication.Cluster1::> vserver cifs security modify -vserver <svm_name> -advertised-enc-types aes-128,aes-256
Additional Information
- Resetting CIFS machine account password might cause CIFS access issues
- Is it possible to configure AES on an SVM before creating the CIFS server?
- CIFS password change fails silently leading to secd: secd.kerberos.preauth:error after Microsoft April 2022 Hotfixes
- vserver cifs security modify
- Configure strong security for Kerberos-based communication by using AES encryption
