Can AES encryption be enabled on a CIFS server?
Applies to
- ONTAP 9
- CIFS
- AES
Answer
|
WARNING The user ID used to run the command must have permission to modify encryption type and change password for computer object in AD, such as a Domain Admin |
- The SMB server supports the following encryption types for Kerberos communication:
- AES 256
- AES 128
- DES
- RC4-HMAC
- To enable AES for an SVM, use the below command:
Cluster1::> vserver cifs security modify -vserver <svm_name> -is-aes-encryption-enabled true
Example:
vserver cifs security modify -vserver VS1 -is-aes-encryption-enabled true
Info: In order to update the advertised encryption types, the password for the CIFS server machine account must be reset. Enter the username and password for the CIFS domain "DOMAIN.LOCAL".
Enter your user ID:
Note: AES should be enabled on the Domain controllers
Additional Information
- Resetting CIFS machine account password might cause CIFS access issues
- Is it possible to configure AES on an SVM before creating the CIFS server?
- CIFS password change fails silently leading to secd: secd.kerberos.preauth:error after Microsoft April 2022 Hotfixes
- vserver cifs security modify
- Configure strong security for Kerberos-based communication by using AES encryption
- Beginning with ONTAP 9.12.1, you can specify which encryption types to advertise to the Active Directory (AD) KDC. You can use the
-advertised-enc-typesoption to enable recommended encryption types, and you can use it to disable weaker encryption types. Learn how to enable and disable encryption types for Kerberos-based communication.