Skip to main content
NetApp Knowledge Base

Clients using NTLM when Kerberos is expected in ONTAP

Views:
6,353
Visibility:
Public
Votes:
1
Category:
ontap-9
Specialty:
nas
Last Updated:

Applies to

  • ONTAP 9 (all versions)
  • CIFS / SMB
  • Windows Active Directory with Kerberos authentication
  • AFF / FAS systems

Issue

Clients are using authentication style NTLM when Kerberos is expected. This includes the following scenarios:

  • A client-side packet trace shows KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN
  • Windows clients receive access failures after Group Policy Object (GPO) is configured to block NTLM and enforce Kerberos authentication
  • klist on the Windows client shows no Kerberos ticket is obtained for the CIFS server
  • Event Viewer logs NTLM fallback blocked or Kerberos negotiation failure events for the NetApp CIFS server
  • Network drive mappings continue failing even after SPN-related GPO changes are applied

Cause

When a client reaches out to the Key Distribution Center (KDC) and requests a ticket for a service, the KDC searches for a matching hostname, IPv4, or IPv6 in the Service Principal Names (SPN) of the CIFS server machine account. If there is no match, the KDC returns KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN and the client may fall back to NTLM.

Common triggers:

  • Missing HOST/<short-hostname> or HOST/<FQDN> SPN entries on the CIFS server machine account in Active Directory
  • Drive mappings use the short hostname (for example, \\sdf\share) but only the FQDN SPN is registered
  • NTLM is blocked via GPO to enforce Kerberos — if SPN is missing, Kerberos fails and the NTLM fallback is also blocked, causing access to fail entirely
  • Renaming a cluster or SVM without updating SPNs

Solution

Determine the hostname, alias, or FQDN used to access the storage. This hostname must resolve to one or more of the LIFs owned by the SVM. Configure the desired hostname as an SPN on the CIFS server machine account.

Step 1: List current SPNs on the CIFS machine account

From a domain-joined Windows host with Active Directory permissions:

setspn -L <CIFS-machine-account>

Look for HOST/<short-hostname> and HOST/<FQDN> entries. If either is missing, proceed to Step 2.

Step 2: Add missing SPN entries

Use the -S switch to add SPNs with duplicate checking:

setspn -S HOST/<short-hostname> <CIFS-machine-account>
setspn -S HOST/<FQDN> <CIFS-machine-account>

Step 3: Flush the client Kerberos cache and verify

Allow a few minutes for Active Directory replication, then from the Windows client:

klist purge
net use * /delete
net use \\<server>\<share> /persistent:yes
klist

The klist output should show a Kerberos ticket for cifs/<FQDN>.

Note: Drive mappings that use an IP address will always fall back to NTLM. Kerberos requires a hostname or FQDN — update drive mappings accordingly.

Partner Notes

partnerNotes_text

Additional Information

To use an IP address for SPN, there are some requirements but the process is similar as outlined by Microsoft — Syntax for setspn CLI command.

To confirm the authentication method per connected client from ONTAP:

vserver cifs session show -fields auth-mechanism

To confirm the CIFS server name matches the machine account used with setspn:

vserver cifs show -vserver <svm-name>

Internal Notes

internalNotes_text

Sign in to view the entire content of this KB article.

New to NetApp?

Learn more about our award-winning Support

NetApp provides no representations or warranties regarding the accuracy or reliability or serviceability of any information or recommendations provided in this publication or with respect to any results that may be obtained by the use of the information or observance of any recommendations provided herein. The information in this document is distributed AS IS and the use of this information or the implementation of any recommendations or techniques herein is a customer's responsibility and depends on the customer's ability to evaluate and integrate them into the customer's operational environment. This document and the information contained herein may be used solely in connection with the NetApp products discussed in this document.