Clients using NTLM when Kerberos is expected in ONTAP
Applies to
- ONTAP 9 (all versions)
- CIFS / SMB
- Windows Active Directory with Kerberos authentication
- AFF / FAS systems
Issue
Clients are using authentication style NTLM when Kerberos is expected. This includes the following scenarios:
- A client-side packet trace shows
KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN - Windows clients receive access failures after Group Policy Object (GPO) is configured to block NTLM and enforce Kerberos authentication
kliston the Windows client shows no Kerberos ticket is obtained for the CIFS server- Event Viewer logs NTLM fallback blocked or Kerberos negotiation failure events for the NetApp CIFS server
- Network drive mappings continue failing even after SPN-related GPO changes are applied
Cause
When a client reaches out to the Key Distribution Center (KDC) and requests a ticket for a service, the KDC searches for a matching hostname, IPv4, or IPv6 in the Service Principal Names (SPN) of the CIFS server machine account. If there is no match, the KDC returns KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN and the client may fall back to NTLM.
Common triggers:
- Missing
HOST/<short-hostname>orHOST/<FQDN>SPN entries on the CIFS server machine account in Active Directory - Drive mappings use the short hostname (for example,
\\sdf\share) but only the FQDN SPN is registered - NTLM is blocked via GPO to enforce Kerberos — if SPN is missing, Kerberos fails and the NTLM fallback is also blocked, causing access to fail entirely
- Renaming a cluster or SVM without updating SPNs
Solution
Determine the hostname, alias, or FQDN used to access the storage. This hostname must resolve to one or more of the LIFs owned by the SVM. Configure the desired hostname as an SPN on the CIFS server machine account.
Step 1: List current SPNs on the CIFS machine account
From a domain-joined Windows host with Active Directory permissions:
setspn -L <CIFS-machine-account>
Look for HOST/<short-hostname> and HOST/<FQDN> entries. If either is missing, proceed to Step 2.
Step 2: Add missing SPN entries
Use the -S switch to add SPNs with duplicate checking:
setspn -S HOST/<short-hostname> <CIFS-machine-account>
setspn -S HOST/<FQDN> <CIFS-machine-account>
Step 3: Flush the client Kerberos cache and verify
Allow a few minutes for Active Directory replication, then from the Windows client:
klist purge
net use * /delete
net use \\<server>\<share> /persistent:yes
klist
The klist output should show a Kerberos ticket for cifs/<FQDN>.
Note: Drive mappings that use an IP address will always fall back to NTLM. Kerberos requires a hostname or FQDN — update drive mappings accordingly.
Partner Notes
partnerNotes_text
Additional Information
To use an IP address for SPN, there are some requirements but the process is similar as outlined by Microsoft — Syntax for setspn CLI command.
To confirm the authentication method per connected client from ONTAP:
vserver cifs session show -fields auth-mechanism
To confirm the CIFS server name matches the machine account used with setspn:
vserver cifs show -vserver <svm-name>Internal Notes
internalNotes_text
