NetApp Knowledge Base

ONTAP Guidance for Microsoft Security Update KB5073381 (CVE‑2026‑20833)

Applies to

  • ONTAP 9
  • CIFS/SMB with Kerberos authentication
  • Active Directory (AD)
  • Microsoft Security Update KB5073381
  • CVE-2026-20833

Answer

  • Microsoft identifies RC4 as a weak encryption type and recommends transitioning Kerberos environments to AES (AES‑128 / AES‑256).
  • ONTAP shares the same guidance and recommends disabling RC4 for Kerberos authentication and using AES‑128 / AES‑256.
  • To mitigate RC4-related risks, configure the CIFS server to use AES‑128 / AES‑256.
  • Starting from ONTAP 9.13.1, AES is enabled by default for Kerberos authentication without requiring manual configuration.

Additional Information

  • Q1. When is this change scheduled?
    1. January 2026: Audit phase
    2. April 2026: AES becomes the default (RC4 fallback disabled)
    3. July 2026: Full RC4 deprecation (enforcement)
  • Q2. What happens to existing Kerberos service tickets after switching from RC4/DES to AES?

If the CIFS server is changed to AES‑only while clients still hold RC4‑encrypted service tickets, authentication to that CIFS server will fail until the client obtains a new AES‑encrypted service ticket.

Why? (Kerberos flow)

  • The client has a valid TGT (valid for up to ~10 hours).
  • The client previously obtained a CIFS service ticket encrypted with RC4.
  • The ONTAP CIFS server is later reconfigured to disallow RC4 and accept AES only.
  • When the client presents its RC4‑encrypted ticket, ONTAP cannot decrypt it → Kerberos authentication fails.

How to force the client to request a new TGT and a new AES service ticket:

  • Option 1 – Client clears cached tickets automatically

If the OS/application supports automatic ticket renewal after failure, the client obtains a new AES‑encrypted ticket from the KDC.

  • Option 2 – Manually purge tickets

If the client does not renew automatically, purge the Kerberos cache:

klist purge
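As an added example (not part of this NetApp article), the following Python script parses the ticket cache in the layout of Windows `klist` output and flags cached cifs/ service tickets that an AES‑only CIFS server could not decrypt, which is the Q2 failure described above; the ticket listing, realm and host names are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Sequence

# Constructed sample in the layout of Windows `klist` output (not a real capture).
SAMPLE_KLIST = """
Cached Tickets: (3)

#0>     Client: alice @ CORP.EXAMPLE
        Server: krbtgt/CORP.EXAMPLE @ CORP.EXAMPLE
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Session Key Type: AES-256-CTS-HMAC-SHA1-96

#1>     Client: alice @ CORP.EXAMPLE
        Server: cifs/filer01.corp.example @ CORP.EXAMPLE
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Session Key Type: RSADSI RC4-HMAC(NT)

#2>     Client: alice @ CORP.EXAMPLE
        Server: cifs/filer02.corp.example @ CORP.EXAMPLE
        KerbTicket Encryption Type: AES-128-CTS-HMAC-SHA1-96
        Session Key Type: AES-128-CTS-HMAC-SHA1-96
"""

@dataclass
class Ticket:
    server: str        # service principal, e.g. cifs/filer01.corp.example
    ticket_etype: str  # "KerbTicket Encryption Type" string as printed by klist

def classify_etype(name: str) -> str:
    """Map a klist encryption-type string to a family: AES, RC4, DES or OTHER."""
    upper = name.upper()
    for family in ("AES", "RC4", "DES"):
        if family in upper:
            return family
    return "OTHER"

def parse_klist(text: str) -> List[Ticket]:
    """Split klist output into '#N>' blocks and pull server + ticket etype from each."""
    tickets = []
    for block in re.split(r"(?m)^#\d+>", text)[1:]:
        server = re.search(r"Server:\s*(\S+)", block)
        etype = re.search(r"KerbTicket Encryption Type:\s*(.+)", block)
        if server and etype:
            tickets.append(Ticket(server.group(1), etype.group(1).strip()))
    return tickets

def stale_cifs_tickets(tickets: Sequence[Ticket], allowed=("AES",)) -> List[Ticket]:
    """Cached cifs/ service tickets whose etype the reconfigured server no longer accepts."""
    return [t for t in tickets
            if t.server.lower().startswith("cifs/")
            and classify_etype(t.ticket_etype) not in allowed]

def remediation(tickets: Sequence[Ticket]) -> str:
    """Human-readable verdict: all good, or which servers need a `klist purge` first."""
    stale = stale_cifs_tickets(tickets)
    if not stale:
        return "OK: all cached CIFS service tickets use AES"
    return "klist purge required; stale tickets for: " + ", ".join(t.server for t in stale)

if __name__ == "__main__":
    print(remediation(parse_klist(SAMPLE_KLIST)))
```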

  • Q3. Do we need to remove RC4 and DES from ONTAP to comply with the Microsoft KB? (ONTAP has 4 default encryption types: aes-256, aes-128, rc4, des)

No. If AES‑128 or AES‑256 is enabled, ONTAP does not require RC4 or DES to be removed.

Why?

  • Microsoft’s phased deprecation plan disables RC4 fallback on the KDC/Windows side, not on the storage side.
  • Once Windows AD and clients stop issuing or accepting RC4 tickets, the remaining ONTAP RC4/DES advertisement becomes irrelevant.

  Note: Starting from ONTAP 9.13.1, AES is enabled by default for Kerberos authentication without requiring manual configuration.

Other Information:

NetApp provides no representations or warranties regarding the accuracy or reliability or serviceability of any information or recommendations provided in this publication or with respect to any results that may be obtained by the use of the information or observance of any recommendations provided herein. The information in this document is distributed AS IS and the use of this information or the implementation of any recommendations or techniques herein is a customer's responsibility and depends on the customer's ability to evaluate and integrate them into the customer's operational environment. This document and the information contained herein may be used solely in connection with the NetApp products discussed in this document.