ONTAP Guidance for Microsoft Security Update KB5073381 (CVE‑2026‑20833)
Applies to
- ONTAP 9
- Cloud Volumes ONTAP (CVO)
- CIFS/SMB with Kerberos authentication
- Active Directory (AD)
- Microsoft Security Update KB5073381
- CVE-2026-20833
Answer
- Per "How to manage Kerberos KDC usage of RC4 for service account ticket issuance changes related to CVE-2026-20833", this change only negatively impacts:
  - Accounts that do not have a value set for the msDS-SupportedEncryptionTypes Active Directory attribute
- By default, ONTAP always sets a value for msds-SupportedEncryptionTypes when the CIFS server is joined to Windows Active Directory
- Consequently, this change should not impact most ONTAP CIFS servers
- However, in rare cases, if a DC-side problem causes the msds-SupportedEncryptionTypes Active Directory attribute to be blank, the CIFS server will be impacted
- Question: How can we check whether our CIFS server is going to be disrupted by this CVE-fix?
- If PowerShell or the Active Directory Attribute Editor shows that the CIFS server's machine account in Active Directory does not have a value set for the msDS-SupportedEncryptionTypes attribute, then the CIFS server will be disrupted by the CVE-fix
- In the below example, msDS-SupportedEncryptionTypes does not have a value set, so the CVE-fix will disrupt the CIFS server:

    PS> get-adcomputer svm1 -properties * | select msDS-SupportedEncryptionTypes,KerberosEncryptionType

    msDS-SupportedEncryptionTypes KerberosEncryptionType
    ----------------------------- ----------------------
                                  {}

- In the below example, msDS-SupportedEncryptionTypes has a value set, so the CVE-fix will not disrupt the CIFS server:

    PS> get-adcomputer svm1 -properties * | select msDS-SupportedEncryptionTypes,KerberosEncryptionType

    msDS-SupportedEncryptionTypes KerberosEncryptionType
    ----------------------------- ----------------------
                                4 {RC4}
- If the msDS-SupportedEncryptionTypes Active Directory attribute is blank, populate it using the steps in the KB "Cannot change security encryption types on a vserver error: LDAP attribute missing"
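The manual check above can be scripted. The following is an added example, not part of this KB: it reads the machine account's msDS-SupportedEncryptionTypes with Get-ADComputer, decodes the bitmask (the flag values are Microsoft's documented encryption-type bits; 4 is RC4-HMAC, matching the sample output above), and reports both states a defender cares about: a blank attribute (disrupted by the CVE-fix) and an RC4/DES-only value (affected once the RC4 fallback is disabled). The function name and the account name 'svm1' are this example's own.

```powershell
# Added example (not from the KB). Requires the ActiveDirectory module.
# Documented bit values of msDS-SupportedEncryptionTypes.
$EncTypeBits = [ordered]@{
    'DES-CBC-CRC' = 0x01
    'DES-CBC-MD5' = 0x02
    'RC4-HMAC'    = 0x04
    'AES128-CTS'  = 0x08
    'AES256-CTS'  = 0x10
}

function Test-CifsServerEncTypes {
    param(
        # The CIFS server's AD machine account, i.e. the 'cifs-server' value from "cifs show"
        [Parameter(Mandatory)][string]$MachineAccount
    )
    # Request only the attribute that matters instead of -Properties *
    $acct = Get-ADComputer -Identity $MachineAccount -Properties msDS-SupportedEncryptionTypes
    $raw  = $acct.'msDS-SupportedEncryptionTypes'

    if ($null -eq $raw) {
        # Blank attribute: the state the CVE-2026-20833 fix breaks ("LDAP attribute missing")
        return [pscustomobject]@{ Account = $MachineAccount; Value = $null; Types = @()
                                  Status = 'BLANK - will be disrupted by the CVE-fix' }
    }

    # Decode the bitmask into human-readable encryption type names
    $types  = @($EncTypeBits.GetEnumerator() | Where-Object { ($raw -band $_.Value) -ne 0 } |
                ForEach-Object { $_.Key })
    $hasAes = ($raw -band 0x18) -ne 0   # AES128 or AES256 bit present

    $status = if ($hasAes) { 'OK - AES advertised' }
              elseif ($types.Count -eq 0) { 'Value set but no known encryption type bits' }
              else { 'RC4/DES only - enable AES before the RC4 fallback is disabled' }

    [pscustomobject]@{ Account = $MachineAccount; Value = $raw; Types = $types; Status = $status }
}

# Usage: check one SVM's machine account
Test-CifsServerEncTypes -MachineAccount 'svm1' | Format-List
```

Run it from a host with RSAT and rights to read the computer object; a Status beginning with BLANK is the condition this KB describes.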
- Question: What are the symptoms of being impacted?
- The AD machine account is missing configured encryption types (this is the single defining signature for this issue); see "How to check supported encryption types for Kerberos in Active Directory"
- CIFS access denied via hostname:

    Windows cannot access \\hostname
    Error code: 0x80004005
    Unspecified error

- Access via IP works
- Packet capture shows a session setup response of KRB5KRB_AP_ERR_MODIFIED
- Secd contains KRB5KRB_AP_ERR_NOT_US
- klist shows that the client host lacks a working Kerberos ticket for the SVM
- cifs password-reset fails with:

    Error: command failed: Password update failed. Reason SecD Error: LDAP attribute missing.
Additional Information
- Microsoft identifies RC4 as a weak encryption type and recommends transitioning Kerberos environments to AES (AES‑128 / AES‑256).
- ONTAP shares the same guidance and recommends disabling RC4 for Kerberos authentication and using AES‑128 / AES‑256.
- To mitigate RC4-related risks, configure the CIFS server to use AES‑128 / AES‑256.
- SVMs created in ONTAP 9.13.1 and after have AES enabled by default, so they will not be disrupted by the CVE-fix
- SVMs created before ONTAP 9.13.1 do not have AES enabled by default, so AES will need to be enabled manually
- Question: When is this change scheduled to occur?
- January 2026: Audit phase
- April 2026: AES becomes the default (RC4 fallback disabled)
- July 2026: Full RC4 deprecation (enforcement)
- To view the SVM's currently enabled Kerberos encryption types, run
cifs security show -vserver svm1 -fields advertised-enc-types
- To find the name of the SVM's Active Directory machine account
cifs show -vserver svm1 -fields cifs-server
- Question: What happens to existing RC4-encrypted Kerberos service tickets after switching from RC4/DES to AES?
- When the client presents its RC4-encrypted ticket to ONTAP, ONTAP cannot decrypt it, so Kerberos authentication fails
- After a failed Kerberos authentication attempt, the client should automatically request a new AES-encrypted ticket from the KDC
- Consequently, the failure is not visible to the end-user
- Question: How do we manually force the client to request a new AES-encrypted ticket from the KDC?
- In the client's PowerShell, run klist purge
- Question: Do we need to remove rc4 and des from ONTAP to comply with the Microsoft KB? (ONTAP has 4 permitted Kerberos encryption types: aes-256, aes-128, rc4, des)
- Theoretically, No; if AES-128 or AES-256 is enabled in ONTAP, ONTAP does not require RC4 or DES to be removed.
  - Microsoft's phased deprecation plan disables RC4 fallback on the KDC/Windows side, not on the storage side.
  - Once Windows AD and clients stop issuing or accepting RC4 tickets, the remaining ONTAP RC4/DES advertisement becomes irrelevant.
  - Note: Starting from ONTAP 9.13.1, AES is enabled by default for Kerberos authentication without requiring manual configuration.
- Practically, Yes; NetApp recommends disabling RC4 and DES as a precaution, as those encryption types are insecure and in some instances have been observed to cause bad interactions with DCs; see "SMB share slow to load because DC does not accept RC4 encryption"
- Active IQ Wellness Risk: Enable CIFS AES Kerberos Encryption
- How to manage Kerberos KDC usage of RC4 for service account ticket issuance changes related to CVE-2026-20833
- Cannot change security encryption types on a vserver error: LDAP attribute missing
- What is the impact of enabling AES for Kerberos in ONTAP
- CIFS access denied via hostname in ONTAP due to missing encryption types on CIFS server machine account
- Windows cannot access \\hostname because msDS-SupportedEncryptionTypes is not set
