NetApp Knowledge Base

What's the impact of using 'SYSTEM' authentication of a service when accessing SMB Shares

Applies to

  • ONTAP 9
  • Windows Services

Answer

  • When a service runs as SYSTEM, it authenticates to the SMB server as the computer's machine account.
  • The Windows OS determines whether it can use Kerberos or must fall back to NTLM to authenticate.
  • ONTAP allows machine accounts to authenticate via both NTLM and Kerberos.
  • If the client uses NTLM to authenticate:
    • Each CIFS session requires the SMB server to reach out to a domain controller (DC) to validate the credentials passed.
    • If the CIFS session is not reused, each file operation opens a new CIFS session and requires credential validation via the DC.
      • A service that reads {x} files therefore causes {x} password validations from the SMB server to the DC, which can be very taxing.
      • This issue compounds as the DC begins to slow down under the excess validation load, potentially resulting in high authentication latency for new sessions.
  • If the client uses Kerberos to authenticate, the client simply resubmits its service ticket when opening new sessions.
    • While decrypting the ticket incurs a minimal penalty, this authentication workflow is generally less susceptible to latency, in addition to being more secure.
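
As an added example (not from the NetApp article), the following Python script shows one way a defender could spot this pattern in logon telemetry: it counts network logons by machine accounts per authentication package and flags those that repeatedly authenticate with NTLM, which is the signature of a SYSTEM service opening a fresh CIFS session per file. The one-line log format, host names and threshold are constructed assumptions; only the field names are borrowed from Windows Security event 4624.

```python
"""Count machine-account SMB logons by authentication package (added example,
not NetApp code). Sample lines are constructed: they use the field names of
Windows Security event 4624 but the one-line layout and hosts are made up."""
import re
from collections import Counter

# Constructed sample: a SYSTEM service on FILESVC01 opens a new SMB session per
# file, so FILESVC01$ appears once per file operation, each an NTLM validation
# the SMB server must forward to a DC. APPSRV07$ uses Kerberos instead.
SAMPLE_EVENTS = """\
4624 LogonType=3 AccountName=FILESVC01$ AuthenticationPackage=NTLM Workstation=FILESVC01
4624 LogonType=3 AccountName=FILESVC01$ AuthenticationPackage=NTLM Workstation=FILESVC01
4624 LogonType=3 AccountName=FILESVC01$ AuthenticationPackage=NTLM Workstation=FILESVC01
4624 LogonType=3 AccountName=APPSRV07$ AuthenticationPackage=Kerberos Workstation=APPSRV07
4624 LogonType=3 AccountName=jdoe AuthenticationPackage=NTLM Workstation=WS-1234
4624 LogonType=2 AccountName=FILESVC01$ AuthenticationPackage=Kerberos Workstation=FILESVC01
"""

EVENT_RE = re.compile(
    r"^(?P<event_id>\d+)\s+LogonType=(?P<logon_type>\d+)\s+AccountName=(?P<account>\S+)"
    r"\s+AuthenticationPackage=(?P<package>\S+)\s+Workstation=(?P<workstation>\S+)$"
)


def parse_events(text):
    """Parse the constructed one-line events; non-matching lines are skipped."""
    matches = (EVENT_RE.match(line.strip()) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]


def machine_account_logons(events):
    """Count network logons (type 3) by machine accounts ('$' suffix), keyed by
    (account, package); interactive logons and user accounts are ignored."""
    counts = Counter()
    for ev in events:
        if ev["event_id"] == "4624" and ev["logon_type"] == "3" and ev["account"].endswith("$"):
            counts[(ev["account"], ev["package"])] += 1
    return dict(counts)


def ntlm_heavy_machine_accounts(counts, threshold):
    """Machine accounts with at least `threshold` NTLM network logons: under NTLM
    each one is a separate DC credential validation, so a high count is the
    signature of a SYSTEM service that is not reusing its CIFS session."""
    return sorted(a for (a, p), n in counts.items() if p == "NTLM" and n >= threshold)
```

Accounts flagged this way are candidates for checking why the client fell back to NTLM (for example a missing SPN or an IP-based share path), since moving them to Kerberos removes the per-session DC round trip.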


NetApp provides no representations or warranties regarding the accuracy or reliability or serviceability of any information or recommendations provided in this publication or with respect to any results that may be obtained by the use of the information or observance of any recommendations provided herein. The information in this document is distributed AS IS and the use of this information or the implementation of any recommendations or techniques herein is a customer's responsibility and depends on the customer's ability to evaluate and integrate them into the customer's operational environment. This document and the information contained herein may be used solely in connection with the NetApp products discussed in this document.