What's the impact of using 'SYSTEM' authentication of a service when accessing SMB Shares
Applies to
- ONTAP 9
- Windows Services
Answer
- When a service runs as SYSTEM, it authenticates to the SMB server as the computer's machine account.
- The Windows OS determines whether it can use Kerberos or whether it must fall back to NTLM to authenticate.
- ONTAP allows machine accounts to authenticate via both NTLM and Kerberos.
- If the client uses NTLM to authenticate:
  - Each CIFS session requires the SMB server to contact the domain controller (DC) to validate the credentials presented.
  - If a CIFS session is not reused, each file operation opens a new CIFS session and requires credential validation via the DC.
  - A service that reads {x} files will therefore cause {x} password validations from the SMB server to the DC (potentially very taxing).
  - This issue compounds exponentially when the DC begins to slow down from the excess validations, potentially resulting in high authentication latency for new sessions.
- If the client uses Kerberos to authenticate, the client simply resubmits the service ticket when opening new sessions.
  - While this incurs a minimal penalty to decrypt the ticket, this authentication workflow is generally less susceptible to latency, in addition to being more secure.
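As an added example (not part of the NetApp article), the following detection logic runs over constructed records shaped like the fields of the DC's Security event 4776 (NTLM credential validation) and flags machine accounts whose validation rate points at the session-per-file pattern described above. The record layout, account names and the threshold are assumptions made for the example.

```python
from collections import Counter
from datetime import datetime

# Constructed sample, shaped like the fields a DC writes in Security event 4776
# (NTLM credential validation): (timestamp, logon account, source workstation).
# The source workstation is the SMB server that forwarded the NTLM exchange.
SAMPLE_4776 = [
    ("2024-05-01T10:00:00", "SVC-HOST01$", "SVR-CIFS"),
    ("2024-05-01T10:00:04", "SVC-HOST01$", "SVR-CIFS"),
    ("2024-05-01T10:00:09", "jdoe",        "SVR-CIFS"),
    ("2024-05-01T10:00:15", "SVC-HOST01$", "SVR-CIFS"),
    ("2024-05-01T10:00:22", "FILESRV02$",  "SVR-CIFS"),
    ("2024-05-01T10:00:31", "SVC-HOST01$", "SVR-CIFS"),
    ("2024-05-01T10:00:44", "SVC-HOST01$", "SVR-CIFS"),
    ("2024-05-01T10:00:52", "jdoe",        "SVR-CIFS"),
    ("2024-05-01T10:01:00", "SVC-HOST01$", "SVR-CIFS"),
]

def is_machine_account(account):
    """Machine (computer) accounts end in '$'; that is what a SYSTEM service presents."""
    return account.endswith("$")

def validations_per_account(records):
    """Count NTLM credential validations per logon account."""
    return dict(Counter(account for _, account, _ in records))

def observation_minutes(records):
    """Span of the sample in minutes (never less than one second)."""
    stamps = [datetime.fromisoformat(ts) for ts, _, _ in records]
    seconds = max((max(stamps) - min(stamps)).total_seconds(), 1.0)
    return seconds / 60.0

def flag_chatty_machine_accounts(records, min_per_minute):
    """Machine accounts whose NTLM validation rate exceeds the threshold.

    Each validation is one new CIFS session the SMB server had to send to the
    DC, so a high rate for one machine account is the signature of a SYSTEM
    service that opens a session per file operation instead of reusing one.
    Returns {account: validations_per_minute}.
    """
    minutes = observation_minutes(records)
    flagged = {}
    for account, count in validations_per_account(records).items():
        rate = count / minutes
        if is_machine_account(account) and rate > min_per_minute:
            flagged[account] = rate
    return flagged

if __name__ == "__main__":
    for account, rate in flag_chatty_machine_accounts(SAMPLE_4776, 5).items():
        print(f"{account}: {rate:.1f} NTLM validations/min - check session reuse or move to Kerberos")
```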