Can DES encryption for Kerberos-based communication be disabled on a CIFS server?
Applies to
- ONTAP 9.12+
- CIFS
- Kerberos
- Data Encryption Standard (DES)
- Domain Controller (DC)
Answer
- Yes, this is possible, depending on the ONTAP 9 version
- On versions with enhancement 1438811, configure the advertised encryption types for CIFS security and do not include DES
- The options on 9.12 include des, rc4, aes-128, and aes-256
- Example showing the value being set to aes-128,aes-256 so that neither DES nor RC4 is used
::> cifs security modify -vserver vserver -advertised-enc-types aes-256,aes-128
- Verification
::> cifs security show -vserver vserver -fields advertised-enc-types
vserver     advertised-enc-types
----------- --------------------
vserver     aes-256,aes-128
- Can I disable RC4 encryption for Kerberos-based communication?
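To repeat the verification step across several SVMs, the following added example (not NetApp's code) scans saved output of the cifs security show command above and reports any SVM that still advertises des or rc4. The SVM names and the multi-row layout of the sample are constructed assumptions based on the single-row output shown on this page.

```shell
#!/bin/sh
# Added example: audit "cifs security show -fields advertised-enc-types"
# output for SVMs that still advertise DES or RC4.

# Constructed sample output (not captured from a real cluster). Assumes one
# row per SVM in the same two-column layout as the verification output.
sample_output() {
cat <<'EOF'
cluster1::> cifs security show -fields advertised-enc-types
vserver     advertised-enc-types
----------- --------------------
svm_good    aes-256,aes-128
svm_legacy  des,rc4,aes-128,aes-256
svm_rc4     rc4,aes-256
EOF
}

# Reads show output on stdin and prints "<vserver> <weak types>" for each SVM
# advertising des or rc4. Prints nothing when every SVM is AES-only.
weak_enc_report() {
    awk '
        $1 ~ /::>$/ { next }                                      # pasted prompt line
        $1 == "vserver" && $2 == "advertised-enc-types" { next }  # column header
        $1 ~ /^-+$/ { next }                                      # dashed separator
        NF < 2 { next }                                           # blank or malformed row
        {
            n = split(tolower($2), types, ",")
            weak = ""
            for (i = 1; i <= n; i++)
                if (types[i] == "des" || types[i] == "rc4")
                    weak = weak (weak == "" ? "" : ",") types[i]
            if (weak != "") print $1, weak
        }
    '
}

# Exit status 0 only if no SVM advertises a weak type, so the function can
# gate a scheduled compliance check.
enc_types_compliant() {
    [ -z "$(weak_enc_report)" ]
}

# Demo run over the constructed sample.
sample_output | weak_enc_report
```

Feed the functions the saved output of the show command; a non-empty report lists the SVMs that still need the cifs security modify change shown above.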
Additional Information
- ONTAP Requirements for CIFS Kerberos
- Configure strong security for Kerberos-based communication by using AES encryption
- What Kerberos Encryption Types are supported with NAS protocols for ONTAP 9?
- Manage SMB server security settings ONTAP 9
- Can I disable RC4 for AES encryption for Kerberos-based communication?
- CIFS password change fails silently leading to secd: secd.kerberos.preauth:error after Microsoft April 2022 Hotfixes
- Command "cifs domain password schedule" fails with "secd.kerberos.preauth"