ONTAP Requirements for CIFS Kerberos
Applies to
- ONTAP 9
- Microsoft Windows
- CIFS/SMB
- Kerberos
Answer
- Kerberos is the primary authentication service for Active Directory
- Microsoft suggests restriction of NTLM authentication
- Ensuring that clients authenticate to an ONTAP CIFS SVM with Kerberos, rather than silently falling back to NTLM, requires the following conditions to be met:
- Follow the Map the SMB server on the DNS server procedure, so that the SMB server name and any aliases used by clients resolve in DNS.
- Confirm that the hostname, alias, Fully Qualified Domain Name (FQDN) or IP address used in the server-name portion of the UNC path to the SMB share (\\servername\share) has a registered SPN. Use the
setspn -l
Windows command with the SVM SMB server name; the client builds the SPN from the exact name it was given, so the SPN on the SVM's real hostname does not cover an alias. If no entry matching the name used is returned, follow How to set an SPN.
C:\>setspn -l svm1
Registered ServicePrincipalNames for CN=SVM1,CN=Computers,DC=domain,DC=local:
HOST/svm1.domain.local
HOST/SVM1
- The time difference between ONTAP and the Active Directory domain controller must not exceed the maximum Kerberos clock skew, which defaults to 5 minutes on both ONTAP and Active Directory. Outside that window the KDC rejects ticket requests and ONTAP rejects the service ticket, so both ONTAP and the domain controllers should synchronize to the same NTP source. The ONTAP-side limit is shown by vserver cifs security show -vserver <svm> -fields kerberos-clock-skew.
- If RC4 support for Kerberos has been disabled on all domain controllers, enable AES encryption for Kerberos-based communication on the CIFS SVM (vserver cifs security modify -vserver <svm> -is-aes-encryption-enabled true). Without a common encryption type the KDC cannot issue a usable service ticket for the SVM and authentication fails. After connecting, confirm that the session was established with Kerberos using vserver cifs session show -vserver <svm> -fields auth-mechanism.
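The conditions above can be checked from a domain-joined Windows client before a cutover. The following PowerShell script is an added example and is not part of the NetApp KB article; it assumes hypothetical values (UNC path \\svm1-alias.domain.local\data, SVM computer account SVM1, domain controller dc1.domain.local) and the standard Windows tools setspn.exe, w32tm.exe and klist.exe. It extracts the server name from the UNC path, reports whether it is a DNS alias, parses setspn -L for a matching HOST/ or cifs/ SPN, measures clock offset to the domain controller, and requests a service ticket so the encryption type (AES or RC4) can be inspected.

```powershell
# Added example (not from the NetApp KB): pre-flight checks for Kerberos to an
# ONTAP SMB share. Hypothetical values: UNC path \\svm1-alias.domain.local\data,
# SVM computer account SVM1, domain controller dc1.domain.local. Run on a
# domain-joined Windows client as a domain user.
param(
    [string]$UncPath          = '\\svm1-alias.domain.local\data',
    [string]$SvmAccount       = 'SVM1',
    [string]$DomainController = 'dc1.domain.local',
    [int]   $MaxSkewSeconds   = 300   # default Kerberos clock skew on ONTAP and AD
)

$ok = $true

# 1. The client builds the SPN from the server part of the UNC, so that exact
#    string (not the SVM's real name) is what must be registered.
$server = ($UncPath -replace '^\\\\', '').Split('\')[0]
Write-Host "Server name taken from UNC: $server"
if ($server -as [ipaddress]) {
    Write-Warning "UNC uses an IP address; an SPN for the literal IP is required"
}

# 2. Report whether the name is a DNS alias (CNAME); an alias needs its own SPN.
$dns = Resolve-DnsName -Name $server -ErrorAction Stop
foreach ($cname in ($dns | Where-Object { $_.Type -eq 'CNAME' })) {
    Write-Host "$server is a CNAME for $($cname.NameHost)"
}

# 3. Parse 'setspn -L' output for the SVM account. SPN lines are indented,
#    e.g. "    HOST/svm1.domain.local". -contains is case-insensitive, which
#    matches how the KDC treats SPN hostnames.
$spns = setspn -L $SvmAccount 2>&1 | ForEach-Object {
    if ("$_" -match '^\s+(\S+/\S+)\s*$') { $Matches[1] }
}
$wanted = @("HOST/$server", "cifs/$server")
$match  = $spns | Where-Object { $wanted -contains $_ }
if ($match) {
    Write-Host "SPN registered on ${SvmAccount}: $($match -join ', ')"
} else {
    $ok = $false
    Write-Warning "No HOST/ or cifs/ SPN for '$server' on $SvmAccount (found: $($spns -join ', '))"
    Write-Warning "Register it with: setspn -S HOST/$server $SvmAccount"
}

# 4. Clock offset between this client and the DC. w32tm /dataonly prints lines
#    like "12:00:01, +00.0123456s"; the last sample is the measured offset.
$chart  = w32tm /stripchart /computer:$DomainController /samples:1 /dataonly
$sample = $chart | Select-String -Pattern '([+-]\d+\.\d+)s' | Select-Object -Last 1
if ($sample) {
    $offset = [math]::Abs([double]$sample.Matches[0].Groups[1].Value)
    if ($offset -gt $MaxSkewSeconds) { $ok = $false }
    Write-Host ("Clock offset to {0}: {1:N3}s (limit {2}s)" -f $DomainController, $offset, $MaxSkewSeconds)
} else {
    Write-Warning "Could not read a time offset from w32tm; check NTP on client and DC"
}

# 5. Request a service ticket for the name actually used. This fails when the
#    KDC cannot find the SPN; when it succeeds, the encryption type shows whether
#    the ticket is AES or RC4 (RC4 tickets stop working once DCs disable RC4).
$ticket = klist get "cifs/$server" 2>&1
$enc = $ticket | Select-String -Pattern 'KerbTicket Encryption Type:\s*(.+)$' | Select-Object -Last 1
if ($enc) {
    $type = $enc.Matches[0].Groups[1].Value.Trim()
    Write-Host "Service ticket for cifs/$server obtained, encryption type: $type"
    if ($type -match 'RC4') {
        Write-Warning "RC4 ticket: enable AES on the SVM before the DCs drop RC4"
    }
} else {
    $ok = $false
    Write-Warning "No service ticket for cifs/$server (output: $($ticket -join ' '))"
}

if ($ok) { Write-Host 'All checks passed; this client can use Kerberos for this path' }
else     { Write-Host 'One or more checks failed; expect NTLM fallback or an authentication failure' }
```

The script only reports; the suggested setspn -S command is printed rather than run so that an SPN is not registered on the wrong account by accident. The ONTAP-side confirmation (vserver cifs session show -fields auth-mechanism) still has to be done from the cluster, since a successful ticket request on the client proves the KDC side but not which mechanism the SVM accepted.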
Additional Information
- How Authentication Mechanism of established CIFS session can be identified
- CIFS/SMB is not accessible because authentication fails when the DNS alias/CNAME is not configured as an SPN
- Kerberos is an industry standard and not NetApp specific