Why is Kerberos authentication working when machine account is deleted?
Applies to
- ONTAP 9
- CIFS/SMB
- Kerberos
Answer
- Kerberos authentication is based on a ticket issued by the KDC (usually the Domain Controller); the ticket is cached on the client side until it expires.
- When the machine account is disabled or even deleted, the client keeps presenting the already issued ticket until it expires, and the service validates that ticket on its own (it is encrypted with the service's key) without asking the KDC whether the machine account is still valid or still exists.
- Example: a CIFS session that has already been established will continue to work even after permissions are revoked, because the ticket already presented to ONTAP remains valid until its expiry.
- This is expected behaviour.
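The following simulation, added here as an illustration and not part of the original KB article or of any NetApp code, shows the mechanism described above: a toy KDC issues a ticket sealed with the service's long-term key, a toy file server (standing in for ONTAP's CIFS server) validates tickets using only that key and the expiry time, and deleting the machine account at the KDC therefore has no effect on the cached ticket until it expires. The account name `HOST01$`, the service key and the ticket lifetime are constructed values, and an HMAC stands in for the real Kerberos encryption of the ticket.

```python
"""Why a deleted machine account keeps working: a Kerberos ticket-cache simulation."""
import hashlib
import hmac
import json
from dataclasses import dataclass, field

TICKET_LIFETIME = 600  # seconds; constructed value (real tickets usually last hours)


@dataclass
class KDC:
    """Toy KDC: knows the accounts and shares a long-term key with the file server."""
    service_key: bytes
    accounts: dict = field(default_factory=dict)  # account name -> enabled flag

    def issue_ticket(self, client: str, now: int) -> tuple:
        """Only the KDC checks account state, and only when a ticket is requested."""
        enabled = self.accounts.get(client)
        if enabled is None:
            raise PermissionError(f"{client}: no such account")
        if not enabled:
            raise PermissionError(f"{client}: account disabled")
        body = json.dumps({"client": client, "exp": now + TICKET_LIFETIME},
                          sort_keys=True).encode()
        # HMAC with the service key plays the role of encrypting the ticket
        mac = hmac.new(self.service_key, body, hashlib.sha256).hexdigest()
        return body, mac


@dataclass
class FileServer:
    """Toy service (the ONTAP CIFS server). It holds the service key, nothing else."""
    service_key: bytes
    sessions: set = field(default_factory=set)

    def accept_ticket(self, ticket: tuple, now: int) -> str:
        """Validate the ticket locally: signature and expiry only, no KDC round trip."""
        body, mac = ticket
        expected = hmac.new(self.service_key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            raise PermissionError("bad ticket signature")
        claims = json.loads(body)
        if now > claims["exp"]:
            raise PermissionError("ticket expired")
        self.sessions.add(claims["client"])
        return claims["client"]

    def close_sessions(self, client: str) -> None:
        """Administrative mitigation: drop the session instead of waiting for expiry."""
        self.sessions.discard(client)


def scenario() -> dict:
    """Walk through the KB scenario and report what happened at each step."""
    key = b"constructed-service-key"
    kdc = KDC(key, {"HOST01$": True})
    srv = FileServer(key)
    t0 = 1_000_000
    result = {}

    ticket = kdc.issue_ticket("HOST01$", t0)
    result["session_opened"] = srv.accept_ticket(ticket, t0) == "HOST01$"

    del kdc.accounts["HOST01$"]  # machine account deleted at the KDC

    # The server never consults the KDC, so the cached ticket still validates.
    result["still_works_after_delete"] = srv.accept_ticket(ticket, t0 + 60) == "HOST01$"

    # A fresh ticket request does hit the KDC and is refused.
    try:
        kdc.issue_ticket("HOST01$", t0 + 60)
        result["new_ticket_issued"] = True
    except PermissionError:
        result["new_ticket_issued"] = False

    # Once the cached ticket expires, access stops on its own.
    try:
        srv.accept_ticket(ticket, t0 + TICKET_LIFETIME + 1)
        result["works_after_expiry"] = True
    except PermissionError:
        result["works_after_expiry"] = False

    # Closing the session server-side cuts access immediately.
    srv.close_sessions("HOST01$")
    result["session_closed"] = "HOST01$" not in srv.sessions
    return result


if __name__ == "__main__":
    for step, outcome in scenario().items():
        print(f"{step}: {outcome}")
```

The point for an administrator is the last two steps: access granted by an already cached ticket ends either when the ticket expires or when the session is closed on the server, so disabling or deleting the account alone does not terminate an established CIFS session.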