Network and Storage Protocols

unable to access CNAME NetApp Share using computer account, got C199 error.

veronica
6,967 Views

Hello,

We recently got an issue that using a computer account to access a NetApp share via CNAME path doesn't work.

We have got a NetApp share created on server au01.domain.com. When using the computer account to access the share \\au01.domain.com\share$, it works fine.

We have created a cname record (storage.au.security) for this server (au01.domain.com).
When using the computer account to access the share using path \\storage.au.security\share$, it gives C199 error and error message is:

The account used is a computer account. Use your global user account or local user account to access this server.

It's basically same computer account, same share, however it doesn't work if using the cname.

Using a domain user account to access the share CNAME path works fine.

Any idea?

2 REPLIES 2

mbeattie
6,948 Views

Hi Veronica,

 

What mode and version of Data ONTAP are you running? 7-Mode or clustered Data ONTAP? It sounds like:

 

https://kb.netapp.com/support/index?page=content&id=2013374&locale=en_US

 

/matt

If this post resolved your issue, help others by selecting ACCEPT AS SOLUTION or adding a KUDO.

mbeattie
6,944 Views

Hi Veronica,

 

I think your issue is probably related to authentication using NTLM instead of Kerberos. I suspect using a computer account to access a share is not support.

 

For client access, to ensure kerberos is used when using a CName you need to ensure the service principle name property for the computer object is set for the DNS CName alias

 

https://technet.microsoft.com/en-au/library/cc731241.aspx

 

For example say i had computer account "VSERVER1" and wanted clients to be able to access it as "VS1" using kerberos instead of NTLM then you need to set the SPN for "VS1" on the "VSERVER1" computer account object. EG:

 

List the SPN's

C:\>setspn -L VSERVER1
Registered ServicePrincipalNames for CN=VSERVER1,OU=NetApp,DC=testlab,DC=local:
        HOST/VSERVER1
        HOST/vserver1.testlab.local

Register SPN’s:

C:\>setspn -A HOST/vs1.testlab.local TESTLAB\VSERVER1
Registering ServicePrincipalNames for CN=VSERVER1,OU=NetApp,DC=testlab,DC=local
        HOST/vs1.testlab.local
Updated object

C:\>setspn -A HOST/VS1 TESTLAB\VSERVER1
Registering ServicePrincipalNames for CN=VSERVER1,OU=NetApp,DC=testlab,DC=local
        HOST/VS1
Updated object

 

Check the SPN's have been updated:

 

C:\>setspn -l VSERVER1
Registered ServicePrincipalNames for CN=VSERVER1,OU=NetApp,DC=testlab,DC=local:
        HOST/VS1
        HOST/vs1.testlab.local
        HOST/vserver1.testlab.local
        HOST/VSERVER1

 

Note the additional SPN's for the computer object have been added.

 

/matt

If this post resolved your issue, help others by selecting ACCEPT AS SOLUTION or adding a KUDO.
Public