topic It seems that RC4 doesn't work for CIFS connections in ONTAP Discussions

It seems that RC4 doesn't work for CIFS connections

AlexeyF — Wed, 04 Jun 2025 09:51:23 GMT

We have FAS8040 with ONTAP 9.5 with a CIFS server.

It has the following security settings:

Vserver: SVM_CIFS

Kerberos Clock Skew: 5 minutes
Kerberos Ticket Age: 10 hours
Kerberos Renewal Age: 7 days
Kerberos KDC Timeout: 3 seconds
Is Signing Required: false
Is Password Complexity Required: true
Use start_tls for AD LDAP connection: false
Is AES Encryption Enabled: false
LM Compatibility Level: lm-ntlm-ntlmv2-krb
Is SMB Encryption Required: false
Client Session Security: -
SMB1 Enabled for DC Connections: system-default
SMB2 Enabled for DC Connections: system-default
LDAP Referral Enabled For AD LDAP connections: false
Use LDAPS for AD LDAP connection: false

After we've changed msDS-SupportedEncryptionTypes of SVM_CIFS in AD from 6 to 28 authentification via Kerberos ceased to work. I can see from the settings that AES is not enables but as far as I understood, RC4 is enabled always.

Taking into account that RC4 is present in 6 and 28 and it works with 6 but not with 28 I can make a conclusion that only DES can be used by NetApp in our case.

Any explanations why it could happen? Any ideas on how to debug it?

Thanks

msDS-SupportedEncryptionTypes:
6 (DES_CBC_MD5 | RC4_HMAC_MD5)
28 (RC4_HMAC_MD5 | AES128_CTS_HMAC_SHA1_96 | AES256_CTS_HMAC_SHA1_96)

Re: It seems that RC4 doesn't work for CIFS connections

Ontapforrum — Fri, 24 Mar 2023 20:50:17 GMT

Different protocols have their own method of interaction with Kerberos services, hence all encryption types are not mutually supported across protocols. As a best practice, AES should be used by default.

What Kerberos Encryption Types are supported with NAS protocols for ONTAP 9?

https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/What_Kerberos_Encryption_Types_are_supported_with_NAS_protocols_for_ONTAP_9

What is the impact of setting is-aes-encryption-enabled to TRUE?

https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/What_is_the_impact_of_setting_is-aes-encryption-enabled_to_TRUE

Re: It seems that RC4 doesn't work for CIFS connections

AlexeyF — Mon, 27 Mar 2023 10:09:22 GMT

@Ontapforrum thanks for the link !

I'm surprised to find out that RC4 is not in the list of supported algorithms.

because of this KB I understood that it was used for Kerberos authentication 🙂

Can RC4 encryption for Kerberos-based communication be disabled - NetApp Knowledge Base

Re: It seems that RC4 doesn't work for CIFS connections

Ontapforrum — Mon, 27 Mar 2023 10:37:58 GMT

Yes, that kb can be confusing due to its wording. In any case, I think due to number of vulnerabilities associated with RC4 Ciphers, NetApp strongly recommends AES.