https://community.netapp.com/t5/Network-and-Storage-Protocols/Ontap-9-3-how-to-set-quot-LM-Compatibility-Level-quot-to-krb-only/m-p/143849#M9125 <P>Hi,</P> <P>You are correct.&nbsp;</P> <P>::&gt; vserver vscan scanner-pool create -vserver svm1 -scanner-pool vijay_pool1 -hostnames xx.xx.xx.xx -privileged-users administrator@naslab.local<BR />Error: command failed: The privileged user name "administrator@naslab.local" is invalid. A valid privileged user name must be in the form "domain-name\user-name".</P> <P>&nbsp;</P> <P>But i dont think we need to add anywhere in the format user@domain. With domain\user Kerberos works well. kerberos is possible if SPN is present for the host principal.&nbsp;</P> <P>&nbsp;</P> <P>If i have a packet trace i can say why NTLM is selected over Kerberos.&nbsp;</P> <P>I would recommend to open a support case to check if the VSCAN LIF's are properly configured with SPN's added for it so that VSCAN can connect to SVM using Kerberos authentication.</P> <P>&nbsp;</P> Fri, 12 Oct 2018 05:40:49 GMT Vijay_ramamurthy 2018-10-12T05:40:49Z https://community.netapp.com/t5/Network-and-Storage-Protocols/Ontap-9-3-how-to-set-quot-LM-Compatibility-Level-quot-to-krb-only/m-p/140553#M9020 <P>Hi,</P> <P>&nbsp;</P> <P>our security guy wants to limit the&nbsp;&nbsp;LM Compatibility Level to krb only.</P> <P>Now I tried that. This works fine, if a user is already authenticated in domain and has a kerboeros ticket.</P> <P>But, Users with fresh logins (f.e. the VSCAN User in the DOMAIN\USER format) can't longer login.</P> <P>After I set it to&nbsp;ntlmv2-krb, it works again.</P> <P>Ontap does not accept users in the user@domain format.</P> <P>&nbsp;</P> <P>Any hint?</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Regards..</P> Wed, 04 Jun 2025 13:40:37 GMT https://community.netapp.com/t5/Network-and-Storage-Protocols/Ontap-9-3-how-to-set-quot-LM-Compatibility-Level-quot-to-krb-only/m-p/140553#M9020 Samson_the_bear 2025-06-04T13:40:37Z https://community.netapp.com/t5/Network-and-Storage-Protocols/Ontap-9-3-how-to-set-quot-LM-Compatibility-Level-quot-to-krb-only/m-p/140713#M9022 <P>Hi there,</P> <P>&nbsp;</P> <P>My suggestion would be to open a ticket with our support centre for this query, as it may require more in-depth troubleshooting than would be normal for a message forum like this, it may also involve using and analysing packet captures from the systems, which most customers aren't fans of sharing publicly.</P> Tue, 05 Jun 2018 02:13:23 GMT https://community.netapp.com/t5/Network-and-Storage-Protocols/Ontap-9-3-how-to-set-quot-LM-Compatibility-Level-quot-to-krb-only/m-p/140713#M9022 AlexDawson 2018-06-05T02:13:23Z https://community.netapp.com/t5/Network-and-Storage-Protocols/Ontap-9-3-how-to-set-quot-LM-Compatibility-Level-quot-to-krb-only/m-p/143737#M9119 <P>So When you change the&nbsp;LM Compatibility Level" to krb only then only kerberos authentication is accepted by SVM.</P> <P>So if client connects to SVM selecting&nbsp; NTLM authentication then SVM will fail the request.&nbsp;</P> <P>&nbsp;</P> <P>I dont think the issue is because or the user account rather i think the client is trying to use NTLM authentication when connecting to SVM. Since KRB is the only authentication allowed , client fails to connect.&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Wheneven client connects to SVM using IP address , only NTLM authentication will happen.&nbsp; So if&nbsp;<SPAN>LM Compatibility Level" to krb only then those client connections will fail.&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN>If the issue is seen with VSCAN user account , then it could be because of VSCAN connection is not configured for Kerberos.</SPAN></P> <P><SPAN>For Kerberos authentication to work for the AV communication, create a DNS entry[HOST(A) record] for the data LIF used for VSCAN connection and a service principal name[ use setspn -s to add SPN entry] on the DC corresponding to the DNS entry created for the data LIF. Use this name when adding a LIF to the AV Connector. The DNS should be able to return a unique name for each data LIF connected to the AV Connector.</SPAN></P> <P><SPAN>&nbsp;</SPAN></P> Thu, 11 Oct 2018 12:44:40 GMT https://community.netapp.com/t5/Network-and-Storage-Protocols/Ontap-9-3-how-to-set-quot-LM-Compatibility-Level-quot-to-krb-only/m-p/143737#M9119 Vijay_ramamurthy 2018-10-11T12:44:40Z https://community.netapp.com/t5/Network-and-Storage-Protocols/Ontap-9-3-how-to-set-quot-LM-Compatibility-Level-quot-to-krb-only/m-p/143738#M9120 <P>HI,</P> <P>&nbsp;</P> <P>thx. Did you tried&nbsp; that?</P> <P>The data LIF has been already configured for kerberos.</P> <P>The is done by the configuration wizard for the CIFS svm.</P> <P>But the problerm persists: I can't use an account in kerberos format ( user@fqdn, "myadmin@my-enterprise.com") for the VSCAN-User.&nbsp;</P> <P>Users with "Domain\account" only made NTLM.</P> <P>The command</P> <P><EM>vserver vscan scanner-pool create -vserver data_SVM|cluster_admin_SVM -</EM><BR /><EM>scanner-pool scanner_pool -hostnames Vscan_server_hostnames -privilegedusers</EM><BR /><EM>privileged_users</EM></P> <P>does not allow the kerberos format for "<SPAN>privileged_users".</SPAN></P> <P>Try it by yourselve.&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Thu, 11 Oct 2018 13:02:07 GMT https://community.netapp.com/t5/Network-and-Storage-Protocols/Ontap-9-3-how-to-set-quot-LM-Compatibility-Level-quot-to-krb-only/m-p/143738#M9120 Samson_the_bear 2018-10-11T13:02:07Z https://community.netapp.com/t5/Network-and-Storage-Protocols/Ontap-9-3-how-to-set-quot-LM-Compatibility-Level-quot-to-krb-only/m-p/143849#M9125 <P>Hi,</P> <P>You are correct.&nbsp;</P> <P>::&gt; vserver vscan scanner-pool create -vserver svm1 -scanner-pool vijay_pool1 -hostnames xx.xx.xx.xx -privileged-users administrator@naslab.local<BR />Error: command failed: The privileged user name "administrator@naslab.local" is invalid. A valid privileged user name must be in the form "domain-name\user-name".</P> <P>&nbsp;</P> <P>But i dont think we need to add anywhere in the format user@domain. With domain\user Kerberos works well. kerberos is possible if SPN is present for the host principal.&nbsp;</P> <P>&nbsp;</P> <P>If i have a packet trace i can say why NTLM is selected over Kerberos.&nbsp;</P> <P>I would recommend to open a support case to check if the VSCAN LIF's are properly configured with SPN's added for it so that VSCAN can connect to SVM using Kerberos authentication.</P> <P>&nbsp;</P> Fri, 12 Oct 2018 05:40:49 GMT https://community.netapp.com/t5/Network-and-Storage-Protocols/Ontap-9-3-how-to-set-quot-LM-Compatibility-Level-quot-to-krb-only/m-p/143849#M9125 Vijay_ramamurthy 2018-10-12T05:40:49Z https://community.netapp.com/t5/Network-and-Storage-Protocols/Ontap-9-3-how-to-set-quot-LM-Compatibility-Level-quot-to-krb-only/m-p/143855#M9126 <P>My problem was: After I had set&nbsp;<SPAN>LM Compatibility Level to krb only (and restartet the CFIS SVM), I can't longer login using "DOMAIN\USER" at all. Only logins with an valid kerberos ticket are working. Direct logins at the CIFS SVM using "domain\user" won't work. But logins using the UPN are working.</SPAN></P> <P><SPAN>Sorry, I can't cross check this for now, because the CIFS SVM must restarted for this configuration change.</SPAN></P> <P>&nbsp;</P> <P><SPAN>With&nbsp;ntlmv2-krb, I can login using DOMAIN\USER an I get the&nbsp;auth-mechanism kerberos.</SPAN></P> <P><SPAN>Checked using "vserver cifs session show -vserver my_cifs_server -fields auth-mechanism,netbios-name,address"</SPAN></P> <P><SPAN>This is my problem.&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN>Can you check this an your device?</SPAN></P> <P>&nbsp;</P> Fri, 12 Oct 2018 08:13:57 GMT https://community.netapp.com/t5/Network-and-Storage-Protocols/Ontap-9-3-how-to-set-quot-LM-Compatibility-Level-quot-to-krb-only/m-p/143855#M9126 Samson_the_bear 2018-10-12T08:13:57Z