Hi Rowl,

Have you checked the DNS server IP configured on your windows server, then verified that a DNS A and PTR records for the vserver exist on that DNS server in the correct DNS zone. IE from your server can you do a forward and reverse lookup of the vserver via hostname, fqnd and IP address using nslookup on your windows server? If so and DNS records exist then it could be a group policy issue.

Please note that the default security policy in Windows Server 2008 R2 could be preventing access to the CIFS shares depending on the security configuration on the storage.

Check the local policy on your server:

http://technet.microsoft.com/en-us/library/jj852270(v=ws.10).aspx

Check the following policy values

•    Domain Member: Digitally sign client communication (when possible)
•    Microsoft network client: Digitally sign communications (always)

What's the error message and error code you recieve in windows explorer when attempting to access the share?
Is SMB signing enabled on your storage but not on your windows server?

Do other operating systems have the same issue

Also are you attempting to access your vserver via a DNS CName alias? If so you check you have an SPN configured for the CName on your vservers AD computer account object.

Hope that provides a few troubleshooting options.

/Matt

This turned out to be an issue with the server having only SMB 1.0 enabled and the filer requiring Kerberos authentication and SMB signing. Unfortunately I got this information second hand and am not exactly sure how this was resolved. Apparently some application running on the server only worked with SMB 1.0, but that sounds like a misunderstanding to me. 

So what is the fix for this? We are having this issue as well in our environment.

We have 2008 R2 DC's in one site and 2012 R2 DC's in another. The site with 2012 R2 DC's is not having issues, but the other is.

Any idea's?

Hi,

I would advise checking there is an AD group policy that sets the SMB signing client configuration in combination with setting the a default authentication security level for you CIFS vserver. You would need to determine the correct configuration for your environment that enables all clients to connect based on the operating systems you are using. Some links to the docs:

https://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.cdot-famg-cifs%2FGUID-EE6C5170-7CF6-492C-83A6-9904AE247F21.html&lang=en

https://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.cdot-famg-cifs%2FGUID-861C90E9-A8B2-405C-9020-0C38679BD72B.html&lang=en

Also if you are accessing the CIFS vserver via a DNS CName alias ensure you have set an SPN on the AD computer object to ensure clients are able to authenticate via Kerberos rather than reverting to NTLM.

/Matt