ONTAP Discussions

It seems that RC4 doesn't work for CIFS connections

AlexeyF

Hi

We have a FAS8040 with ONTAP 9.5 with a CIFS server.

It has the following security settings:

Vserver: SVM_CIFS

Kerberos Clock Skew: 5 minutes
Kerberos Ticket Age: 10 hours
Kerberos Renewal Age: 7 days
Kerberos KDC Timeout: 3 seconds
Is Signing Required: false
Is Password Complexity Required: true
Use start_tls for AD LDAP connection: false
Is AES Encryption Enabled: false
LM Compatibility Level: lm-ntlm-ntlmv2-krb
Is SMB Encryption Required: false
Client Session Security: -
SMB1 Enabled for DC Connections: system-default
SMB2 Enabled for DC Connections: system-default
LDAP Referral Enabled For AD LDAP connections: false
Use LDAPS for AD LDAP connection: false

After we changed msDS-SupportedEncryptionTypes of SVM_CIFS in AD from 6 to 28, authentication via Kerberos ceased to work. I can see from the settings that AES is not enabled, but as far as I understood, RC4 is always enabled.

Taking into account that RC4 is present in both 6 and 28, and it works with 6 but not with 28, I can conclude that only DES can be used by NetApp in our case.

Any explanations why it could happen? Any ideas on how to debug it?

Thanks

msDS-SupportedEncryptionTypes:
6 (DES_CBC_MD5 | RC4_HMAC_MD5)
28 (RC4_HMAC_MD5 | AES128_CTS_HMAC_SHA1_96 | AES256_CTS_HMAC_SHA1_96)

1 ACCEPTED SOLUTION
AlexeyF has accepted the solution

Ontapforrum

Different protocols have their own method of interaction with Kerberos services, hence all encryption types are not mutually supported across protocols. As a best practice, AES should be used by default.

What Kerberos Encryption Types are supported with NAS protocols for ONTAP 9?

https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/What_Kerberos_Encryption_Types_are_supported_with_NAS_protocols_for_ON...

What is the impact of setting is-aes-encryption-enabled to TRUE?

https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/What_is_the_impact_of_setting_is-aes-encryption-enabled_to_TRUE

AlexeyF

@Ontapforrum thanks for the link!

I'm surprised to find out that RC4 is not in the list of supported algorithms. Because of this KB, I understood that it was used for Kerberos authentication 🙂

Can RC4 encryption for Kerberos-based communication be disabled - NetApp Knowledge Base

Ontapforrum

Yes, that KB can be confusing due to its wording. In any case, I think due to the number of vulnerabilities associated with RC4 ciphers, NetApp strongly recommends AES.
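
The bitmask arithmetic behind the question, as an added example that is not part of any post in this thread: it decodes msDS-SupportedEncryptionTypes and intersects it with the encryption types the file server can handle. The two server sets are assumptions modelling the thread's conclusion (DES only while AES is disabled, AES added once is-aes-encryption-enabled is true), not NetApp's published support matrix.

```python
# Added example: why changing msDS-SupportedEncryptionTypes from 6 to 28 can
# leave no Kerberos encryption type in common with the file server.

# Bit values of the low five bits of msDS-SupportedEncryptionTypes.
# Higher (feature) bits of the attribute are ignored here.
ETYPE_BITS = {
    0x01: "DES_CBC_CRC",
    0x02: "DES_CBC_MD5",
    0x04: "RC4_HMAC_MD5",
    0x08: "AES128_CTS_HMAC_SHA1_96",
    0x10: "AES256_CTS_HMAC_SHA1_96",
}
WEAK = {"DES_CBC_CRC", "DES_CBC_MD5", "RC4_HMAC_MD5"}
AES = {"AES128_CTS_HMAC_SHA1_96", "AES256_CTS_HMAC_SHA1_96"}

# ASSUMPTION (hypothetical sets): what the CIFS server can handle, following
# the thread's conclusion rather than a vendor support matrix.
SERVER_AES_DISABLED = {"DES_CBC_CRC", "DES_CBC_MD5"}
SERVER_AES_ENABLED = SERVER_AES_DISABLED | AES


def decode(mask):
    """Return the etype names set in the mask, lowest bit first."""
    return [name for bit, name in sorted(ETYPE_BITS.items()) if mask & bit]


def report(mask, server_etypes):
    """Compare what the AD account advertises with what the server handles."""
    common = [e for e in decode(mask) if e in server_etypes]
    return {
        "advertised": decode(mask),
        "usable": common,
        "kerberos_possible": bool(common),
        # True when authentication works but only over DES/RC4.
        "only_weak": bool(common) and all(e in WEAK for e in common),
    }


if __name__ == "__main__":
    for mask in (6, 28):  # the two values from the original post
        for label, server in (("AES disabled", SERVER_AES_DISABLED),
                              ("AES enabled", SERVER_AES_ENABLED)):
            print(mask, label, report(mask, server))
```

Under these assumptions, 28 only yields a usable type once AES is enabled on the server, and 6 works only over DES, which is the weak-cipher case to flag in an audit.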
