ONTAP Discussions

It seems that RC4 doesn't work for CIFS connections

AlexeyF
3,632 Views

Hi

We have FAS8040 with ONTAP 9.5 with a CIFS server.

 

It has the following security settings:

Vserver: SVM_CIFS

Kerberos Clock Skew: 5 minutes
Kerberos Ticket Age: 10 hours
Kerberos Renewal Age: 7 days
Kerberos KDC Timeout: 3 seconds
Is Signing Required: false
Is Password Complexity Required: true
Use start_tls for AD LDAP connection: false
Is AES Encryption Enabled: false
LM Compatibility Level: lm-ntlm-ntlmv2-krb
Is SMB Encryption Required: false
Client Session Security: -
SMB1 Enabled for DC Connections: system-default
SMB2 Enabled for DC Connections: system-default
LDAP Referral Enabled For AD LDAP connections: false
Use LDAPS for AD LDAP connection: false

 

 

After we've changed msDS-SupportedEncryptionTypes of SVM_CIFS in AD from 6 to 28 authentification via Kerberos ceased to work. I can see from the settings that AES is not enables but as far as I understood, RC4 is enabled always.

Taking into account that RC4 is present in 6 and 28 and it works with 6 but not with 28 I can make a conclusion that only DES can be used by NetApp in our case.

 

Any explanations why it could happen? Any ideas on how to debug it?

Thanks

 

 

msDS-SupportedEncryptionTypes:
6 (DES_CBC_MD5 | RC4_HMAC_MD5)
28 (RC4_HMAC_MD5 | AES128_CTS_HMAC_SHA1_96 | AES256_CTS_HMAC_SHA1_96)

1 ACCEPTED SOLUTION

Ontapforrum
3,591 Views

Different protocols have their own method of interaction with Kerberos services, hence all encryption types are not mutually supported across protocols. As a best practice, AES should be used by default.

 

What Kerberos Encryption Types are supported with NAS protocols for ONTAP 9?

https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/What_Kerberos_Encryption_Types_are_supported_with_NAS_protocols_for_ON...

 

 

What is the impact of setting is-aes-encryption-enabled to TRUE?

https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/What_is_the_impact_of_setting_is-aes-encryption-enabled_to_TRUE

 

View solution in original post

3 REPLIES 3

Ontapforrum
3,592 Views

Different protocols have their own method of interaction with Kerberos services, hence all encryption types are not mutually supported across protocols. As a best practice, AES should be used by default.

 

What Kerberos Encryption Types are supported with NAS protocols for ONTAP 9?

https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/What_Kerberos_Encryption_Types_are_supported_with_NAS_protocols_for_ON...

 

 

What is the impact of setting is-aes-encryption-enabled to TRUE?

https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/What_is_the_impact_of_setting_is-aes-encryption-enabled_to_TRUE

 

AlexeyF
3,505 Views

@Ontapforrum thanks for the link !

I'm surprised to find out that RC4 is not in the list of supported algorithms. 

because of this KB I understood that it was used for Kerberos authentication 🙂

 Can RC4 encryption for Kerberos-based communication be disabled - NetApp Knowledge Base

Ontapforrum
3,496 Views

Yes, that kb can be confusing due to its wording. In any case, I think due to number of vulnerabilities associated with RC4 Ciphers, NetApp strongly recommends AES.

Public