ONTAP Discussions

ONTAP 9: Active Directory Authentication Failed


I'm trying to set up AD authentication so that AD administrators can access the CLI and System Manager using their AD accounts.


1. I've run CIFS setup and added a data SVM to AD; the SVM is called 'svm-hostname' and the computer account (CIFS server) is called 'hostname-cifs'.

2. I've run the command '>security login domain-tunnel create -vserver svm-hostname'.

3. I've then run the command '>security login create -vserver hostname -user-or-group-name "AD SEC GRP" -application ontapi -authentication-method domain -role admin'.

4. I've repeated the above for ssh and http.


hostname::> security login show

Vserver: hostname

User/Group                 Authentication                 Acct   Authentication
Name           Application Method        Role Name        Locked Method
-------------- ----------- ------------- ---------------- ------ --------------
AD SEC GRP     http        domain        admin            -      none
AD SEC GRP     ontapi      domain        admin            -      none
AD SEC GRP     ssh         domain        admin            -      none
admin          console     password      admin            no     none
admin          http        password      admin            no     none
admin          ontapi      password      admin            no     none
admin          service-processor
                           password      admin            no     none
admin          ssh         password      admin            no     none
autosupport    console     password      autosupport      no     none



I've tried various ways of logging in with my AD account but I still keep getting access denied - any ideas?


Is it because the AD computer name ('hostname-cifs') is different to the data SVM ('svm-hostname')?
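The `security login show` table above is the place to audit who can reach the cluster with the admin role and through which authentication method. This is an added example, not code from the post or from NetApp: it parses that output format (including the row that wraps because 'service-processor' overflows the Application column) and lists the admin-role grants. The sample text is constructed from the table in the post, and it assumes only the User/Group column can contain spaces.

```python
# Added example (not from the post): parse `security login show` output and
# audit who holds the admin role. Sample below is constructed from the post.
SAMPLE_OUTPUT = """\
User/Group                 Authentication                 Acct   Authentication
Name           Application Method        Role Name        Locked Method
-------------- ----------- ------------- ---------------- ------ --------------
AD SEC GRP     http        domain        admin            -      none
AD SEC GRP     ontapi      domain        admin            -      none
AD SEC GRP     ssh         domain        admin            -      none
admin          console     password      admin            no     none
admin          http        password      admin            no     none
admin          ontapi      password      admin            no     none
admin          service-processor
                           password      admin            no     none
admin          ssh         password      admin            no     none
autosupport    console     password      autosupport      no     none
"""

FIELDS = ("application", "method", "role", "locked", "second_method")

def parse_security_login(text):
    """One dict per entry. Only the user/group column may hold spaces, so it
    is cut at the width of the first dashed column and the rest is split on
    whitespace; a long application name (service-processor) wraps the other
    fields onto the next line, which is folded back into the pending row."""
    lines = text.splitlines()
    sep = next(i for i, l in enumerate(lines) if l.startswith("---"))
    name_width = len(lines[sep].split()[0])
    rows, pending = [], None
    for line in lines[sep + 1:]:
        if not line.strip():
            continue
        name = line[:name_width].strip()
        tokens = line[name_width:].split()
        if name:                     # start of a new entry
            pending = {"user": name, "tokens": tokens}
            rows.append(pending)
        elif pending is not None:    # continuation of a wrapped entry
            pending["tokens"].extend(tokens)
    for row in rows:
        tokens = row.pop("tokens")
        if len(tokens) != len(FIELDS):
            raise ValueError("unexpected row layout for %r" % row["user"])
        row.update(zip(FIELDS, tokens))
    return rows

def admin_grants(rows):
    """(user, application, method) for every entry carrying the admin role."""
    return [(r["user"], r["application"], r["method"])
            for r in rows if r["role"] == "admin"]
```

Running `admin_grants(parse_security_login(SAMPLE_OUTPUT))` on the sample shows the three group-based domain grants next to the five local admin entries, which is the list to review whenever an AD group is mapped to the admin role.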






Please find the link below that talks about how to login to SM using AD groups.






Guys and Gals:

That link you provided is broken. You might want to fix that.

I seem to be going through the same steps.

My tunnel is created, my CIFS server is created. I know through trial and error you cannot have that same Vserver run CIFS and have a computer account create a computer with the same time. The docs never really say that when a CIFS server is created it actually creates a computer account. Via this error in 9.5: "A CIFS server for this Vserver already exists. Having both a CIFS server and an Active Directory account for the same Vserver is not supported." (Because it already created it.) "Use the "vserver cifs delete" command to delete the existing CIFS server (ACCOUNT) and try the command again." With the command that failed being: create -vserver XXXXNASDADAD -account-nameXXXXNASDADAD -domain something.something.net -ou CN. It seems the people that write the docs and the people that do it are once removed. (Are different folks.)



Thanks for the link. It looks like it covers the steps that I have completed above.