Thanks for your message!

1.     What configurations on the client to  determine what authentication method the client decides to use? In another word, how  can I find out what method the client is using if as you said it is determined by the client?

2.    What exactly MS-DC authentication is? Comparing to KERBEROS or MS-LDAP? As you see in outputs, all type are shown as MS-DC in all my vservers here. Does that mean we are using MS-DC on the vserver, not using KERBEROS or MS-LDAP?

3.    Following is the output of the command you suggested to run. Can you tell what authentication is it using from the output?

*> diag secd connection show -vserver vserver-name1 -node node-08
[ Cache: NetLogon/abc.organiz.com ]
Queue> Waiting: 0, Max Waiting: 2, Wait Timeouts: 0, Avg Wait: 0.00ms
Performance> Hits: 106030, Misses: 171539, Failures: 94422, Avg Retrieval: 1522.32ms

+ Rank: 01 - Server: 192.5.45.8 (robotron.abc.organiz.com)
Connected through the 10.192.26.17 interface, 0.5 mins ago
Version=SMB2, Credits Available=1, Signing=On
Used 1 time(s), and has been available for 30 secs
RTT in ms: mean=21.44, min=13, max=82, med=14, dev=15.86 (29.4 mins of data)

[ Cache: LSA/ais.columbia.edu ]
Queue> Waiting: 0, Max Waiting: 1, Wait Timeouts: 0, Avg Wait: 0.00ms
Performance> Hits: 435, Misses: 3463, Failures: 2131, Avg Retrieval: 3936.59ms

(No connections active or currently cached)

[ Cache: LDAP (Active Directory)/abc.organiz.com ]
Queue> Waiting: 0, Max Waiting: 1, Wait Timeouts: 0, Avg Wait: 0.00ms
Performance> Hits: 1, Misses: 2497, Failures: 1664, Avg Retrieval: 8100.82ms

(No connections active or currently cached)

Kerberos is used if there is a valid SPN associated with the machine account that operates the CIFS server and a hostname is used to access the SMB share in older versions of Windows:

https://support.microsoft.com/en-us/help/322979/kerberos-is-not-used-when-you-connect-to-smb-shares-by-using-ip-addres

Newer versions of Windows can leverage the IP address for Kerberos:

https://docs.microsoft.com/en-us/windows-server/security/kerberos/configuring-kerberos-over-ip

Basic process is this:

- User accesses the share via hostname or IP - Windows client version decides what happens based on the connection method

- If hostname, DNS is used to look up an IP address and the hostname is also used to search for a CIFS SPN (for example, if the hostname is cifs.domain.com, then the SPN is host/cifs.domain.com)

- If an IP address is used, Windows clients prior to Windows 10 and servers/DCs prior to 2016 will fall back to NTLM; If newer clients are used, a reverse DNS lookup is used to find the hostname, which is then used to find the SPN.

- If a valid SPN exists, then Kerberos authentication is used

- If there is no valid SPN (SPN that matches the hostname used) then CIFS falls back to NTLM

- If NTLM is not allowed in the domain, auth fails

This is the same process used by any Windows client. ONTAP doesn't really have any configuration options to control this other than the initial machine account creation. That initial creation determines the CIFS SPN associated with the machine account. For example, if I create a CIFS server named CIFS, then the SPN is host/cifs.domain.com.

You can see if your Windows client has a valid SPN to the CIFS server by running "klist" on the Windows client.

Example:

C:\>klist

Current LogonId is 0:0x2e17492

Cached Tickets: (2)

#0> Client: Administrator @ NTAP.LOCAL
Server: krbtgt/NTAP.LOCAL @ NTAP.LOCAL
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
Start Time: 8/25/2020 9:26:44 (local)
End Time: 8/25/2020 10:26:44 (local)
Renew Time: 9/17/2020 9:26:44 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0x1 -> PRIMARY
Kdc Called: ONEWAY

#1> Client: Administrator @ NTAP.LOCAL
Server: cifs/demo.ntap.local @ NTAP.LOCAL
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
Start Time: 8/25/2020 9:26:44 (local)
End Time: 8/25/2020 10:26:44 (local)
Renew Time: 9/17/2020 9:26:44 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0
Kdc Called: ONEWAY

If you want to use an alias name, you either create a CNAME record in DNS that points back to the A record of the CIFS server or you create a new A record with that alias and a new SPN:

1> Client: Administrator @ NTAP.LOCAL
Server: cifs/demoalias.ntap.local @ NTAP.LOCAL
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
Start Time: 8/25/2020 9:34:27 (local)
End Time: 8/25/2020 10:29:38 (local)
Renew Time: 9/17/2020 9:29:38 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0
Kdc Called: ONEWAY

You can find if a valid SPN exists with:

C:\>setspn /Q cifs/demoalias.ntap.local
Checking domain DC=NTAP,DC=local
CN=DEMO,CN=Computers,DC=NTAP,DC=local
cifs/demoalias.ntap.local
cifs/demoalias
HOST/demo.ntap.local
HOST/DEMO

On the storage, you can see auth type with:

::*> cifs session show -vserver DEMO -instance

Vserver: DEMO

Node: ontap9-tme-8040-01
Session ID: 15797783067885568098
Connection ID: 4128580272
Incoming Data LIF IP Address: 10.193.67.237
Workstation IP Address: 10.193.67.236
Authentication Mechanism: Kerberos
User Authenticated as: domain-user
Windows User: NTAP\Administrator
UNIX User: administrator
Open Shares: 2
Open Files: 2
Open Other: 0
Connected Time: 7s
Idle Time: 6s
Protocol Version: SMB3
Continuously Available: No
Is Session Signed: false
NetBIOS Name: -
SMB Encryption Status: unencrypted
Large MTU Enabled: true
Connection Count: 4

Or display just the auth-mechanism with:

::*> cifs session show -vserver DEMO -fields auth-mechanism
node vserver session-id connection-id auth-mechanism
------------------ ------- -------------------- ------------- --------------
ontap9-tme-8040-01 DEMO 15797783067885568098 4128580272 Kerberos

Or you can filter only Kerberos sessions with:

::*> cifs session show -vserver DEMO -auth-mechanism Kerberos

@parisi  Thanks so much for your messages! They are very helpful to me.

60-70% of total of 1,000 Windows(VMware) here are 2016 version. The rest is older. Based on my understanding to your messages, for 2016, we should be able to use Kerberos authentication, no matter of if DNS name or IP is used. However, after checked by running “cifs session show -auth-mechanism Kerberos”, there are absolutely no sessions are using Kerberos. All of them are NTLMv2. So, that turns to the possibility as for why,  SPN may not exist in AD.

I randomly picked several Windows, and run “klist”. As the result, there are no any CIFS SPN's. It tells me that there are no valid CIFS SPN, and therefore explained why there are no Kerberos authentication.

Here are my follow-ups, if you can help me out:
1. Can you think of possible reasons why there are no CIFS SPN created?
2. To fix it, is manually creating SPN a solution?
3. What command to tell me if my initial creation of CIFS server on NetApp is using Kerberos or not, and to find out what SPN is?

Thanks again!

We have about 700 Window clients with 2016 version. None of them are using Kerberos. As far as I can see, it is due to no valid SPNs’. So, my main question was:

What could be the reason can you think of for non-existing valid SPN’s?

What is the fix to that?

I explained in the previous post why you might not have valid SPNs, how to query SPNs, etc. as well as how to fix it.

@parisi  Thanks again!

Following is an example in our case here.  Based on my understanding to your message, it did not use Kerberos as expected. Why?

cluster::*> cifs server show -vserver vserver1 -fields cifs-server, domain
vserver cifs-server domain
------- ----------- -----------------
vserver1 VSERVER1 ABC.ORG.COM

G:\>setspn /L VSERVER1
Registered ServicePrincipalNames for CN=VSERVER1,OU=NetApp,OU=Servers,OU=ABCIT,OU=Resources,DC=abc,DC=org,DC=com:
HOST/vserver1.abc.org.com
HOST/VSERVER1

G:\>nslookup                                     # there is corresponding PTR for this IP "10.192.26.45". Right?
Default Server: int-ns2.org.com
Address: 128.59.2.6

> set type=ptr
> 10.192.26.45
Server: int-ns2.org.com
Address: 128.59.2.6

Non-authoritative answer:
45.26.192.10.in-addr.arpa name = vserver1-cifs.abcit.org.com
45.26.192.10.in-addr.arpa name = vserver1-cifs-06.abcit.org.com
45.26.192.10.in-addr.arpa name = vserver1-cifs-05.abcit.org.com

# I accessed a share under this vserver using IP 10.192.26.45, but command below shows it is not using kerberos, but NTLMv2

cluster::*> cifs session show -vserver vserver1 -auth-mechanism kerberos    
There are no entries matching your query.

Your SPN uses vserver1.

Your DNS PTR points to vserver-cifs.

Those don’t match.

Add cifs/vserver1-cifs and cifs/vserver1-cifs.domain.org to the machine account, or have a DNS record vserver1.domain.org as the PTR for the IP.

By create the DNS name for CIFS server (in your example) as you suggested, I am able to use Kerberos authentication. 

There is one thing left. I don't quite understand what you said below. To me the command "C:\>nslookup 10.193.67.230 10.193.67.236" is not  valid, because nslookup can only take an IP as the argument, not two IP's. What does 10.193.67.230 and 10.193.67.236 represent respectively?

C:\>nslookup 10.193.67.230 10.193.67.236
Server: oneway.ntap.local
Address: 10.193.67.236

*** oneway.ntap.local can't find 10.193.67.230: Non-existent domain

C:\>nslookup cifs 10.193.67.236
Server: oneway.ntap.local
Address: 10.193.67.236

*** oneway.ntap.local can't find cifs: Non-existent domain

also below is not valid to me neither:

C:\>nslookup cifs 10.193.67.236
Server: oneway.ntap.local
Address: 10.193.67.236

Name: cifs.NTAP.local
Address: 10.193.67.230

When I use the IP with PRT record for that IP, Kerberos is not used. 

Hopefully, this is going to be my last question for you. You have been extremely helpful to me. 

https://man.cx/nslookup(1)

My command was:

nslookup [A record or PTR] [DNS server]

@parisi ,

Thank you for providing such useful information!

I have question according to your example for setting new SPN for the SVM account:

Is it possible for CNAME alias record - cifsalias to be set this way:

C:\>setspn -S HOST/cifsalias CIFS
Checking domain DC=NTAP,DC=local

Registering ServicePrincipalNames for CN=CIFS,CN=Computers,DC=NTAP,DC=local
HOST/cifsalias
Updated object

C:\>setspn -S HOST/cifsalias.ntap.local CIFS
Checking domain DC=NTAP,DC=local

Registering ServicePrincipalNames for CN=CIFS,CN=Computers,DC=NTAP,DC=local
HOST/cifsalias.ntap.local
Updated object

C:\>setspn /L CIFS
Registered ServicePrincipalNames for CN=CIFS,CN=Computers,DC=NTAP,DC=local:
HOST/cifsalias.ntap.local
HOST/cifsalias
HOST/cifs.ntap.local
HOST/CIFS

To configure not only  cifs service but entire HOST in SPN.

Because for example we have cifs  sessions connecting to SVM and SVM CNAME:

cifsalias

CIFS

Thank you!

As far as I know, yes, that should work. But generally, if you have a CNAME, you won't need to add another SPN; DNS will resolve to the original SPN. 

See TR-4616 for more info on page 41.

https://www.netapp.com/pdf.html?item=/media/19384-tr-4616.pdf

@parisi 

Thank you for provided information.

The problem what I am trying to fix is that cifs sessions to the CNAME alias of the SVM currently are connecting via NTLMv2 and not using Kerberos.

Cifs sessions to the SVM DNS already using Kerberos.

For example:

SVM\share - Kerberos

SVMalias\share - NTLMv2  

Also DFS links are used in our environment to access SVM and SVMalias for different shares.

I think the problem is that I have only this for SPN record:

C:\>setspn /L SVM
Registered ServicePrincipalNames for CN=SVM,CN=Computers,DC=NTAP,DC=local:

HOST/SVM.ntap.local
HOST/SVM

and modifying SPN by this way:

C:\>setspn /L SVM
Registered ServicePrincipalNames for CN=SVM,CN=Computers,DC=NTAP,DC=local:

HOST/SVM.ntap.local
HOST/SVM
HOST/SVMalias.ntap.local
HOST/SVMalias

 should fix my problem.

According to this requirements to have CIFS Kerberos sessions you need to have valid SPN:

https://kb.netapp.com/onprem/ontap/da/NAS/ONTAP_Requirements_for_CIFS_Kerberos

Do you think this will fix my problem?

It probably will, but it won't hurt anything to try it, unless you already have an SPN with that name in your environment.

Hi @parisi,

Thank you once again for your support!

I just want to provide update and confirm that configuring SPN this way for my case did fix my problem.

C:\>setspn -l SVM
Registered ServicePrincipalNames for CN=SVM,CN=Computers,DC=NTAP,DC=local:

HOST/SVM.ntap.local
HOST/SVM
HOST/SVMalias.ntap.local
HOST/SVMalias

Now CIFS sessions to both  SVM and SVMalias are using Kerberos authentication.

\\SVM\share - Kerberos

\\SVMalias\share - Kerberos

I have one more question regarding the  CIFS sessions to SVM and SVMalias coming from different domain ntap2.local is that these sessions still using NTLM authentication.

For example:

CIFS session from client from domain  ntap2.local using NTLM authentication to  SVM.ntap.local.

Domains ntap.local and ntap2.local are not trusted domains.

Do you have some information from NetApp how this can be fixed and CIFS sessions for that case can use Kerberos authentication or this is strictly Active Directory topic?

Thank you! 

A packet capture would likely tell you if it even tries Kerberos, but I suspect the issue may be that there is a missing DNS entry for the forward/reverse lookup in the domains.

Can you resolve the CIFS server name in DNS on both domains using nslookup?

Hi @parisi,

Yes nslookup is resolving CIFS server name in DNS from both domains. 

Is it possible problem to be caused, because SPN of the SVM is valid only for ntap.local domain and to have working Kerberos authentication I need also valid SPN for SVM in ntap2.local domain. 

No 100% sure, but I think you can't have the same SPN added to both domains here.

A packet trace would tell you more about why Kerberos might not be working in the other domain.