ONTAP Discussions

Windows 11 24H2 access old OnTap problem

chinchillaking
3,476 Views

Hi All,

 

customer new Windows 11 24H2 with AD 2022 access OnTap 9.2 failed and event show display client use "NTLMv2" auth, but exist all Windows client include Windows 11 23H2 no problem and event show display client use "Kerberos"

 

we try test Windows 11 24H2 with AD 2019 access OnTap simulator 9.2, 9.7, 9.9.1, 9.10.1, 9.11.1, 9.12.1 and 9.13.1 SVM FQDN as below

 

- Windows 11 24H2 and SVM use default setting > Windows 11 24H2 access OnTap 9.2, 9.7, 9.9.1, 9.10.1, 9.11.1 and 9.12.1 failed and OnTap event show display client use "NTLMv2" auth same as customer issue, but access 9.13.1 successful and cifs session show client use Kerberos

 

- all OnTap SVM setup "cifs security modify -is-aes-encryption-enabled true" except 9.13.1 because AES encryption enable by default > Windows 11 24H2 access OnTap 9.2, 9.7, 9.9.1, 9.10.1, 9.11.1 and 9.12.1 failed, but access 9.13.1 successful

 

- Windows 11 24H2 setup "Set-SMbClientConfiguration -BlockNTLM $true" > Windows 11 24H2 access OnTap 9.2, 9.7, 9.9.1 and 9.10.1 failed, but access 9.11.1, 9.12.1 and 9.13.1 successful

 

- Windows 11 24H2 setup "Set-SmbClientConfiguration -EnableInsecureGuestLogons $true" > Windows 11 24H2 access OnTap 9.2, 9.7, 9.9.1 and 9.10.1 failed, but access 9.11.1, 9.12.1 and 9.13.1 successful

 

- Windows 11 24H2 setup "Set-SmbClientConfiguration -RequireSecuritySignature $false" > Windows 11 24H2 access OnTap 9.2, 9.7, 9.9.1 and 9.10.1 failed, but access 9.11.1, 9.12.1 and 9.13.1 successful

 

We cannot found any combability issue about Windows 11 24H2 with old OnTap in google or NetApp KB site, any idea?


Best regards

 

2 REPLIES 2

CristianoRossi
3,440 Views

I think part of the problem is related to  CVE-2022-38023 (Netlogon signing) issue.

 

Older ONTAP versions does not have the fix and the NTLM authentication will fail. 

To understand the reason for the fallback to NTLM it could be beneficial to look at secd log and determine the cause (probably AES disabled by default in older versions)

chinchillaking
3,412 Views

Hi CristianoRossi,

 

Thanks your advise. From 9.2 to 9.10.1, we try enable SVM AES encryption cifs security modify -is-aes-encryption-enabled true but still have access issue. We suspect Win11 24H2 combability issue with old OnTap.

 

Best regards

Public