ONTAP Recipes

ONTAP Recipes: Easily manage NetApp Storage with your corporate Active Directory (AD) login


ONTAP Recipes: Did you know you can…?


Easily manage NetApp Storage with your corporate Active Directory (AD) login credentials


This recipe will help you setup NetApp Storage admin accounts that are based on your current login accounts served by your corporate Active Directory server.

The steps illustrated below are for both cluster management vserver (SVM) and data serving SVM.




    1. Ensure that the required network settings [ipaddr, netmask, route, DNS et.al] are in place and the AD server is reachable from the interface(s) configured for the SVM [administrative and/or data SVM].
    2. The ONTAP user account to be created has to be a valid user account defined at the AD server. 

PART 1: Data SVM workflow :  


You will need an administrative account credentials for the AD server. This is needed for adding the SVM as a machine account at the AD server.

Example : The following sequence of commands is needed to create user account “vs1u1” for a data SVM “vs1” with role “vsadmin” and configure it in AD serving  domain “mydomain.com":


  1. Create the AD entry for the SVM

Cluster-1_2::>vserver active-directory create -account-name vs1 -domain mydomain.com -ou CN=Computers -vserver vs1


In order to create an Active Directory machine account, you must supply the name and password of a Windows account with sufficient privileges to add computers to the "CN=Computers" container within the "mydomain.com" domain.


Enter the user name: administrator [This is the administrator privileged account at the AD server]

Enter the password:


2. Verify the AD configuration [Also login to the AD server and verify the entry for “vs1” in the machines’ list for the configured domain]


Cluster-1_2::> vserver active-directory show


                   Account        Domain/Workgroup

Vserver     Name            Name

-----------   -------------     ------------

vs1             VS1                mydomain


3. Create the user account for the SVM. Note that the user name will be in the format <domainname>\<username>


Cluster-1_2::> security login create -user-or-group-name mydomain\vs1u1 -application ssh -authentication-method domain -role vsadmin -vserver vs1

Cluster-1_2::> security login show -user-or-group-name mydomain\vs1u1 -vserver vs1

Vserver: vs1


User/Group                                   Authentication                               Acct  

Name                  Application           Method             Role Name        Locked

--------------             -----------           ---------                 ------------          ------

mydomain\vs1u1       ssh                  domain                   vsadmin             -


4. Login to ONTAP using the account thus created


Client-host-machine> ssh mydomain\\vs1u1@vs1


vs1::> security login whoami

User: mydomain\vs1u1

Role: vsadmin



PART 2 : Administrative SVM workflow :


For the administrative SVM (cserver), a domain tunnel (tunnel vserver) needs to be created first. This establishes an authentication gateway or "tunnel" for authentication of user accounts with the Active Directory, thus enabling the login to administrative SVM


  1. Identify an already created or create a new data vserver (SVM) that is configured with the AD server as explained in PART 1 (Data SVM workflow). This is the SVM that will be specified with subsequent tunnel command. The tunnel SVM has to be running or this command will return an error. Only one SVM is allowed to be used as a tunnel. If you attempt to specify more than one SVM the system returns an error. If the tunnel Vserver is stopped or destroyed, user authentication requests for administrative SVM will fail.

The following shows example of commands needed to create login user “user_ad_ssh” for administrative SVM “Cluster-1_2”.  In this example, the SVM created in PART 1 above is re-purposed as tunnel SVM for the administrative SVM.


Cluster-1_2::> security login domain-tunnel create -vserver vs1

Cluster-1_2::> security login domain-tunnel show

Tunnel Vserver: vs1


2. Create the user


Cluster-1_2::> security login create -user-or-group-name mydomain\user_ad_ssh -application ssh -authentication-method domain -role admin -vserver Cluster-1_2

Cluster-1_2::> security login show -user-or-group-name mydomain\user_ad_ssh -vserver Cluster-1_2


Vserver: Cluster-1_2


User/Group                                               Authentication                                 Acct  

Name                                Application       Method             Role Name             Locked

--------------                           -----------         -------------        -------------         ---------

mydomain\user_ad_ssh        ssh               domain                 admin                 -


3. Login to ONTAP administrative SVM using the account thus created


Client-host-machine> ssh mydomain\\user_ad_ssh@Cluster-1_2


Cluster-1_2::> security login whoami

User: mydomain\user_ad_ssh

Role: admin


Note: Often, authentication does not work as expected due to incomplete/wrong name-services configuration. Ensure you have the right DNS, AD, ns-switch settings.


For more information, see the ONTAP 9 documentation center





Thanks for sharing this information

If this post resolved your issue, help others by selecting ACCEPT AS SOLUTION or adding a KUDO.
NetApp on Discord Image

We're on Discord, are you?

Live Chat, Watch Parties, and More!

Explore Banner

Meet Explore, NetApp’s digital sales platform

Engage digitally throughout the sales process, from product discovery to configuration, and handle all your post-purchase needs.

NetApp Insights to Action
I2A Banner