Set the SPN if Kerberos authentication does not work or if you use a DNS alias for a CIFS share on NetApp

Our example CIFS SVM has the name SVM1 and is joined to Active Directory with the CIFS name SVM1 as well. We then need a DNS alias for CIFS access, which is CIFSSHARES.DOMAIN.LOCAL.

# We had to set the Service Principal Name (SPN) when a DNS alias like the one in the example is needed, or when the output for the cifs sessions shows NTLMv2 instead of Kerberos:

Node: NODE1
Vserver: SVM1
Session ID: 1
Connection ID: 12984403
Incoming Data LIF IP Address: 192.168.1.10
Workstation IP address: 192.168.50.101
Authentication Mechanism: NTLMv2
Windows User: DOMAIN\USER
UNIX User: pcuser
Open Shares: 1
Open Files: 0
Open Other: 0
Connected Time: 1d 14h 16m 52s
Idle Time: 28s
Protocol Version: SMB2_1
Continuously Available: No
Is Session Signed: false

# The SPN can be set and viewed with the setspn.exe utility on a domain controller like this:

setspn.exe -A HOST/CIFSSHARES SVM1

setspn.exe -A HOST/CIFSSHARES.DOMAIN.LOCAL SVM1

C:\Users\administrator.DOMAIN>setspn.exe -l SVM1
Registered ServicePrincipalNames for CN=SVM1,CN=Computers,DC=DOMAIN,DC=LOCAL:
HOST/CIFSSHARES.DOMAIN.LOCAL
HOST/CIFSSHARES
HOST/SVM1.DOMAIN.LOCAL
HOST/SVM1

# After setting the correct SPN entry, the output of cifs sessions should look like this:

Node: NODE1
Vserver: SVM1
Session ID: 1
Connection ID: 263802468
Incoming Data LIF IP Address: 192.168.1.10
Workstation IP address: 192.168.50.101
Authentication Mechanism: Kerberos
Windows User: DOMAIN\USER
UNIX User: pcuser
Open Shares: 5
Open Files: 11
Open Other: 0
Connected Time: 3h 25m 46s
Idle Time: 35s
Protocol Version: SMB2_1
Continuously Available: No
Is Session Signed: false
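
To check many sessions at once, session output in the layout shown above can be parsed and every session that did not authenticate with Kerberos listed. This is an added example, not part of the original post or of NetApp's tooling; the function names are hypothetical, and the sample text is constructed from the two outputs above (session 2 and its workstation address are made up).

```python
# Flag CIFS sessions that fell back from Kerberos to NTLM ("Field: value" layout).

# Constructed sample: two sessions modelled on the outputs shown on this page.
SAMPLE = """\
Node: NODE1
Vserver: SVM1
Session ID: 1
Incoming Data LIF IP Address: 192.168.1.10
Workstation IP address: 192.168.50.101
Authentication Mechanism: NTLMv2
Windows User: DOMAIN\\USER
Is Session Signed: false

Node: NODE1
Vserver: SVM1
Session ID: 2
Incoming Data LIF IP Address: 192.168.1.10
Workstation IP address: 192.168.50.102
Authentication Mechanism: Kerberos
Windows User: DOMAIN\\USER
Is Session Signed: false
"""


def parse_sessions(text):
    """Split the output into one dict per session; a 'Node:' line starts a record."""
    sessions = []
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # first colon only, values may contain more
        if not sep:
            continue  # blank line or anything that is not "Field: value"
        key, value = key.strip(), value.strip()
        if key == "Node" or not sessions:
            sessions.append({})
        sessions[-1][key] = value
    return sessions


def non_kerberos(sessions):
    """Return sessions whose mechanism is not Kerberos (a missing field is flagged too)."""
    return [s for s in sessions
            if s.get("Authentication Mechanism", "").lower() != "kerberos"]


if __name__ == "__main__":
    for s in non_kerberos(parse_sessions(SAMPLE)):
        print(f'{s.get("Vserver")} session {s.get("Session ID")}: '
              f'{s.get("Workstation IP address")} {s.get("Windows User")} '
              f'used {s.get("Authentication Mechanism")}')
```

Clients that still appear in this list after the SPN change are worth checking for the name they use to reach the share.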

Reference Site from NetApp:
https://kb.netapp.com/support/index?page=content&id=1013601&pmv=print&impressions=false
