ONTAP 9

to Japanese version

Configure Active Directory domain controller access overview

You must configure AD domain controller access to the cluster or SVM before an AD account can access the SVM. If you have already configured a SMB server for a data SVM, you can configure the SVM as a gateway, or tunnel, for AD access to the cluster. If you have not configured an SMB server, you can create a computer account for the SVM on the AD domain.

ONTAP supports the following domain controller authentication services:

  • Kerberos

  • LDAP

  • Netlogon

  • Local Security Authority (LSA)

ONTAP supports the following session key algorithms for secure Netlogon connections:

Session key algorithm

Available in…​

HMAC-SHA256, based on the Advanced Encryption Standard (AES)

ONTAP 9.10.1 and later

DES and HMAC-MD5 (when strong key is set)

All ONTAP 9 releases

If you want to use AES session keys during Netlogon secure channel establishment, you need to verify that AES is enabled on your SVM.

Beginning with ONTAP 9.14.1, AES is enabled by default when you create an SVM, and you don’t need to modify the security settings of your SVM to use AES session keys during Netlogon secure channel establishment.

In ONTAP 9.10.1 through 9.13.1, AES is disabled by default when you create an SVM. You need to enable AES using the following command:

cifs security modify -vserver vs1 -aes-enabled-for-netlogon-channel true

The default is “false”.

In ONTAP releases earlier than 9.10.1, if the domain controller enforces AES for secure Netlogon services, the connection fails. The domain controller must be configured to accept strong key connections with ONTAP in these releases.

Configure an authentication tunnel

If you have already configured a SMB server for a data SVM, you can use the security login domain-tunnel create command to configure the SVM as a gateway, or tunnel, for AD access to the cluster.

Before you begin
  • You must have configured a SMB server for a data SVM.

  • You must have enabled an AD domain user account to access the admin SVM for the cluster.

  • You must be a cluster administrator to perform this task.

Beginning with ONTAP 9.10.1, if you have an SVM gateway (domain tunnel) for AD access, you can use Kerberos for admin authentication if you have disabled NTLM in your AD domain. In earlier releases, Kerberos was not supported with admin authentication for SVM gateways. This functionality is available by default; no configuration is required.

Kerberos authentication is always attempted first. In case of failure, NTLM authentication is then attempted.
Step
  1. Configure a SMB-enabled data SVM as an authentication tunnel for AD domain controller access to the cluster:

    security login domain-tunnel create -vserver svm_name

    For complete command syntax, see the worksheet.

    The SVM must be running for the user to be authenticated.

    The following command configures the SMB-enabled data SVM “engData” as an authentication tunnel.

    cluster1::>security login domain-tunnel create -vserver engData

Create an SVM computer account on the domain

If you have not configured an SMB server for a data SVM, you can use the vserver active-directory create command to create a computer account for the SVM on the domain.

About this task

After you enter the vserver active-directory create command, you are prompted to provide the credentials for an AD user account with sufficient privileges to add computers to the specified organizational unit in the domain. The password of the account cannot be empty.

Before you begin

You must be a cluster or SVM administrator to perform this task.

Step
  1. Create a computer account for an SVM on the AD domain:

    vserver active-directory create -vserver SVM_name -account-name NetBIOS_account_name -domain domain -ou organizational_unit

    For complete command syntax, see the worksheet.

    The following command creates a computer account named “ADSERVER1” on the domain “example.com” for SVM “engData”. You are prompted to enter the AD user account credentials after you enter the command.

    cluster1::>vserver active-directory create -vserver engData -account-name ADSERVER1 -domain example.com
    
    In order to create an Active Directory machine account, you must supply the name and password of a Windows account with sufficient privileges to add computers to the "CN=Computers" container within the "example.com" domain.
    
    Enter the user name: Administrator
    
    Enter the password:
Top of Page