ONTAP 9 Manuals ( CA08871-402 )

Configure Active Directory domain controller access overview

You must configure AD domain controller access to the cluster or SVM before an AD account can access the SVM. If you have already configured a SMB server for a data SVM, you can configure the SVM as a gateway, or tunnel, for AD access to the cluster. If you have not configured an SMB server, you can create a computer account for the SVM on the AD domain.

ONTAP supports the following domain controller authentication services:

  • Kerberos

  • LDAP

  • Netlogon

  • Local Security Authority (LSA)

ONTAP supports the following session key algorithms for secure Netlogon connections:

Session key algorithm

Available beginning with…​

HMAC-SHA256, based on the Advanced Encryption Standard (AES)

If your cluster is running ONTAP 9.9.1 or earlier and your domain controller enforces AES for secure Netlogon services, the connection fails. In this case, you need to reconfigure your domain controller to instead accept strong key connections with ONTAP.

ONTAP 9.10.1

DES and HMAC-MD5 (when strong key is set)

All ONTAP 9 releases

If you want to use AES session keys during Netlogon secure channel establishment, you need to verify that AES is enabled on your SVM.

  • Beginning with ONTAP 9.14.1, AES is enabled by default when you create an SVM, and you don’t need to modify the security settings of your SVM to use AES session keys during Netlogon secure channel establishment.

  • In ONTAP 9.10.1 through 9.13.1, AES is disabled by default when you create an SVM. You need to enable AES using the following command:

    cifs security modify -vserver vs1 -aes-enabled-for-netlogon-channel true
When you upgrade to ONTAP 9.14.1 or later, the AES setting for existing SVMs that were created with older ONTAP releases will not automatically change. You still need to update the value for this setting to enable AES on these SVMs.

Configure an authentication tunnel

If you have already configured a SMB server for a data SVM, you can use the security login domain-tunnel create command to configure the SVM as a gateway, or tunnel, for AD access to the cluster.

Before you begin
  • You must have configured a SMB server for a data SVM.

  • You must have enabled an AD domain user account to access the admin SVM for the cluster.

  • You must be a cluster administrator to perform this task.

Beginning with ONTAP 9.10.1, if you have an SVM gateway (domain tunnel) for AD access, you can use Kerberos for admin authentication if you have disabled NTLM in your AD domain. In earlier releases, Kerberos was not supported with admin authentication for SVM gateways. This functionality is available by default; no configuration is required.

Kerberos authentication is always attempted first. In case of failure, NTLM authentication is then attempted.
Step
  1. Configure a SMB-enabled data SVM as an authentication tunnel for AD domain controller access to the cluster:

    security login domain-tunnel create -vserver svm_name

    For complete command syntax, see the worksheet.

    The SVM must be running for the user to be authenticated.

    The following command configures the SMB-enabled data SVM “engData” as an authentication tunnel.

    cluster1::>security login domain-tunnel create -vserver engData

Create an SVM computer account on the domain

If you have not configured an SMB server for a data SVM, you can use the vserver active-directory create command to create a computer account for the SVM on the domain.

About this task

After you enter the vserver active-directory create command, you are prompted to provide the credentials for an AD user account with sufficient privileges to add computers to the specified organizational unit in the domain. The password of the account cannot be empty.

Before you begin

You must be a cluster or SVM administrator to perform this task.

Step
  1. Create a computer account for an SVM on the AD domain:

    vserver active-directory create -vserver SVM_name -account-name NetBIOS_account_name -domain domain -ou organizational_unit

    For complete command syntax, see the worksheet.

    The following command creates a computer account named “ADSERVER1” on the domain “example.com” for SVM “engData”. You are prompted to enter the AD user account credentials after you enter the command.

    cluster1::>vserver active-directory create -vserver engData -account-name ADSERVER1 -domain example.com
    
    In order to create an Active Directory machine account, you must supply the name and password of a Windows account with sufficient privileges to add computers to the "CN=Computers" container within the "example.com" domain.
    
    Enter the user name: Administrator
    
    Enter the password:
Top of Page