Configure Active Directory domain controller access overview


You must configure AD domain controller access to the cluster or SVM before an AD account can access the SVM. If you have already configured a SMB server for a data SVM, you can configure the SVM as a gateway, or tunnel, for AD access to the cluster. If you have not configured a SMB server, you can create a computer account for the SVM on the AD domain.

ONTAP supports the following domain controller authentication services:

  • Kerberos

  • LDAP

  • Netlogon

  • Local Security Authority (LSA)

ONTAP supports the following session key algorithms for secure Netlogon connections:

Session key algorithm Available in…​

HMAC-SHA256, based on the Advanced Encryption Standard (AES)

ONTAP 9.10.1 and later

DES and HMAC-MD5 (when strong key is set)

All ONTAP 9 releases

If you want to use AES session keys during Netlogon secure channel establishment in ONTAP 9.10.1 and later, you must enable them using the following command:

cifs security modify -vserver vs1 -aes-enabled-for-netlogon-channel true

The default is false.

In ONTAP releases earlier than 9.10.1, if the domain controller enforces AES for secure Netlogon services, the connection fails. The domain controller must be configured to accept strong key connections with ONTAP in these releases.