Skip to main content

Configure strong security for Kerberos-based communication by using AES encryption

Contributors netapp-forry netapp-thomi

For strongest security with Kerberos-based communication, you can enable AES-256 and AES-128 encryption on the SMB server. By default, when you create a SMB server on the SVM, Advanced Encryption Standard (AES) encryption is disabled. You must enable it to take advantage of the strong security provided by AES encryption.

Kerberos-related communication for SMB is used during SMB server creation on the SVM, as well as during the SMB session setup phase. The SMB server supports the following encryption types for Kerberos communication:

  • AES 256

  • AES 128

  • DES

  • RC4-HMAC

If you want to use the highest security encryption type for Kerberos communication, you should enable AES encryption for Kerberos communication on the SVM.

When the SMB server is created, the domain controller creates a computer machine account in Active Directory. At this time, the KDC becomes aware of the encryption capabilities of the particular machine account. Subsequently, a particular encryption type is selected for encrypting the service ticket that the client presents to the server during authentication.

Beginning with ONTAP 9.12.1, you can specify which encryption types to advertise to the Active Directory (AD) KDC. You can use the -advertised-enc-types option to enable recommended encryption types, and you can use it to disable weaker encryption types. Learn how to enable and disable encryption types for Kerberos-based communication.

Note

Intel AES New Instructions (Intel AES NI) is available in SMB 3.0, improving on the AES algorithm and accelerating data encryption with supported processor families.Beginning with SMB 3.1.1, AES-128-GCM replaces AES-128-CCM as the hash algorithm used by SMB encryption.