# Setting up multiple KDC servers in ONTAP 9.7?
Wait... I think what you're doing there is setting up Kerberos for Kerberized NFS... which has nothing to do with Kerberos as it is used in AD?
Uh... I would agree.
So yeah, you can't get around "the NTLM issue" by trying to configure an additional KDC... You need to update ONTAP or switch your clients to use Kerberos instead of NTLM (e.g. by adding SPNs for IP addresses, not using accounts from domains that are not trusted by your AD, etc., depending on the reason the clients switched to NTLM).
So we deployed Kerberos as advised by the KB article and it looks to be working successfully, but it's not possible to configure another KDC for high availability?
Each CIFS server performs domain discovery every 4 hours by default, and that should return a list of Domain Controllers to use for a given domain, not just a single Domain Controller. You can modify/disable domain discovery, if desired, but I am not seeing that you need that at this point, or understanding why you believe it is necessary. You can see the discovered domain controllers by running the "vserver cifs domain discovered-servers show" command.
Yes, because the KDC setup you did has nothing to do with CIFS 😉
Also, if you read carefully, the highlighted section says "ensure that clients utilize Kerberos", so if you still have NTLM sessions from one particular client (I assume 192.168.200.1, but I'm not sure since you painted over the auth-mechanism column for whatever reason) you need to fix the client, not ONTAP...
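The reply above is pointing at the auth-mechanism column of the CIFS session listing as the way to find which clients are still on NTLM. As an added example (not from any poster in this thread and not NetApp's own tooling), the script below parses the tabular output of an ONTAP `vserver cifs session show -fields ...` command and groups every non-Kerberos session by client address, so the clients that need fixing fall out directly. The column layout and the session rows are constructed for illustration; the exact columns ONTAP prints depend on the `-fields` list and the key fields it adds, so check the header against a real capture before relying on it.

```python
import re
from collections import defaultdict

# Constructed sample output (not a real capture) in the shape ONTAP uses for
# "vserver cifs session show -fields auth-mechanism,address,windows-user":
# a header row, a dashed separator, one row per session and a trailing count.
SAMPLE_OUTPUT = """\
vserver  node   session-id  connection-id  auth-mechanism  address         windows-user
-------  -----  ----------  -------------  --------------  --------------  --------------------
svm1     node1  1           3              Kerberos        192.168.200.15  CORP\\alice
svm1     node1  2           5              NTLMv2          192.168.200.1   CORP\\scanner01
svm1     node2  3           8              NTLMv1          192.168.200.77  WORKGROUP\\legacyapp
svm1     node2  4           9              Kerberos        192.168.200.15  CORP\\alice
4 entries were displayed.
"""


def parse_sessions(text):
    """Turn the tabular CLI output into a list of {column: value} dicts.

    Fields in this listing contain no spaces, so a whitespace split of each
    row lines up with the header. The dashed separator and the trailing
    "N entries were displayed." line are skipped.
    """
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 2:
        return []
    header = lines[0].split()
    sessions = []
    for line in lines[2:]:
        if re.match(r"^\d+ entr(y|ies) (was|were) displayed\.?$", line):
            continue
        values = line.split()
        if len(values) != len(header):
            # Fail loudly rather than silently misattributing a column.
            raise ValueError(f"row does not match header: {line!r}")
        sessions.append(dict(zip(header, values)))
    return sessions


def non_kerberos_clients(sessions):
    """Map each client address with at least one non-Kerberos session to the
    sorted list of mechanisms it used (e.g. NTLMv1, NTLMv2)."""
    by_addr = defaultdict(set)
    for s in sessions:
        mech = s["auth-mechanism"]
        if mech != "Kerberos":
            by_addr[s["address"]].add(mech)
    return {addr: sorted(mechs) for addr, mechs in sorted(by_addr.items())}


def report(text):
    """Human-readable summary: one line per client that still needs fixing."""
    offenders = non_kerberos_clients(parse_sessions(text))
    if not offenders:
        return "all CIFS sessions are using Kerberos"
    lines = [f"{addr}: {', '.join(mechs)}" for addr, mechs in offenders.items()]
    return "\n".join(lines)


if __name__ == "__main__":
    # Run stand-alone against the constructed sample; in practice feed it the
    # output of the CLI command captured over SSH.
    print(report(SAMPLE_OUTPUT))
```

NTLMv1 rows deserve the most urgent attention, since that is the mechanism the poster's "poor quality applications" are most likely to be using; NTLMv2 rows still identify clients that have not moved to Kerberos.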
Ahhh thanks
I think there's generally a big misunderstanding around the coming changes and NTLM authentication. The requirement is that NTLM authentication with Microsoft Domain Controllers is signed and sealed. NTLM (hopefully NTLMv2) authentication with the NetApp controller has no such requirement, and since it forwards all such NTLM(v2) requests to the DCs as signed and sealed (when properly patched), what the NAS client does isn't affected by the change if it doesn't interact with a DC.
I do agree that using Kerberos is probably a better idea and it limits the number of "bad" clients that have access to CIFS services.
It will probably break a lot of poor quality applications that use some older form of Samba to move files (commercial printers that scan to NAS, for example).
So as long as the NetApp is patched, NTLM will still work, since: a client requests a CIFS share, the NetApp will request authentication from the DC, and it will send this request from the NetApp to the DC as signed/sealed, therefore it will allow access. Is this correct?