For the strongest security with Kerberos-based communication, you can enable AES-256 and AES-128 encryption on the CIFS server. By default, when you create a CIFS server on the Storage Virtual Machine (SVM), AES encryption is disabled. You must enable it to take advantage of the strong security provided by AES encryption.
Kerberos-related communication for CIFS is used during CIFS server creation on the SVM, as well as during the SMB session setup phase. The CIFS server supports the following encryption types for Kerberos communication:
To use the highest security encryption type for Kerberos communication, you should enable AES encryption on the SVM.
When the CIFS server is created, the domain controller creates a computer machine account in Active Directory. At that point, the KDC becomes aware of the encryption capabilities of that machine account. Subsequently, the KDC selects a particular encryption type for encrypting the service ticket that the client presents to the server during authentication.
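
Active Directory records a machine account's encryption capabilities in the `msDS-SupportedEncryptionTypes` attribute, so one way to confirm that AES took effect is to decode that bitmask for each CIFS server account. The following is an added example, not NetApp's code: the account names and mask values are constructed, and the "expected ticket type" is a simplified model that assumes the KDC picks the strongest type the account advertises.

```python
# Added example: audit machine accounts for AES Kerberos support.
# Bit flags of the AD attribute msDS-SupportedEncryptionTypes
# (Kerberos encryption types only), listed weakest to strongest.
ETYPE_BITS = [
    (0x01, "DES-CBC-CRC"),
    (0x02, "DES-CBC-MD5"),
    (0x04, "RC4-HMAC"),
    (0x08, "AES128-CTS-HMAC-SHA1-96"),
    (0x10, "AES256-CTS-HMAC-SHA1-96"),
]
AES_MASK = 0x08 | 0x10
LEGACY_MASK = 0x01 | 0x02 | 0x04

def decode_enctypes(mask):
    """Return the encryption type names set in the bitmask."""
    return [name for bit, name in ETYPE_BITS if mask & bit]

def expected_ticket_etype(mask):
    """Assumption: the KDC uses the strongest advertised type.
    Returns None when no type is advertised (KDC default applies)."""
    names = decode_enctypes(mask)
    return names[-1] if names else None

def audit(accounts):
    """Map each account name to (expected ticket type, finding)."""
    report = {}
    for name, mask in accounts:
        if not mask & (AES_MASK | LEGACY_MASK):
            finding = "unset: KDC default applies"
        elif not mask & AES_MASK:
            finding = "AES not enabled"
        elif mask & LEGACY_MASK:
            finding = "AES enabled, legacy types still advertised"
        else:
            finding = "AES only"
        report[name] = (expected_ticket_etype(mask), finding)
    return report

# Constructed sample: (machine account, attribute value) pairs, e.g. from
# an export of the attribute for the SVMs' computer objects.
SAMPLE = [
    ("SVM1-CIFS$", 0x1C),  # RC4 + AES128 + AES256
    ("SVM2-CIFS$", 0x04),  # RC4 only
    ("SVM3-CIFS$", 0x00),  # attribute unset
    ("SVM4-CIFS$", 0x18),  # AES128 + AES256
]

if __name__ == "__main__":
    for name, (etype, finding) in audit(SAMPLE).items():
        print(f"{name:12} {etype or '-':26} {finding}")
```
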