Nondisruptive operations for Hyper-V over SMB require that the CIFS server on a data SVM and the Hyper-V server permit both Kerberos and NTLMv2 authentication. You must verify settings on both the CIFS server and the Hyper-V servers that control what authentication methods are permitted.
Kerberos authentication is required when making a continuously available share connection. Part of the Remote VSS process uses NTLMv2 authentication. Therefore, connections using both authentication methods must be supported for Hyper-V over SMB configurations.
The following settings must be configured to allow both Kerberos and NTLMv2 authentication:
Both Kerberos and NTLMv2 authentication are always enabled on SVMs, but export policies can be used to restrict access based on authentication method.
Prior to Data ONTAP 8.2, configuring export policies for SMB access was a requirement. Export policies control what types of authentication are allowed when accessing data using NAS protocols.
Starting with Data ONTAP 8.2 and later releases, export policies for SMB are optional and are disabled by default. If export policies are disabled, both Kerberos and NTLMv2 authentication are allowed on a CIFS server by default.
Kerberos authentication is enabled by default on Active Directory domains. However, NTLMv2 authentication can be disallowed, either using Security Policy settings or Group Policies.
The following commands verify that export policies for SMB are disabled on SVM vs1:
cluster1::> set -privilege advanced Warning: These advanced commands are potentially dangerous; use them only when directed to do so by technical support personnel. Do you wish to continue? (y or n): y cluster1::*> vserver cifs options show -vserver vs1 -fields vserver,is-exportpolicy-enabled vserver is-exportpolicy-enabled -------- ----------------------- vs1 false cluster1::*> set -privilege admin
