Enabling or disabling AES encryption for Kerberos-based communication

To take advantage of the strongest security with Kerberos-based communication, you can enable AES-256 and AES-128 encryption on the CIFS server. If you do not want the CIFS server to select the AES encryption types for Kerberos-based communication with the Active Directory (AD) KDC, you can disable AES encryption. By default, AES encryption is disabled.

About this task

To enhance security, the Storage Virtual Machine (SVM) changes its machine account password in the AD each time the AES security option is modified. Changing the password might require administrative AD credentials for the organizational unit (OU) that contains the machine account.

Steps

  1. Perform one of the following actions:
    If you want the AES encryption types for Kerberos communication to be...
      Enabled, enter the command:
        vserver cifs security modify -vserver vserver_name -is-aes-encryption-enabled true
      Disabled, enter the command:
        vserver cifs security modify -vserver vserver_name -is-aes-encryption-enabled false
  2. Verify that AES encryption is enabled or disabled as desired:
        vserver cifs security show -vserver vserver_name -fields is-aes-encryption-enabled
    The is-aes-encryption-enabled field displays true if AES encryption is enabled and false if it is disabled.

Example

The following example enables the AES encryption types for the CIFS server on SVM vs1:

cluster1::> vserver cifs security modify -vserver vs1 -is-aes-encryption-enabled true

cluster1::> vserver cifs security show -vserver vs1 -fields is-aes-encryption-enabled
vserver  is-aes-encryption-enabled
-------- -------------------------
vs1      true

The following example enables the AES encryption types for the CIFS server on SVM vs2. The administrator is prompted to enter the administrative AD credentials for the OU containing the CIFS server:

cluster1::> vserver cifs security modify -vserver vs2 -is-aes-encryption-enabled true

Info: In order to enable CIFS AES encryption, the password for the CIFS server 
machine account must be reset. Enter the username and password for the 
CIFS domain "EXAMPLE.COM". 

Enter your user ID: administrator 

Enter your password: 


cluster1::> vserver cifs security show -vserver vs2 -fields is-aes-encryption-enabled
vserver  is-aes-encryption-enabled
-------- -------------------------
vs2      true
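
The verification step can be scripted when several SVMs need checking. The following shell function is an added example, not part of the original documentation: it reads captured output of the vserver cifs security show command and lists the SVMs where AES is still disabled, treating a capture with no data rows as a failure. The helper name aes_audit, the SVM name vs3 and the sample capture are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not NetApp code): audit captured output of
#   vserver cifs security show -vserver <svm> -fields is-aes-encryption-enabled

# Constructed sample: three captures concatenated; vs3 is a made-up SVM name.
SAMPLE='cluster1::> vserver cifs security show -vserver vs1 -fields is-aes-encryption-enabled
vserver  is-aes-encryption-enabled
-------- -------------------------
vs1      true

vserver  is-aes-encryption-enabled
-------- -------------------------
vs2      false

vserver  is-aes-encryption-enabled
-------- -------------------------
vs3      false'

# aes_audit (hypothetical helper): reads show output on stdin.
#   exit 0: every SVM row reports true
#   exit 1: at least one SVM reports false (names printed, one per line)
#   exit 2: no data rows found, so the capture cannot be trusted
aes_audit() {
    # Keep only data rows: exactly two fields, second is true or false.
    # Echoed prompts, the header and the ruler do not match this shape.
    rows=$(awk '{ sub(/\r$/, "") }
                NF == 2 && ($2 == "true" || $2 == "false") { print $1, $2 }')
    if [ -z "$rows" ]; then
        echo "aes_audit: no SVM rows parsed" >&2
        return 2
    fi
    disabled=$(printf '%s\n' "$rows" | awk '$2 == "false" { print $1 }')
    if [ -n "$disabled" ]; then
        printf '%s\n' "$disabled"
        return 1
    fi
    return 0
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE" | aes_audit || echo "audit exit status: $?"
```

Exit status 2 keeps an empty or truncated capture from being read as a pass.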