Kerberos is the default authentication mechanism for SMB access, while NTLMv2 is supported as a failover authentication scenario, as in Windows SMB servers.
Among the requirements for successful authentication via Kerberos are:
- That the user is logged into the same Active Directory domain to which the VAST Cluster is joined.
- That the client connects using a hostname and not an IP address.
- That HOST SPN attributes are configured in the VAST Cluster's AD machine account.
If the Kerberos authentication requirements are not met, for example because the user is not logged into the right AD domain or there are no HOST SPN attributes, VAST Cluster supports client failover to NTLMv2 authentication.
NTLMv2 authentication will work even when:
- The client connects using an IP address rather than a hostname.
- The client host is not logged into the AD domain to which the cluster is joined, although the user must authenticate to the AD domain to which the VAST Cluster is joined. Credentials for the user's account on that domain must be supplied manually.
However, please note:
- Performance during session establishment is lower with NTLM than with Kerberos. This could have a noticeable impact in a high load situation, such as a large number of employees establishing access to a share at the start of a working day.
- The compute load on the cluster should always be balanced across the CNodes. It is therefore not advisable to connect to the VAST cluster over individual CNode VIPs. If the VAST DNS service is enabled, clients should instead connect to the appropriate DNS name associated with the relevant VIP pool. This will allow for proper distribution of clients across CNodes within the pool. For information about the DNS server, see DNS-Based VIP Distribution.
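The Kerberos requirements and NTLMv2 failover conditions listed above can be checked against an inventory of share paths before rollout. The following is an added example, not VAST code: the function names, the domain `corp.example.com`, the SPN list and the sample paths are constructed, and it assumes the HOST SPN has to match the hostname the client connects with.

```python
import ipaddress

def unc_host(path):
    """Return the server component of a UNC path such as \\\\server\\share."""
    if not path.startswith("\\\\"):
        raise ValueError(f"not a UNC path: {path!r}")
    host = path[2:].split("\\", 1)[0]
    if not host:
        raise ValueError(f"no server in UNC path: {path!r}")
    return host

def is_ip_literal(host):
    """True for IPv4/IPv6 literals, including Windows' *.ipv6-literal.net form."""
    if host.lower().endswith(".ipv6-literal.net"):
        return True
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def expected_auth(path, user_domain, cluster_domain, host_spns):
    """Predict the mechanism and list every unmet Kerberos requirement."""
    host = unc_host(path)
    reasons = []
    if is_ip_literal(host):
        reasons.append("client connects by IP address")
    elif f"host/{host.lower()}" not in {s.lower() for s in host_spns}:
        reasons.append(f"no HOST SPN for {host}")
    if user_domain.lower() != cluster_domain.lower():
        reasons.append("user not logged into the cluster's AD domain")
    return ("NTLMv2" if reasons else "Kerberos"), reasons

# Constructed sample data (not taken from any real cluster).
CLUSTER_DOMAIN = "corp.example.com"
HOST_SPNS = ["HOST/vast-smb", "HOST/vast-smb.corp.example.com"]
SAMPLES = [
    (r"\\vast-smb.corp.example.com\data", "corp.example.com"),
    (r"\\10.0.0.15\data", "corp.example.com"),
    (r"\\cnode3\data", "corp.example.com"),
    (r"\\vast-smb\data", "lab.example.net"),
]

if __name__ == "__main__":
    for path, domain in SAMPLES:
        mech, why = expected_auth(path, domain, CLUSTER_DOMAIN, HOST_SPNS)
        print(f"{path:40} {mech:9} {'; '.join(why)}")
```

Paths reported as NTLMv2 are the ones to repoint at the VIP pool's DNS name or to fix on the AD side.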