articles/azure-netapp-files/kerberos.md: 3 additions & 3 deletions
@@ -252,7 +252,7 @@ In most cases, knowing detailed steps in depth isn't necessary for day-to-day ad
252
252
| operatingSystem | NetApp Release |
253
253
|`dnsHostName`| ANF-XXXX.CONTOSO.COM |
254
254
255
-
- If the `addRequest` fails, the volume creation fail. An `addRequest` can fail due to [incorrect permissions](create-active-directory-connections#requirements-for-active-directory-connections.md) on the container object.
255
+
- If the `addRequest` fails, the volume creation fail. An `addRequest` can fail due to [incorrect permissions](create-active-directory-connections.md#requirements-for-active-directory-connections) on the container object.
256
256
- If the `addRequest` succeeds, an LDAP search using the filter (`sAMAccountName=ANF-XXXX$`) is performed to retrieve the objectSid attribute.
257
257
- An SMB2 "Negotiate protocol" conversation is performed to retrieve the supported Kerberos [`mechTypes`](/openspecs/windows_protocols/ms-spng/f663e38f-f4c8-4ed8-9bfe-51772e667116) from the KDC.
258
258
- An SMB2 "Session setup" using the CIFS SPN and highest supported `mechType` and a "Tree connect" to IPC$ is performed.
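Review bot: The link fix on the `+` line is correct (the fragment now follows `.md`, so `create-active-directory-connections.md#requirements-for-active-directory-connections` resolves), but the sentence it sits in still reads "the volume creation fail"; since the line is touched anyway, change it to "the volume creation fails". A minor consistency point on the unchanged context lines: `sAMAccountName` and `mechTypes` are in code spans while objectSid is not, so `objectSid` would match the rest of the list.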
@@ -351,15 +351,15 @@ When an Azure NetApp Files volume is mounting using Kerberos, a Kerberos ticket
351
351
When Azure NetApp Files creates an SMB server using a naming convention of [SMB Server prefix specified in AD connection configuration]-[unique numeric identifier]. (For details about the unique numeric identifier, see [SMB Kerberos machine account](#smb-kerberos-machine-account)).
352
352
This formatting means SMB server names aren't constructed in a user-friendly way. For instance, a name of "SMB-7806" is harder to remember than something similar to "AZURE-FILESHARE."
353
353
354
-
Because of this behavior, administrators may want to create user-friendly alias names for Azure NetApp Files volumes. Doing this requires pointing a [DNS canonical name (CNAME)](/microsoft-365/admin/dns/create-dns-records-using-windows-based-dns?view=o365-worldwide#add-cname-records) to the existing DNS A/AAAA record in the server.
354
+
Because of this behavior, administrators may want to create user-friendly alias names for Azure NetApp Files volumes. Doing this requires pointing a [DNS canonical name (CNAME)](/microsoft-365/admin/dns/create-dns-records-using-windows-based-dns#add-cname-records) to the existing DNS A/AAAA record in the server.
355
355
356
356
When a CNAME is created and used in UNC path requests (for example, `\\AZURE-FILESHARE` instead of `\\SMB-7806`), DNS redirect the CNAME request (AZURE-FILESHARE.contoso.com) to the proper A/AAAA record (SMB-7806.contoso.com), which is used in the Kerberos SPN retrieval (cifs/SMB-7806). This allows Kerberos access to the SMB share while using the aliased name.
357
357
358
358
If a DNS A/AAAA record is created (for instance, AZURE-FILESHARE.contoso.com) and attempted to be used as an alias, Kerberos requests fail. The failure is the result of the constructed SPN used to authenticate to the share (cifs/AZURE-FILESHARE) not matching what the Kerberos SPN is for the SMB server (cifs/SMB-7806). The failure can be mitigated if another [SPN is created](/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731241(v=ws.11)) and appended to the SMB server machine account (such as cifs/AZURE-FILESHARE).
359
359
360
360
### Supported SMB server capabilities in Azure NetApp Files
361
361
362
-
When the SMB "negotiate protocol" request is made, the Azure NetApp Files SMB server is queried for support of specific capabilities. The table below shows the capabilities queried and the response returned from an Azure NetApp Files SMB volume when a [Session Setup/Tree connect](#SMB-share-connection-workflow-Kerberos) is performed.
362
+
When the SMB "negotiate protocol" request is made, the Azure NetApp Files SMB server is queried for support of specific capabilities. The table below shows the capabilities queried and the response returned from an Azure NetApp Files SMB volume when a [Session Setup/Tree connect](#smb-share-connection-workflow-kerberos) is performed.
363
363
364
364
| SMB capability | Supported by Azure NetApp Files? |
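Review bot: Lowercasing the in-page anchor to `#smb-share-connection-workflow-kerberos` is the right fix, since generated heading anchors are lowercase and the mixed-case form would not resolve, and dropping `?view=o365-worldwide` from the CNAME link is fine. Two grammatical defects in the unchanged context lines of this hunk should go into the same commit: "When Azure NetApp Files creates an SMB server using a naming convention of ..." is a sentence fragment (drop the leading "When"), and "DNS redirect the CNAME request" should read "DNS redirects". The Kerberos reasoning in the context lines is sound: a CNAME works because the SPN is built from the A/AAAA target (cifs/SMB-7806), while an A/AAAA alias yields a mismatched SPN (cifs/AZURE-FILESHARE) unless that SPN is added to the SMB server's machine account, as the text says.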