
Commit bbf60ba

ANF-53379: encryption order
1 parent 4bb8d0e commit bbf60ba

File tree

1 file changed

+14
-12
lines changed


articles/azure-netapp-files/create-active-directory-connections.md

Lines changed: 14 additions & 12 deletions
@@ -6,7 +6,7 @@ author: b-hchen
66
ms.service: azure-netapp-files
77
ms.custom: devx-track-azurepowershell
88
ms.topic: how-to
9-
ms.date: 05/09/2025
9+
ms.date: 07/10/2025
1010
ms.author: anfdocs
1111
# Customer intent: As an Azure NetApp Files administrator, I want to create and manage Active Directory connections, so that I can enable proper authentication and access control for my SMB and NFS volumes.
1212
---
@@ -32,6 +32,19 @@ Several features of Azure NetApp Files require that you have an Active Directory
3232

3333
* The AD connection admin account supports Kerberos AES-128 and Kerberos AES-256 encryption types for authentication with AD DS for Azure NetApp Files computer account creation (for example, AD domain join operations).
3434

35+
* To enable AES encryption, you should first enable AES-128, AES-256, RC4, and DES encryption types on Active Directory (AD) then enable AES on the control plane. You must enable encryption in Active Directory first.
36+
37+
* To enable AES encryption support for the admin account in the AD connection, run the following Active Directory PowerShell commands:
38+
39+
```powershell
40+
Get-ADUser -Identity <ANF AD connection account username>
41+
Set-ADUser -KerberosEncryptionType <encryption_type>
42+
```
43+
44+
`KerberosEncryptionType` is a multivalued parameter that supports the values DES, RC4, AES-128, and AES-256.
45+
46+
For more information, refer to the [Set-ADUser documentation](/powershell/module/activedirectory/set-aduser).
47+
3548
* To enable the AES encryption on the Azure NetApp Files AD connection admin account, you must use an AD domain user account that is a member of one of the following AD DS groups:
3649
3750
* Domain Admins
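Review bot: the new bullet at +35 instructs the reader to enable RC4 and DES encryption types in Active Directory as a prerequisite for AES, which works against the goal of this section (an admin account that authenticates with AES) and leaves the weaker types negotiable on that account; if the intended point is only the ordering (configure Active Directory before the control plane), state that and drop RC4 and DES from the list, and also drop the sentence "You must enable encryption in Active Directory first.", which repeats the sentence before it. Two further points in the same hunk: `Set-ADUser -KerberosEncryptionType <encryption_type>` at +41 has no `-Identity` parameter and will not run as written (either add `-Identity <ANF AD connection account username>` or pipe the preceding `Get-ADUser` into it), and the linked Set-ADUser documentation spells the parameter values `AES128` and `AES256` (alongside `DES`, `RC4` and `None`), not the hyphenated `AES-128` and `AES-256` given at +44.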
@@ -46,17 +59,6 @@ Several features of Azure NetApp Files require that you have an Active Directory
4659
4760
If you set both AES-128 and AES-256 Kerberos encryption on the admin account of the AD connection, the Windows client negotiates the highest level of encryption supported by your AD DS. For example, if both AES-128 and AES-256 are supported, and the client supports AES-256, then AES-256 will be used.
4861
49-
* To enable AES encryption support for the admin account in the AD connection, run the following Active Directory PowerShell commands:
50-
51-
```powershell
52-
Get-ADUser -Identity <ANF AD connection account username>
53-
Set-ADUser -KerberosEncryptionType <encryption_type>
54-
```
55-
56-
`KerberosEncryptionType` is a multivalued parameter that supports AES-128 and AES-256 values.
57-
58-
For more information, refer to the [Set-ADUser documentation](/powershell/module/activedirectory/set-aduser).
59-
6062
* If you have a requirement to enable and disable certain Kerberos encryption types for Active Directory computer accounts for domain-joined Windows hosts used with Azure NetApp Files, you must use the Group Policy `Network Security: Configure Encryption types allowed for Kerberos`.
6163
6264
Do not set the registry key `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\SupportedEncryptionTypes`. Doing this will break Kerberos authentication with Azure NetApp Files for the Windows host where this registry key was manually set.
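Review bot: this hunk removes the block that the previous hunk relocates earlier in the file, which is consistent, but the relocated copy changes the wording, so the commit message "encryption order" undersells the change: the removed line at -56 said the parameter supports only the AES-128 and AES-256 values, while the new copy adds DES and RC4. Either keep the original wording in the moved block or describe the content change in the commit message so the review of the value list is deliberate rather than hidden in a move.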
