KDC event ID 16 is logged if AES is disabled for Kerberos
Applies to
- ONTAP 9
- CIFS
- Windows Key Distribution Center (KDC)
Issue
- Event ID 16 (KDCEVENT_NO_KEY_INTERSECTION_TGS) from source Microsoft-Windows-Kerberos-Key-Distribution-Center is logged on one or more KDCs because Kerberos support for the AES encryption types "AES128-CTS-HMAC-SHA1-96" (17) and "AES256-CTS-HMAC-SHA1-96" (18) is missing:
Example
While processing a TGS request for the target server cifs/netappcifs, the account user@DOMAIN.COM did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 8). The requested etypes were 18 17. The accounts available etypes were 23 -133 -128 18 17. Changing or resetting the password of NETAPPCIFS will generate a proper key.
- Use vserver cifs security show to determine the current configuration:
cluster::> vserver cifs security show -vserver netappcifs -fields is-aes-encryption-enabled
vserver is-aes-encryption-enabled
---------- -------------------------
netappcifs false
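A triage check for the symptom described above, as an added example that is not part of the original article or of any NetApp or Microsoft tooling: it parses the event ID 16 message and the vserver cifs security show output and reports whether only AES etypes were requested while AES is disabled on the SVM. The function names are hypothetical, and the sample inputs are copied from the example on this page.

```python
import re

# Etype numbers named in this article; no other etypes are interpreted.
AES_ETYPES = {17: "AES128-CTS-HMAC-SHA1-96", 18: "AES256-CTS-HMAC-SHA1-96"}

EVENT_RE = re.compile(
    r"target server (?P<spn>\S+), the account (?P<account>\S+) did not have "
    r"a suitable key.*?requested etypes were (?P<req>[-\d ]+)\. "
    r"The accounts available etypes were (?P<avail>[-\d ]+)\.",
    re.S,
)

# Sample inputs copied from the example on this page.
SAMPLE_EVENT = (
    "While processing a TGS request for the target server cifs/netappcifs, "
    "the account user@DOMAIN.COM did not have a suitable key for generating "
    "a Kerberos ticket (the missing key has an ID of 8). The requested etypes "
    "were 18 17. The accounts available etypes were 23 -133 -128 18 17."
)
SAMPLE_CLI = """vserver    is-aes-encryption-enabled
---------- -------------------------
netappcifs false"""

def parse_event16(message):
    """Extract SPN, account and both etype lists from an event ID 16 message."""
    m = EVENT_RE.search(message)
    if m is None:
        return None
    return {"spn": m["spn"], "account": m["account"],
            "requested": [int(x) for x in m["req"].split()],
            "available": [int(x) for x in m["avail"].split()]}

def parse_aes_setting(cli_output):
    """Map vserver name -> is-aes-encryption-enabled (bool) from the CLI table."""
    rows = (line.split() for line in cli_output.splitlines())
    return {r[0]: r[1] == "true" for r in rows
            if len(r) == 2 and r[1] in ("true", "false")}

def matches_article(message, cli_output, vserver):
    """True when only AES etypes were requested and AES is disabled on vserver."""
    event = parse_event16(message)
    if event is None or not event["requested"]:
        return False
    aes_only = all(e in AES_ETYPES for e in event["requested"])
    return aes_only and parse_aes_setting(cli_output).get(vserver) is False

if __name__ == "__main__":
    print(parse_event16(SAMPLE_EVENT))
    print(matches_article(SAMPLE_EVENT, SAMPLE_CLI, "netappcifs"))
```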