NetAppDocs / ontap

https://docs.netapp.com/us-en/ontap/

Description of setup regarding Kerberos is missing the importance of PTR records and does not mention the TryIPSPN feature. #1248

Open Saturnous opened 9 months ago

Saturnous commented 9 months ago

Page URL

https://docs.netapp.com/us-en/ontap/antivirus/install-ontap-antivirus-connector-task.html

Page title

Install ONTAP Antivirus Connector

Summary

When Kerberos authentication is required for Vscan servers, each SVM data LIF must have a unique DNS name registered as a PTR record and a Host-A entry. This DNS name must also be registered as a server principal name (SPN) in the SVM's computer account within the Windows Active Directory. On scan servers running Windows Server 2016 and newer, it is also possible to register the IPv4 addresses as SPNs and enable Kerberos over IP on the scan server by running the following command in an elevated shell.

reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters" /v TryIPSPN /t REG_DWORD /d 1 /f

https://learn.microsoft.com/en-us/windows-server/security/kerberos/configuring-kerberos-over-ip

Public issues must not contain sensitive information
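A read-only check of the requirements described in this issue, run in PowerShell on the scan server (an added example, not part of the original comment or of NetApp's documentation): it confirms that each data LIF name has exactly one A record with a PTR record pointing back to the same name, and reports whether TryIPSPN is set. The LIF names and the function name `Test-LifDnsRecord` are constructed placeholders.

```powershell
# Added example. Replace these constructed names with the DNS names of your SVM data LIFs.
$LifNames = @('svm1-lif1.example.com', 'svm1-lif2.example.com')

function Test-LifDnsRecord {
    param([Parameter(Mandatory)][string[]]$Name)

    foreach ($n in $Name) {
        $fqdn = $n.TrimEnd('.')
        # Forward lookup against DNS only (no LLMNR/NetBIOS), keeping A records and skipping CNAMEs.
        $a = @(Resolve-DnsName -Name $fqdn -Type A -DnsOnly -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'A' })
        if ($a.Count -eq 0) {
            [pscustomobject]@{ Name = $fqdn; IPAddress = $null; Ptr = $null; Status = 'No A record' }
            continue
        }
        foreach ($rec in $a) {
            $ip = $rec.IPAddress
            # Reverse lookup: the PTR record must point back to the same name.
            $ptr = @(Resolve-DnsName -Name $ip -Type PTR -DnsOnly -ErrorAction SilentlyContinue |
                     Where-Object { $_.Type -eq 'PTR' } |
                     ForEach-Object { $_.NameHost.TrimEnd('.') })
            $status = if ($ptr.Count -eq 0) {
                'No PTR record'
            } elseif ($ptr -notcontains $fqdn) {
                'PTR points to a different name'
            } elseif ($a.Count -gt 1) {
                'Name resolves to several addresses (not unique per LIF)'
            } else {
                'OK'
            }
            [pscustomobject]@{ Name = $fqdn; IPAddress = $ip; Ptr = ($ptr -join ','); Status = $status }
        }
    }
}

Test-LifDnsRecord -Name $LifNames | Format-Table -AutoSize

# Report the Kerberos-over-IP setting named in the issue (the value is absent unless it was added).
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
$tryIpSpn = (Get-ItemProperty -Path $key -Name TryIPSPN -ErrorAction SilentlyContinue).TryIPSPN
if ($null -eq $tryIpSpn) { 'TryIPSPN is not set' } else { "TryIPSPN = $tryIpSpn" }
```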

netapp-ehoffman commented 9 months ago

@Saturnous, are you a NetApp employee? If so, can you share your user name for additional discussion? Thanks!