AES support for SMB

File Services Administration Guide for Hitachi NAS Platform

Version: 14.7.x, 14.6.x
Audience: anonymous
Part Number: MK-92HNAS006-29

Windows Vista and Windows Server 2008 introduced support for the Kerberos AES encryption types, in addition to the older encryption types (DES and RC4-HMAC) already implemented in earlier Windows versions.

The SMB implementation supports the AES encryption types. The supported AES encryption types are:
  • AES256-CTS-HMAC-SHA1-96 (the default when the client, the DC and the CIFS name all support AES)
  • AES128-CTS-HMAC-SHA1-96. To force AES-128 for a CIFS name:
    • Configure the DC only: on the CIFS name's computer account, set msDS-SupportedEncryptionTypes to 0x8 (AES128_CTS_HMAC_SHA1_96) so that it is the only AES type advertised. No change is needed on the server.
    • Run klist purge on each client so cached tickets issued with the old encryption type are discarded.
Note: Domain controllers running Windows Server 2008 or later are required.
Note: The cifs-keytab-list command can be used to display the encryption types supported by a CIFS name.
Configuration to Support AES with Existing CIFS Names (created on 12.2 or earlier)
  • No configuration is required on the server for existing CIFS names. AES is automatically enabled on upgrade to 12.3 or later.
  • However, configuration is required on the DC: AES must be added to the msDS-SupportedEncryptionTypes list of each existing CIFS name's computer account, otherwise the DC will continue to issue RC4 tickets for that CIFS name.
Configuration to Support AES with New CIFS Names (created on 12.3 or later)
  • No configuration is required for newly created CIFS names; the computer account is created with AES in its supported encryption types.
Note: The client credentials cache should be purged whenever the Kerberos configuration is changed on either the DC or the clients (for example, to change the supported encryption types list); otherwise clients keep presenting tickets issued under the old configuration until they expire. On Windows clients this can be done using: klist purge.
Upgrades and downgrades
  • For an upgrade (from 12.2 or earlier to 12.3 or later), AES must be added to the supported encryption types of the DC computer accounts of existing CIFS names.
  • For a downgrade (from 12.3 or later to 12.2 or earlier), AES must be removed from the supported encryption types of the DC computer accounts of CIFS names that were created with 12.3 or later, or that had AES explicitly enabled as described for upgrades. Otherwise the DC will issue AES tickets that the downgraded server cannot decrypt, and SMB authentication will fall back to NTLM.
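The DC-side steps above (forcing AES-128 for a CIFS name, adding AES on upgrade, removing it on downgrade, then purging client tickets) all come down to editing one bitmask on the CIFS name's computer account. The following PowerShell is an added example and is not part of the Hitachi guide or the HNAS software; it assumes the RSAT ActiveDirectory module, rights to modify the computer object, and a CIFS name whose computer account is named HNAS-CIFS01 (hypothetical), with a hypothetical share used for the verification step.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the Hitachi guide: maintain the Kerberos encryption
# types advertised on a CIFS name's Active Directory computer account, then
# purge the client's ticket cache so the change takes effect.
# Assumptions (hypothetical): RSAT ActiveDirectory module installed, rights to
# modify the computer object, and a CIFS name whose computer account is
# 'HNAS-CIFS01' with a share called 'share'.

# Bit values of msDS-SupportedEncryptionTypes (MS-KILE section 2.2.7)
$EncType = [ordered]@{
    DES_CBC_CRC          = 0x01
    DES_CBC_MD5          = 0x02
    RC4_HMAC_MD5         = 0x04
    AES128_CTS_HMAC_SHA1 = 0x08   # the guide's "0x8" for forcing AES-128
    AES256_CTS_HMAC_SHA1 = 0x10
}
$AesBits = $EncType.AES128_CTS_HMAC_SHA1 -bor $EncType.AES256_CTS_HMAC_SHA1

function Get-CifsNameEncTypes {
    # Current bitmask; 0 when the attribute is absent, which the DC treats as
    # "RC4 only" (the state of accounts created on 12.2 or earlier).
    param([Parameter(Mandatory)][string]$ComputerName)
    $acct = Get-ADComputer -Identity $ComputerName -Properties 'msDS-SupportedEncryptionTypes'
    return [int]($acct.'msDS-SupportedEncryptionTypes')
}

function ConvertTo-EncTypeNames {
    # Decode a bitmask into names, e.g. 0x1C -> RC4_HMAC_MD5, AES128..., AES256...
    param([int]$Value)
    $EncType.GetEnumerator() | Where-Object { $Value -band $_.Value } | ForEach-Object { $_.Key }
}

function Set-CifsNameEncTypes {
    # Write the bitmask. A result of 0 is written as "attribute absent" rather
    # than a literal 0: both mean "RC4 only" to the DC, but 0 is easy to
    # misread during an audit.
    param([Parameter(Mandatory)][string]$ComputerName, [Parameter(Mandatory)][int]$Value)
    if ($Value -eq 0) {
        Set-ADComputer -Identity $ComputerName -Clear 'msDS-SupportedEncryptionTypes'
    } else {
        Set-ADComputer -Identity $ComputerName -Replace @{ 'msDS-SupportedEncryptionTypes' = $Value }
    }
}

function Enable-CifsNameAes {
    # Upgrade path (12.2 or earlier -> 12.3 or later): add both AES types while
    # keeping whatever is already there, so clients that cannot do AES still work.
    param([Parameter(Mandatory)][string]$ComputerName)
    $current = Get-CifsNameEncTypes $ComputerName
    Set-CifsNameEncTypes $ComputerName ($current -bor $AesBits)
}

function Disable-CifsNameAes {
    # Downgrade path (12.3 or later -> 12.2 or earlier): strip the AES bits.
    # The downgraded server has no AES keys, so AES tickets from the DC would
    # be undecryptable and clients would fall back to NTLM.
    param([Parameter(Mandatory)][string]$ComputerName)
    $current = Get-CifsNameEncTypes $ComputerName
    Set-CifsNameEncTypes $ComputerName ($current -band (-bnot $AesBits))
}

# --- Usage -------------------------------------------------------------------
$cifsName = 'HNAS-CIFS01'   # hypothetical computer account of the CIFS name

Enable-CifsNameAes $cifsName                                   # upgrade case
# Disable-CifsNameAes $cifsName                                # downgrade case
# Set-CifsNameEncTypes $cifsName $EncType.AES128_CTS_HMAC_SHA1 # force AES-128 only

"Now advertising: " + ((ConvertTo-EncTypeNames (Get-CifsNameEncTypes $cifsName)) -join ', ')

# On each client: drop cached tickets, reconnect, and confirm the service
# ticket for the CIFS name was issued with an AES encryption type.
klist purge
net use "\\$cifsName\share" | Out-Null                         # hypothetical share
klist | Select-String -Pattern '^\s*Server:', 'KerbTicket Encryption Type'
```

The final klist line is the client-side check that complements the guide's cifs-keytab-list: the keytab listing shows which encryption types the CIFS name's keys cover on the server, while the "KerbTicket Encryption Type" of the cifs/ service ticket shows what the DC actually issued to this client after the purge. If it still reads RC4-HMAC after an upgrade, the computer account's bitmask was not updated or the ticket cache was not purged.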