Verifying that both Kerberos and NTLMv2 authentication are permitted (Hyper-V over SMB shares)
Nondisruptive operations for Hyper-V over SMB require that the CIFS server on a data SVM and the Hyper-V server permit both Kerberos and NTLMv2 authentication. You must verify settings on both the CIFS server and the Hyper-V servers that control what authentication methods are permitted.
About this task
Kerberos authentication is required when making a continuously available share connection. Part of the Remote VSS process uses NTLMv2 authentication. Therefore, connections using both authentication methods must be supported for Hyper-V over SMB configurations.
The following settings must be configured to allow both Kerberos and NTLMv2 authentication:
Export policies for SMB must be disabled on the storage virtual machine (SVM).
Both Kerberos and NTLMv2 authentication are always enabled on SVMs, but export policies can be used to restrict access based on authentication method.
Export policies for SMB are optional and are disabled by default. If export policies are disabled, both Kerberos and NTLMv2 authentication are allowed on a CIFS server by default.
The domain to which the CIFS server and Hyper-V servers belong must permit both Kerberos and NTLMv2 authentication.
Kerberos authentication is enabled by default on Active Directory domains. However, NTLMv2 authentication can be disallowed, either using Security Policy settings or Group Policies.
Example
The following commands verify that export policies for SMB are disabled on SVM vs1:
cluster1::> set -privilege advanced
Warning: These advanced commands are potentially dangerous; use them
only when directed to do so by technical support personnel.
Do you wish to continue? (y or n): y
cluster1::*> vserver cifs options show -vserver vs1 -fields vserver,is-exportpolicy-enabled
vserver is-exportpolicy-enabled
-------- -----------------------
vs1 false
cluster1::*> set -privilege admin