14 - NAS File System Local Accounts - Use NTLM Authentication with CIFS Workgroups

Information

Beginning with ONTAP 9, you can configure a CIFS server in a workgroup with CIFS clients that authenticate to the server by using locally defined users and groups. Workgroup client authentication provides an additional layer of security to the ONTAP solution that is consistent with a traditional domain authentication posture. To configure the CIFS server, use the vserver cifs create command. After the CIFS server is created, you can join it to a CIFS domain or join it to a workgroup. To join a workgroup, use the -workgroup parameter. Here is an example configuration:

cluster1::> vserver cifs create -vserver vs1 -cifs-server CIFSSERVER1 -workgroup Sales

Note: A CIFS server in workgroup mode supports only Windows NT LAN Manager (NTLM) authentication and does not support Kerberos authentication.

Solution

NetApp recommends using the NTLM authentication function with CIFS workgroups to maintain your organization's security posture. To validate the CIFS security posture, NetApp recommends using the vserver cifs session show command to display numerous posture-related details, including IP information, the authentication mechanism, the protocol version, and the authentication type.
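
One way to turn that review into a repeatable check, as an added example that is not NetApp's code or part of the original page: it parses saved output of vserver cifs session show -instance and reports every session that deviates from a baseline. The per-session record layout, the field labels, the sample values and the baseline in POLICY are assumptions of this example; adjust them to what your ONTAP release prints and to your own policy.

```python
import re

# Constructed sample modelled on `vserver cifs session show -instance` output;
# the field labels and values are assumptions of this example, not captured data.
SAMPLE = """
                     Vserver: vs1
                  Session ID: 1
      Workstation IP address: 192.0.2.10
    Authentication Mechanism: NTLMv2
            Protocol Version: SMB3
       User Authenticated as: local-user

                     Vserver: vs1
                  Session ID: 2
      Workstation IP address: 192.0.2.11
    Authentication Mechanism: NTLMv1
            Protocol Version: SMB1
       User Authenticated as: local-user
"""

# Example baseline for a workgroup CIFS server (an assumption, not NetApp guidance):
# field label -> set of accepted values.
POLICY = {
    "Authentication Mechanism": {"NTLMv2"},
    "Protocol Version": {"SMB2", "SMB2_1", "SMB3", "SMB3_1"},
    "User Authenticated as": {"local-user"},
}

def parse_sessions(text):
    """Return one {label: value} dict per session; records are separated by blank lines."""
    sessions = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {k.strip(): v.strip() for k, v in re.findall(r"^[ \t]*([^:\n]+):[ \t]*(.*)$", block, re.M)}
        if "Session ID" in fields:
            sessions.append(fields)
    return sessions

def audit(sessions, policy=POLICY):
    """Return (session_id, workstation_ip, 'field=value') for each value outside the baseline."""
    findings = []
    for s in sessions:
        for field, allowed in policy.items():
            value = s.get(field, "<missing>")  # a missing field is reported, not ignored
            if value not in allowed:
                findings.append((s["Session ID"], s.get("Workstation IP address", "?"), f"{field}={value}"))
    return findings

if __name__ == "__main__":
    for sid, ip, problem in audit(parse_sessions(SAMPLE)):
        print(f"session {sid} from {ip}: {problem}")
```
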

See Also

https://www.netapp.com/us/media/tr-4569.pdf