Hi,
If you have completely disabled NTLM and you want to mount a CIFS share by a DNS alias, you have to set a Service Principal Name for the alias on the computer object.
Let us assume the hostname is server01.myDomain.org and the alias/cname is fileshare.mydomain.org.
D:> setspn -S host/fileshare server01
D:> setspn -S host/fileshare.mydomain.org server01
Add the aliases as allowed server names. Separate the items with \0.
D:> reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v "SrvAllowedServerNames" /t REG_MULTI_SZ /d "fileshare\0fileshare.mydomain.org" /f
If an access denied error occurs, look for Event ID 5168 in the security log (auditing must be enabled).
This is also possible for IP addresses, but this must be enabled on the client computer.
D:> reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters" /v TryIPSPN /t REG_DWORD /d 1 /f
D:> setspn -S host/10.10.200.100 server01
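A way to check the alias setup above on the file server, as an added example that is not part of the original post: it looks up which computer object holds each host/ SPN, confirms the alias is listed in SrvAllowedServerNames, and shows recent Event ID 5168 entries. The names are the sample values from the post; the variable names and the 24-hour window are assumptions.

```powershell
# Added example: verify the Kerberos-only SMB alias setup (run elevated on the file server).
# Sample values taken from the post; adjust them to your environment.
$Aliases = @('fileshare', 'fileshare.mydomain.org')
$Server  = 'server01'
$RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# Current content of the REG_MULTI_SZ value (empty if it was never created).
$allowed = @((Get-ItemProperty -Path $RegPath -Name SrvAllowedServerNames `
                -ErrorAction SilentlyContinue).SrvAllowedServerNames)

$report = foreach ($alias in $Aliases) {
    # Ask the directory which objects carry host/<alias>. Exactly one owner,
    # the file server itself, is the expected state; none or several will
    # make Kerberos ticket requests for the alias fail.
    $hits   = ([adsisearcher]"(servicePrincipalName=host/$alias)").FindAll()
    $owners = @($hits | ForEach-Object { $_.Properties['name'][0] })

    [pscustomobject]@{
        Alias         = $alias
        SpnOwners     = $owners -join ','
        SpnOk         = ($owners.Count -eq 1 -and $owners -contains $Server)
        InAllowedList = ($allowed -contains $alias)
    }
}
$report | Format-Table -AutoSize

# Event ID 5168 is only written when auditing is enabled, as the post notes.
# Get-WinEvent raises an error when nothing matches, hence SilentlyContinue.
$since  = (Get-Date).AddHours(-24)   # assumed look-back window
$events = Get-WinEvent -FilterHashtable @{
              LogName = 'Security'; Id = 5168; StartTime = $since
          } -MaxEvents 20 -ErrorAction SilentlyContinue

if ($events) {
    $events | Select-Object TimeCreated, Message | Format-List
} else {
    "No Event ID 5168 entries in the last 24 hours."
}
```

A row with SpnOk or InAllowedList set to False points to the step that still has to be applied for that alias.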
Michael