Windows: Enable Share access for alias/cname or IP address with kerberos

Hi,

if you have completely disabled NTLM and you want to a mount a cifs share by an DNS alias you have to set an Service Principal Name for the alias at the computerobject.


Let us assume the hostname is server01.myDomain.org and the alias/cname is fileshare.mydomain.org.

D:> setspn -S host/fileshare server01
D:> setspn -S host/fileshare.mydomain.org server01

Add the aliases as allowed Servernames. Seperate the items by \0.

D:> reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v "SrvAllowedServerNames" /t REG_MULTI_SZ /d "fileshare\0fileshare.mydomain.org" /f

If an access denied error occures look for EventID 5168 in the security log (Auditing must be enabled).

This is also possible for IP Addresses, but this must be enabled an the client computer.

D:> reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters" /v TryIPSPN /t REG_DWORD /d 1 /f
D:> setspn -S host/10.10.200.100 server01

Michael

Leave a Reply