Windows: Enable share access for an alias/CNAME or IP address with Kerberos


If you have completely disabled NTLM and you want to mount a CIFS share through a DNS alias, you have to register a Service Principal Name (SPN) for the alias on the computer object of the file server.

Let us assume the hostname is and the alias/cname is

D:> setspn -S host/fileshare server01
D:> setspn -S host/ server01

Add the aliases as allowed server names. Separate the items with \0.

D:> reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v "SrvAllowedServerNames" /t REG_MULTI_SZ /d "fileshare\" /f

If an access denied error occurs, look for Event ID 5168 in the Security log (auditing must be enabled).

This is also possible for IP addresses, but it must be enabled on the client computer.

D:> reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters" /v TryIPSPN /t REG_DWORD /d 1 /f
D:> setspn -S host/ server01
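As an added example that is not part of the original post, the following PowerShell function checks, on the file server itself, the three pieces the steps above configure: the host/<alias> SPNs, the SrvAllowedServerNames list and recent Event ID 5168 entries. It assumes it is run elevated on the file server; server01 and fileshare are the post's example names, fileshare.corp.example is a constructed FQDN.

```powershell
# Added example, not from the original post. Verifies the Kerberos alias setup
# for a share on the local file server. Assumed names: server01 (computer),
# fileshare and fileshare.corp.example (aliases; the FQDN is constructed).
function Test-AliasKerberosShareConfig {
    param(
        [string]$ComputerName = 'server01',
        [string[]]$Aliases    = @('fileshare', 'fileshare.corp.example')
    )

    # 1. SPNs: every alias needs a host/<alias> SPN on the computer object.
    #    "setspn -L" lists the registered SPNs one per line.
    $spns = setspn -L $ComputerName | ForEach-Object { $_.Trim() }

    # 2. SrvAllowedServerNames: the server service only answers for names in
    #    this REG_MULTI_SZ list (plus its own hostname), so the alias must be here.
    $lanman  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $allowed = (Get-ItemProperty -Path $lanman -Name SrvAllowedServerNames `
                -ErrorAction SilentlyContinue).SrvAllowedServerNames
    if (-not $allowed) { $allowed = @() }

    foreach ($alias in $Aliases) {
        [pscustomobject]@{
            Alias              = $alias
            SpnRegistered      = ($spns -contains "host/$alias")
            InAllowedServerNames = ($allowed -contains $alias)
        }
    }

    # 3. An access denied caused by a server name mismatch is audited as
    #    Event ID 5168 in the Security log (requires File Share auditing).
    $events = Get-WinEvent -FilterHashtable @{
                  LogName   = 'Security'
                  Id        = 5168
                  StartTime = (Get-Date).AddDays(-1)
              } -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Alias                = '(Event 5168, last 24h)'
        SpnRegistered        = $null
        InAllowedServerNames = $null
        Count                = @($events).Count
    }
}

Test-AliasKerberosShareConfig | Format-Table -AutoSize
```

Any alias that shows False in either column is the one to fix with setspn -S or reg add as described above.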

