Authentication for SMB Access


Kerberos is the default authentication mechanism for SMB access, while NTLMv2 is supported as a failover authentication scenario, as in Windows SMB servers.

Kerberos Authentication Requirements

Among the requirements for successful authentication via Kerberos are the following:

  • The user is logged into the same Active Directory domain to which VAST Cluster has joined.

  • The client connects using a hostname and not an IP address.

  • HOST SPN attributes are configured in the VAST Cluster's Active Directory machine account.

If the Kerberos authentication requirements are not met, for example, if the user is not logged into the cluster's joined domain or there are no HOST SPN attributes, VAST Cluster supports client failover to NTLMv2 authentication.

NTLMv2 Authentication as Failover

NTLMv2 authentication will work even when:

  • The client connects using an IP address rather than a hostname.

  • The client host is not logged into the cluster's joined domain. In this case, credentials for the user's account on that domain must be supplied manually.

NTLM authentication will NOT work if it has been disabled for the VAST cluster in the cluster's Active Directory settings (in VAST Web UI: Users -> Active Directory).
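The decision described above (Kerberos only when the client uses a hostname, belongs to the cluster's joined domain, and a matching HOST SPN exists; otherwise NTLMv2, or no access if NTLM is disabled) as an added troubleshooting helper, not VAST's own code or API. The SPN list and domain names are constructed sample values, and "logged into the same domain" is approximated by comparing the client's domain name with the cluster's.

```python
"""Predict which SMB authentication path a client session will take."""
import ipaddress

# Constructed sample servicePrincipalName values for a cluster machine account.
SAMPLE_SPNS = [
    "HOST/vastcluster",
    "HOST/vastcluster.corp.example",
    "cifs/vastcluster.corp.example",
]


def is_ip_literal(target: str) -> bool:
    """True if the client addressed the server by IP rather than hostname."""
    try:
        ipaddress.ip_address(target.strip("[]"))
        return True
    except ValueError:
        return False


def has_host_spn(spns, target: str) -> bool:
    """True if the machine account carries a HOST/<target> SPN (case-insensitive)."""
    wanted = target.lower()
    for spn in spns:
        service, _, host = spn.partition("/")
        if service.lower() == "host" and host.lower() == wanted:
            return True
    return False


def kerberos_blockers(target, client_domain, cluster_domain, spns):
    """List the Kerberos requirements that this session would fail (empty = OK)."""
    blockers = []
    if is_ip_literal(target):
        blockers.append("client connects by IP address, not hostname")
    if client_domain is None or client_domain.lower() != cluster_domain.lower():
        blockers.append("client is not logged into the cluster's joined domain")
    if not has_host_spn(spns, target):
        blockers.append(f"no HOST/{target} SPN on the cluster machine account")
    return blockers


def predict_smb_auth(target, client_domain, cluster_domain, spns, ntlm_enabled=True):
    """Return 'kerberos', 'ntlmv2' or 'denied' for a proposed SMB session."""
    if not kerberos_blockers(target, client_domain, cluster_domain, spns):
        return "kerberos"
    # Kerberos prerequisites unmet: failover to NTLMv2 unless NTLM is disabled.
    return "ntlmv2" if ntlm_enabled else "denied"
```

Pass the cluster's actual SPNs (for example, from the machine account's servicePrincipalName attribute) in place of the constructed list to check a real deployment.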

Take into account the following performance considerations:

  • Performance during session establishment is lower with NTLM than with Kerberos. This could have a noticeable impact in a high-load situation, such as a large number of users establishing access to a share at the start of a working day.

  • The compute load on the cluster should always be balanced across the CNodes. It is therefore not advisable to connect to the VAST cluster over individual CNode VIPs. If the VAST DNS service is enabled, clients should instead connect to the appropriate DNS name associated with the relevant VIP pool. This allows clients to be distributed properly across the CNodes within the pool. For information about the DNS server, see DNS-Based Virtual IP Distribution.

Using Kerberos/NTLM Authentication To Authorize Users from Non-Trusting Domains

A tenant can be configured to authorize SMB client access by using user and group information supplied in the user's Kerberos or NTLM ticket, rather than by retrieving that data in Active Directory. This option is beneficial in one-way trust environments where VAST Cluster is not allowed to run LDAP queries against some domains.

To enable or disable this feature:

  • In VAST Web UI, open tenant's settings (Element Store -> Tenants -> choose to create or edit a tenant) and in the General tab, toggle Use SMB native authentication on or off.

  • In VAST CLI, use the --enable-use-smb-native and --disable-use-smb-native options on the tenant create or tenant modify commands.

Note that this setting applies only to SMB users that are authenticated through Kerberos or NTLM. All other users are authorized based on the Group Membership Source setting in the applicable view policy.