Workflow for Enabling Client Protocol Access


To enable client users to access and write data to the cluster using any supported combination of access protocols, complete all of the cluster-side configuration steps described below.

For client-side configuration and the use of protocol-specific features, see the protocol-specific sections.

Configure Network Access

If not yet configured, you will need to configure virtual IP (VIP) pools. Virtual IP pools provide interfaces that can be used to access the cluster by client protocols.

You should also configure DNS forwarding to the virtual IP pools. It's recommended to use the VAST Cluster DNS Service. See DNS-Based Virtual IP Distribution.

For all details relating to virtual IP pool and DNS Service configuration, see Configuring Network Access.

Configure Providers

Configure authorization/authentication providers.

Read about multiple provider support and client protocol combinations, and how to connect to each provider here: Managing Users.

(Optional) Configure Tenants

If you would like to deploy multiple tenants, where each tenant has its own isolated data path and can have separate network access and provider, you can create tenants, associate them with different virtual IP pools and configure provider usage per tenant. For details, see Tenants.

(For Kerberos Only) Configure Active Directory SPNs for VAST Cluster DNS Service Domains

Kerberos authentication is used to authenticate all SMB client connections to the cluster. Similarly, Kerberos authentication is supported and typically used for NFSv4.1 client connections to the cluster.

When clients use Kerberos authentication, the mount request must specify the cluster using a DNS name rather than an IP address.

Note

If you enable NFSv4.1 client access without Kerberos authentication, client mount requests can specify a virtual IP address instead of a DNS name.

For Kerberos to authenticate the NFSv4.1 or SMB service on the cluster, the cluster's machine object in Active Directory must carry Service Principal Name (SPN) attributes of type NFS/ (for NFSv4.1) and HOST/ (for SMB) for each FQDN that resolves to the IPs that provide network access to the cluster.

The default configuration enables clients to mount views specifying the cluster by the specific DNS name <cluster_machine_account_name>.<Active Directory domain name>, provided that this DNS name resolves to VIPs on the cluster. In the event that you are not using the VAST DNS service and your DNS server delegates requests for the above DNS name to all VIPs, you don't need to add any SPNs.

Assuming the VAST Cluster DNS service is enabled, you need to add SPN attributes to the machine account in Active Directory for the DNS service domain names that are configured for the VIP pools.

Add the following:

  • For NFSv4.1, for each virtual IP pool, add one SPN attribute with the following format:

    NFS/<VIP Pool Domain Name>.<DNS Service Suffix>

  • For SMB, for each virtual IP pool, add one SPN attribute with the following format:

    HOST/<VIP Pool Domain Name>.<DNS Service Suffix>

In which:

  • <VIP Pool Domain Name> is the domain name value set in each virtual IP pool.

  • <DNS Service Suffix> is the domain suffix configured in DNS service settings.

For example, supposing you have the following configuration:

  • One delegation rule on your central DNS server forwarding all requests for cluster.mycorp.com to the VAST DNS server.

  • The DNS Service enabled with DNS Service Suffix set to cluster.mycorp.com.

  • Three virtual IP pools with the following virtual IP pool domain names:

    VIP Pool    VIP Pool Domain Name
    vippool1    domain1
    vippool2    domain2
    vippool3    domain3

In this case, in order to enable clients to mount views using NFSv4.1 with Kerberos, you'll need to add the following SPN attributes to the cluster's machine account in Active Directory:

  • NFS/domain1.cluster.mycorp.com

  • NFS/domain2.cluster.mycorp.com

  • NFS/domain3.cluster.mycorp.com

One way to add SPNs to an Active Directory domain is to use the Active Directory Users and Computers MMC:

  1. On the Active Directory server machine, open the Active Directory Users and Computers MMC.

  2. Under View, select Advanced Features.

  3. Select Computers and in the left pane, locate the cluster's machine account object.

  4. Right-click the object and select Properties.

  5. Select the Attribute Editor tab and edit the servicePrincipalName attribute.

  6. Add the entries.

  7. Click OK in the editor and the properties dialogs as needed to save the entries.
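The same SPN entries can be added from the command line with the ActiveDirectory PowerShell module instead of the MMC. The script below is an added example and is not part of the VAST documentation: it assumes the RSAT ActiveDirectory module is installed, that the account running it is allowed to write the servicePrincipalName attribute of the cluster's computer object, and it uses the placeholder machine account name VASTCLUSTER01 together with the DNS Service Suffix and VIP pool domain names from the example configuration above. It adds both the NFS/ and HOST/ entry for each pool and refuses to register an SPN that another object already holds, because an SPN present on two accounts prevents the KDC from issuing tickets for that service.

```powershell
# Added example (not VAST's own code). Assumes the RSAT ActiveDirectory module
# and an account permitted to write servicePrincipalName on the cluster's
# computer object. VASTCLUSTER01 is a placeholder machine account name; the
# suffix and pool domain names are those from the example configuration above.
Import-Module ActiveDirectory

$MachineAccount   = 'VASTCLUSTER01'                       # placeholder: cluster machine account (sAMAccountName without the trailing $)
$DnsServiceSuffix = 'cluster.mycorp.com'                  # DNS Service Suffix configured in the DNS service settings
$VipPoolDomains   = @('domain1', 'domain2', 'domain3')    # VIP Pool Domain Name of each virtual IP pool

# One NFS/ SPN (NFSv4.1) and one HOST/ SPN (SMB) per virtual IP pool.
$Spns = foreach ($d in $VipPoolDomains) {
    "NFS/$($d).$($DnsServiceSuffix)"
    "HOST/$($d).$($DnsServiceSuffix)"
}

$computer = Get-ADComputer -Identity $MachineAccount -Properties servicePrincipalName

foreach ($spn in $Spns) {
    if ($computer.servicePrincipalName -contains $spn) {
        Write-Host "already present - $spn"
        continue
    }
    # An SPN registered on more than one account breaks Kerberos for that
    # service (the KDC cannot tell which account's key to use), so look for
    # an existing holder anywhere in the domain before adding it.
    $holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)") |
        Where-Object { $_.DistinguishedName -ne $computer.DistinguishedName }
    if ($holders) {
        Write-Warning "not adding $spn - already registered on $($holders.DistinguishedName -join '; ')"
        continue
    }
    Set-ADComputer -Identity $MachineAccount -ServicePrincipalNames @{ Add = $spn }
    Write-Host "added - $spn"
}

# Print the resulting attribute so it can be compared against the VIP pool configuration.
(Get-ADComputer -Identity $MachineAccount -Properties servicePrincipalName).servicePrincipalName |
    Sort-Object
```

Run it on a domain-joined administrative host; the final listing should contain one NFS/ and one HOST/ entry per virtual IP pool, each matching the FQDN that the VAST DNS service returns for that pool.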

Ensure Provider Users Have Required Attributes

In order for users to be authorized correctly, they must have the correct attributes defined on the provider:

Users' memberships of any additional groups besides their default group should be defined in the provider.

NFSv3 and NFSv4.1 Users and Groups

For users to be able to access the cluster by NFSv3 or NFSv4.1, user entries must have the following attributes on an external provider domain:

  • uidNumber, defining the user's NFS user ID as used by Linux/UNIX.

  • gidNumber, defining the user's default (leading) NFS group ID as used by Linux/UNIX.

Similarly, each group entry should have a gidNumber entry, to define the NFS group ID of the group.

Adding NFS Attributes to Active Directory User and Group Entries

One way you can update Active Directory user and group entries is via the Microsoft Management Console (MMC):

  1. On the Active Directory server machine, open the MMC and select Active Directory Users and Computers.

  2. From the View menu, select Advanced Features.

  3. For each user and group object, open the object and select the Attribute Editor tab. (This editor may need to be installed.)

  4. Verify or fill the uidNumber attribute for users and the gidNumber attribute for both users and groups.
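The uidNumber and gidNumber attributes can also be set and verified with the ActiveDirectory PowerShell module. The script below is an added example and not part of the VAST documentation; it assumes the RSAT ActiveDirectory module and rights to modify the listed objects, and the account names and ID numbers in it are constructed placeholders. Beyond writing the attributes, it checks the two conditions that most often cause incorrect NFS authorization: a user's default gidNumber that matches no group, and a uidNumber or gidNumber shared by more than one object, which makes the sharing principals indistinguishable to NFS.

```powershell
# Added example (not VAST's own code). Assumes the RSAT ActiveDirectory module
# and rights to modify the listed user and group objects. The account names
# and ID numbers below are constructed placeholders.
Import-Module ActiveDirectory

# Desired NFS identities: sAMAccountName -> uidNumber / default gidNumber.
$Users = @(
    @{ Name = 'alice'; Uid = 10001; Gid = 5001 },
    @{ Name = 'bob';   Uid = 10002; Gid = 5001 }
)
$Groups = @(
    @{ Name = 'nfs-engineering'; Gid = 5001 }
)

# Groups first, so every default gidNumber assigned to a user already exists on a group.
foreach ($g in $Groups) {
    Set-ADGroup -Identity $g.Name -Replace @{ gidNumber = $g.Gid }
}
foreach ($u in $Users) {
    Set-ADUser -Identity $u.Name -Replace @{ uidNumber = $u.Uid; gidNumber = $u.Gid }
}

# Check 1: every user's default gidNumber resolves to a group that carries it.
$groupEntries = @(Get-ADGroup -Filter 'gidNumber -like "*"' -Properties gidNumber)
$groupGids    = @($groupEntries | ForEach-Object { [int]$_.gidNumber })
$posixUsers   = @(Get-ADUser -Filter 'uidNumber -like "*"' -Properties uidNumber, gidNumber)
foreach ($u in $posixUsers) {
    if ($groupGids -notcontains [int]$u.gidNumber) {
        Write-Warning "$($u.SamAccountName) has gidNumber $($u.gidNumber), which matches no group"
    }
}

# Check 2: uidNumber must be unique. Two accounts sharing a uidNumber are the
# same identity to NFS and silently inherit each other's file permissions.
$posixUsers | Group-Object uidNumber | Where-Object { $_.Count -gt 1 } | ForEach-Object {
    Write-Warning "uidNumber $($_.Name) is shared by: $($_.Group.SamAccountName -join ', ')"
}

# Check 3: gidNumber must be unique across groups, for the same reason.
$groupEntries | Group-Object gidNumber | Where-Object { $_.Count -gt 1 } | ForEach-Object {
    Write-Warning "gidNumber $($_.Name) is shared by: $($_.Group.SamAccountName -join ', ')"
}
```

The checks read back every user and group that has the attribute, not only the ones written by the script, so they also surface collisions with objects that were configured earlier by hand in the Attribute Editor.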

Note

We hope the above procedure is helpful. In the event that the above procedure does not match your Microsoft operating system interface exactly, please seek the exact procedure in Microsoft's documentation.

SMB Users and Groups

A user entry automatically has a SID (Security Identifier), the unique identifier that Active Directory uses to identify objects as security principals.

Group memberships can be marked either by a member entry in each group that contains the user or by a memberOf entry in the user entry for each group that contains the user. This is known as "nested groups".

S3 Users

There is no need to add special attributes to providers for S3 users, since they are authorized via their access key pairs which must be issued via VMS. For a user to be matched to user entries on external providers, the access key pair needs to be generated by first querying providers for the user name and then issuing the key pair, as explained here. Once that is done, the user will be matched correctly to file permissions set by any protocol. S3 ACLs can specify users as <username>@<domain> or by a VAST ID as explained here. The user name should match the user name for the relevant user entry on the providers.

Database Users

Follow these guidelines to set up a database owner user.

Configure a View Policy

Create or modify the view policies you will need for the protocols you wish to use concurrently on a view. See Creating View Policies.

Create Views

Views enable access to specific paths for specified protocols or combinations. See Creating Views.