umichklewis (3 Apprentice, 1.2K Posts), March 14th, 2015 06:00
I think you've got this a little sideways. The Isilon cluster is set up for authentication via Active Directory. Active Directory is configured to authenticate the client either via Kerberos or NTLM (v1 or v2). With this security update MS15-027 applied, depending on how your clients authenticate to AD, they are unable to properly authenticate to the Isilon cluster.
So, it's not a change or configuration you need to check on the cluster, it's the allowed authentication in AD.
In our case, we mandate Kerberos only, but allow some clients to fall back to NTLM, as some are on networks that cannot reach time servers, and others are on remote networks and have clock skew that prevents Kerberos (scientific data collection instruments). These clients are the ones we have to remediate, as they cannot reach the cluster to access user home directories at logon. Other clients that use Kerberos are not affected.
Let us know if that helps!
Karl
chjatwork (2 Intern, 356 Posts), March 16th, 2015 04:00
Karl,
So I get from this that this issue solely resides with the AD domain controller? If the AD admin has configured a policy that allows some systems to authenticate using any version of NTLM, then those systems will NOT be able to access the Isilon cluster(s) if they (the Isilon cluster(s)) have not been patched with this new patch that has not yet been released? So many clients using their Windows 7 or 8 workstations will not be affected by this? Only the legacy systems, for the most part, whose only mode of authentication is NTLM? I think I got it. Just confirm for me.
Thank you,
umichklewis (3 Apprentice, 1.2K Posts), March 16th, 2015 05:00
Yes - that's exactly it!
Some AD environments don't enforce Kerberos-only, and will allow a client to negotiate down to NTLM v2 or even NTLM v1. It is these clients that are affected, if your Isilon cluster is not yet patched with the soon-to-be-released update. Until those clients authenticate via Kerberos or the cluster is updated, the clients cannot contact the cluster.
Hope this helps!
Karl
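Added example, not from any poster in this thread: one way to list the clients that fall back to NTLM is to read exported Security logon events (ID 4624) and group the NTLM ones by workstation. The `<Events>` wrapper, hostnames and user names below are constructed sample data; the `Data` field names are those of the 4624 event.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def _event(pkg, lm, host, user):
    # Build one constructed 4624 event in the Windows event XML layout.
    data = {"TargetUserName": user, "AuthenticationPackageName": pkg,
            "LmPackageName": lm, "WorkstationName": host}
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>4624</EventID></System>'
            f'<EventData>{body}</EventData></Event>')

# Constructed sample events (hostnames and users are made up).
SAMPLE = "<Events>" + "".join([
    _event("Kerberos", "-", "WS-WIN7-01", "alice"),
    _event("NTLM", "NTLM V2", "INSTR-LAB-07", "svc_collect"),
    _event("NTLM", "NTLM V1", "INSTR-FIELD-02", "svc_collect"),
    _event("NTLM", "NTLM V2", "INSTR-LAB-07", "bob"),
]) + "</Events>"

def ntlm_clients(xml_text):
    """Map workstation -> {'versions': set, 'users': set} for NTLM logons."""
    found = defaultdict(lambda: {"versions": set(), "users": set()})
    for ev in ET.fromstring(xml_text).iterfind("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4624":
            continue
        fields = {d.get("Name"): (d.text or "")
                  for d in ev.iterfind("e:EventData/e:Data", NS)}
        if fields.get("AuthenticationPackageName", "").upper() != "NTLM":
            continue  # Kerberos logons are the unaffected clients
        host = fields.get("WorkstationName") or "(unknown)"
        found[host]["versions"].add(fields.get("LmPackageName", "-"))
        found[host]["users"].add(fields.get("TargetUserName", ""))
    return dict(found)

if __name__ == "__main__":
    # Print each NTLM client with the NTLM versions and accounts seen.
    for host, info in sorted(ntlm_clients(SAMPLE).items()):
        print(host, sorted(info["versions"]), sorted(info["users"]))
```

The workstations it reports are the ones to move to Kerberos or to plan around until the cluster update is applied.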