How to use Kerberos Active Directory authentication with AWS File Gateway SMB shares?

With security vulnerabilities like CVE-2022-26925, using NTLM exposes the domain controllers (DC) to relay attacks, so NTLM authentication is not recommended for Windows clients connecting to remote network shares such as File Gateway SMB shares. You can use Kerberos authentication with Active Directory to mitigate the risks of NTLM. To use Kerberos, you need to set a Service Principal Name (SPN) in Active Directory; clients then request Kerberos service tickets from the DC based on that SPN.
</grreplace>
<gr_replace lines="5-6" cat="clarify" orig="Service Principal Name (SPN) :">
Service Principal Name (SPN):
Quoting the Microsoft documentation here:

Service Principal Name (SPN) :
Referring from the Microsoft documentation here :
An SPN is a unique identifier that applications can use to request a service ticket instead of using the service account name. The Kerberos protocol implementation in Windows uses the SPN to retrieve a valid service account from Active Directory. In other words, an SPN is another type of identifier that can be assigned to an account in Active Directory.

You can set the SPN to a hostname that has an A record, and, on Windows Server 2016 and later, to the IPv4 address as well. In this article, I will use the hostname FQDN for the SPN. I will also show the steps to configure the hostname on the File Gateway local console.

Configure Hostname on File Gateway local console:
Connect to your gateway local console; depending on the hypervisor type, you can use the instructions here to connect to it. I am using an EC2-hosted file gateway, and once connected to the local console through SSH or through the EC2 Serial Console, you will see the console menu as below. Select 2: Network Configuration.

Next, select 3: Configure Hostname. Under Hostname Configuration, select 1: Static for the hostname acquisition mode. Then provide the hostname under Enter new static hostname and select y for Apply configuration.

Next, connect to your DNS server and create an A record pointing the above hostname to the gateway's IP address. You can refer here to create an A record for the above hostname.

Verify and Set SPN:
When you join the file gateway to the domain, a default SPN based on the Storage Gateway computer object name, which is its gateway ID (for example SGW-ABCD1234), is created. It is recommended to have a unique SPN for a specific computer object and to remove any duplicates. You can run the following commands from a command prompt on any Windows client that is joined to your AD domain.

  1. Query the existing SPN using the following command.
    setspn -Q HOST/SGW-ABCD1234
  2. Remove the existing/duplicate SPN using the following command.
    setspn -D HOST/SGW-ABCD1234 SGW-ABCD1234
  3. Create a new SPN for the hostname using the following command (replace <file-gateway-FQDN> with the static hostname you configured above; -S checks for duplicates before adding).
    setspn -S HOST/<file-gateway-FQDN> SGW-ABCD1234
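The same verify-and-set procedure as a single PowerShell script, added here as an example and not taken from the article or from AWS. It assumes the RSAT ActiveDirectory module is installed, that the gateway's computer object is SGW-ABCD1234 (the article's example ID), and that its A record is fgw01.corp.example.com (a constructed hostname); it goes one step beyond the article by refusing to register the SPN while the hostname does not resolve or while another account already holds the same SPN, both of which cause ticket requests to fail and clients to fall back to NTLM.

```powershell
# Added example (not from the original article): check and repair the SPN of a
# File Gateway computer object before clients try Kerberos against it.
# Assumptions: gateway computer account SGW-ABCD1234 (article's example ID) and
# constructed DNS name fgw01.corp.example.com. Needs rights to edit the object.
param(
    [string]$GatewayId   = 'SGW-ABCD1234',
    [string]$GatewayFqdn = 'fgw01.corp.example.com',
    [switch]$RemoveDefaultSpn      # also drop HOST/<gateway ID>, as in step 2 above
)
Import-Module ActiveDirectory

$spn        = "HOST/$GatewayFqdn"
$defaultSpn = "HOST/$GatewayId"

# 1. The hostname must resolve; an SPN for a name with no A record means the KDC
#    cannot match the principal and clients quietly fall back to NTLM.
if (-not (Resolve-DnsName -Name $GatewayFqdn -Type A -ErrorAction SilentlyContinue)) {
    throw "No A record found for $GatewayFqdn; create it on the DNS server first."
}

# 2. Show what is currently registered on the gateway computer object.
$computer = Get-ADComputer -Identity $GatewayId -Properties servicePrincipalName
Write-Host "Current SPNs on ${GatewayId}:"
$computer.servicePrincipalName | ForEach-Object { Write-Host "  $_" }

# 3. A duplicate SPN on another account leaves the KDC unable to pick a key, so
#    stop if any other object already claims HOST/<fqdn>.
$owners = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties servicePrincipalName
$others = @($owners | Where-Object { $_.DistinguishedName -ne $computer.DistinguishedName })
if ($others.Count -gt 0) {
    throw "Duplicate SPN $spn found on: $($others.DistinguishedName -join ', ')"
}

# 4. Optionally remove the default HOST/<gateway ID> SPN (article step 2).
if ($RemoveDefaultSpn -and $computer.servicePrincipalName -contains $defaultSpn) {
    Set-ADComputer -Identity $GatewayId -ServicePrincipalNames @{ Remove = $defaultSpn }
    Write-Host "Removed $defaultSpn from $GatewayId"
}

# 5. Register HOST/<fqdn> on the gateway object if it is not already there (article step 3).
if ($computer.servicePrincipalName -notcontains $spn) {
    Set-ADComputer -Identity $GatewayId -ServicePrincipalNames @{ Add = $spn }
    Write-Host "Added $spn to $GatewayId"
} else {
    Write-Host "$spn already registered on $GatewayId"
}

# 6. Confirm with the same tool the article uses; -L lists the object's SPNs and
#    -X scans the forest for duplicate SPNs.
setspn -L $GatewayId
setspn -X
```

Run it once without -RemoveDefaultSpn to review the current state, then with the switch if you want the HOST/SGW-ABCD1234 entry gone; the duplicate check in step 3 is the part worth keeping even if you prefer the bare setspn commands above.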

That completes setting the SPN for the file gateway computer object. You can change the Local Security Policy on the individual client, or apply a Group Policy Object, to set Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers to Deny All, as below.

To further validate and confirm that Kerberos authentication is being used, you can take a packet capture with Wireshark. Apply a capture filter of the form host followed by the gateway's IP address, then run the net use command or map the file share with the Map Network Drive wizard. In the Session Setup Request, under the SMB2 header and then Security Blob, you can see the Kerberos ticket in the session setup request, and similarly in the following Session Setup Response.
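A client-side check that covers both the NTLM policy step and the Kerberos validation step without a packet capture, added as an example rather than taken from the article. It assumes the constructed gateway hostname fgw01.corp.example.com and a placeholder share name; it reads the registry value that the "Restrict NTLM: Outgoing NTLM traffic to remote servers" policy sets, mounts the share by FQDN, and then looks in klist for a ticket naming the gateway, which is the same evidence the Session Setup Request shows in Wireshark.

```powershell
# Added example (not from the original article): on a domain-joined Windows client,
# verify that outgoing NTLM is denied and that the File Gateway share was mounted
# with a Kerberos ticket. Assumes constructed hostname fgw01.corp.example.com and a
# placeholder share name "share".
param(
    [string]$GatewayFqdn = 'fgw01.corp.example.com',
    [string]$ShareName   = 'share'
)

# (a) The policy "Network security: Restrict NTLM: Outgoing NTLM traffic to remote
#     servers" is stored as RestrictSendingNTLMTraffic under MSV1_0:
#     0 = allow all, 1 = audit all, 2 = deny all.
$lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$ntlm = (Get-ItemProperty -Path $lsaPath -Name RestrictSendingNTLMTraffic `
            -ErrorAction SilentlyContinue).RestrictSendingNTLMTraffic
switch ($ntlm) {
    2       { Write-Host    "Outgoing NTLM policy: Deny all" }
    1       { Write-Warning "Outgoing NTLM policy: Audit only; NTLM is still sent" }
    default { Write-Warning "Outgoing NTLM policy: not restricted (value: $ntlm)" }
}

# (b) Map the share by FQDN, not by IP address. With only a hostname SPN registered,
#     an IP-based UNC path cannot obtain a ticket and would need NTLM, which the
#     Deny-all policy above then blocks.
$unc = "\\$GatewayFqdn\$ShareName"
net use $unc /persistent:no | Out-Null
if ($LASTEXITCODE -ne 0) { throw "net use $unc failed (exit code $LASTEXITCODE)" }

# (c) klist lists the Kerberos tickets of the current logon session. SMB requests a
#     cifs/<fqdn> ticket, which the KDC serves from the HOST/<fqdn> SPN; a ticket
#     naming the gateway proves the session setup used Kerberos rather than NTLM.
$tickets = klist | Out-String
$pattern = "(cifs|host)/$([regex]::Escape($GatewayFqdn))"
if ($tickets -match $pattern) {
    Write-Host "Kerberos ticket for $GatewayFqdn is present:"
    ($tickets -split "`r?`n") | Where-Object { $_ -match $pattern }
} else {
    Write-Warning "No Kerberos ticket for $GatewayFqdn; the connection did not use Kerberos."
}

# (d) Any outgoing NTLM attempt that the policy audited or blocked is recorded in the
#     NTLM operational log (event ID 8001), useful for spotting clients or paths
#     that still try NTLM before switching the policy from Audit to Deny.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001 } `
    -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message

net use $unc /delete | Out-Null
```

Run this from a normal user session, not an elevated prompt, so that klist reports the logon session that actually mapped the share; a ticket for cifs/<fqdn> in its output corresponds to the Kerberos blob visible in the SMB2 Session Setup Request described above.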
