With NFS version 4.1, ESXi supports the Kerberos authentication mechanism.

Kerberos is an authentication service that allows an NFS 4.1 client installed on ESXi to prove its identity to an NFS server before mounting an NFS share. Kerberos uses cryptography to work across an insecure network connection. The vSphere implementation of Kerberos for NFS 4.1 supports only identity verification for the client and server, but does not provide data integrity or confidentiality services.

When you use Kerberos authentication, the following considerations apply:

  • ESXi uses Kerberos version 5 with an Active Directory domain and Key Distribution Center (KDC).

  • As a vSphere administrator, you specify Active Directory credentials that give an NFS user access to NFS 4.1 Kerberos datastores. A single set of credentials is used to access all Kerberos datastores mounted on that host.

  • When multiple ESXi hosts share the same NFS 4.1 datastore, you must use the same Active Directory credentials for all hosts that access the shared datastore. You can automate this by setting the user in host profiles and applying the profile to all ESXi hosts.

  • NFS 4.1 does not support simultaneous AUTH_SYS and Kerberos mounts.

  • NFS 4.1 with Kerberos does not support IPv6. Only IPv4 is supported.
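
The considerations above can be checked across a fleet before a datastore is rolled out. The following is an added example, not VMware code: it audits a constructed mount inventory for mismatched Active Directory users on a shared datastore, Kerberos mounts that target an IPv6 address, and a datastore mounted with both AUTH_SYS and Kerberos. The record fields, the `KRB5`/`AUTH_SYS` labels, and the reading of the "simultaneous mounts" rule as applying per datastore are assumptions of this example.

```python
import ipaddress
from collections import defaultdict, namedtuple

# One record per NFS 4.1 mount. Field names and the "KRB5"/"AUTH_SYS" labels
# are assumptions of this example, not an ESXi output format.
Mount = namedtuple("Mount", "host datastore server security ad_user")

# Constructed inventory (documentation-range addresses, made-up names).
MOUNTS = [
    Mount("esx01", "ds-krb", "192.0.2.10", "KRB5", "svc-nfs@EXAMPLE.TEST"),
    Mount("esx02", "ds-krb", "192.0.2.10", "KRB5", "svc-nfs2@EXAMPLE.TEST"),
    Mount("esx03", "ds-v6", "2001:db8::10", "KRB5", "svc-nfs@EXAMPLE.TEST"),
    Mount("esx01", "ds-mixed", "192.0.2.20", "KRB5", "svc-nfs@EXAMPLE.TEST"),
    Mount("esx02", "ds-mixed", "192.0.2.20", "AUTH_SYS", None),
    Mount("esx04", "ds-ok", "192.0.2.30", "KRB5", "svc-nfs@EXAMPLE.TEST"),
    Mount("esx05", "ds-ok", "192.0.2.30", "KRB5", "svc-nfs@EXAMPLE.TEST"),
]

def is_ipv6(server):
    """True only for an IPv6 literal; hostnames are not resolved here."""
    try:
        return ipaddress.ip_address(server).version == 6
    except ValueError:
        return False

def audit(mounts):
    """Return (rule, datastore, detail) findings for the listed constraints."""
    findings = []
    users = defaultdict(set)     # datastore -> AD users used for Kerberos
    flavors = defaultdict(set)   # datastore -> security types seen
    for m in mounts:
        flavors[m.datastore].add(m.security)
        if m.security != "KRB5":
            continue
        users[m.datastore].add(m.ad_user)
        if is_ipv6(m.server):
            findings.append(("kerberos-over-ipv6", m.datastore, m.host))
    for ds in sorted(users):
        if len(users[ds]) > 1:   # hosts sharing a datastore must use one user
            findings.append(("credential-mismatch", ds, sorted(users[ds])))
    for ds in sorted(flavors):
        if {"AUTH_SYS", "KRB5"} <= flavors[ds]:
            findings.append(("mixed-auth-sys-and-kerberos", ds, sorted(flavors[ds])))
    return findings

if __name__ == "__main__":
    for finding in audit(MOUNTS):
        print(finding)
```

A server given as a hostname is not flagged by the IPv6 check, so resolve names to addresses before building the inventory if that check matters.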