With NFS version 4.1, ESXi supports the Kerberos authentication mechanism. The ESXi implementation of Kerberos for NFS 4.1 provides two security models, krb5 and krb5i, that offer different levels of security.

The RPCSEC_GSS Kerberos mechanism is an authentication service. It allows an NFS 4.1 client installed on ESXi to prove its identity to an NFS server before mounting an NFS share. The Kerberos security uses cryptography to work across an insecure network connection.

ESXi supports the following two security models:
  • Kerberos for authentication only (krb5) supports identity verification.
  • Kerberos for authentication and data integrity (krb5i), in addition to identity verification, provides data integrity services. These services help to protect the NFS traffic from tampering by checking data packets for any potential modifications.

Kerberos supports cryptographic algorithms that prevent unauthorized users from gaining access to NFS traffic. The NFS 4.1 client on ESXi attempts to use either the AES256-CTS-HMAC-SHA1-96 or the AES128-CTS-HMAC-SHA1-96 algorithm to access a share on the NAS server. Before using your NFS 4.1 datastores, make sure that at least one of AES256-CTS-HMAC-SHA1-96 and AES128-CTS-HMAC-SHA1-96 is enabled on the NAS server.

The following table compares Kerberos security levels that ESXi supports.

Type of Kerberos Security                                   ESXi Support
Kerberos for authentication only (krb5)
  Integrity checksum for RPC header                         Yes with AES
  Integrity checksum for RPC data                           No
Kerberos for authentication and data integrity (krb5i)
  Integrity checksum for RPC header                         Yes with AES
  Integrity checksum for RPC data                           Yes with AES

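To make the difference between the two models concrete, here is an added Python illustration (not ESXi or NFS client code) of what the checksums in the list and table above cover. It models the integrity checksum as HMAC-SHA1 truncated to 96 bits, matching the SHA1-96 suffix of the AES enctypes named above; the key, RPC header and payload bytes are constructed for the demo, and the real RPCSEC_GSS framing and Kerberos key derivation are simplified away.

```python
"""Simplified model of what krb5 and krb5i protect in an RPC message.

Added illustration, not ESXi or NFS code. The integrity checksum is
HMAC-SHA1 truncated to 96 bits (the "-SHA1-96" part of the enctype
names). Real RPCSEC_GSS derives the key from the Kerberos session key
and wraps the RPC body per RFC 2203; key and messages here are constructed.
"""
import hashlib
import hmac
import os

CHECKSUM_LEN = 12  # 96 bits, as in the *-HMAC-SHA1-96 enctype names


def checksum(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA1 truncated to 96 bits."""
    return hmac.new(key, data, hashlib.sha1).digest()[:CHECKSUM_LEN]


def protect(key: bytes, header: bytes, payload: bytes, flavor: str) -> dict:
    """Build a message the way each security flavor covers it.

    krb5:  checksum covers the RPC header only (proves who sent the call).
    krb5i: checksum covers header and payload (also protects the NFS data).
    """
    if flavor == "krb5":
        covered = header
    elif flavor == "krb5i":
        covered = header + payload
    else:
        raise ValueError(f"unknown flavor {flavor!r}")
    return {"flavor": flavor, "header": header, "payload": payload,
            "mic": checksum(key, covered)}


def verify(key: bytes, msg: dict) -> bool:
    """Recompute the checksum the receiver checks; constant-time compare."""
    if msg["flavor"] == "krb5":
        covered = msg["header"]
    else:
        covered = msg["header"] + msg["payload"]
    return hmac.compare_digest(checksum(key, covered), msg["mic"])


def tamper_payload(msg: dict, new_payload: bytes) -> dict:
    """Model an on-path modification of the NFS data, header untouched."""
    changed = dict(msg)
    changed["payload"] = new_payload
    return changed


def detection_matrix(key: bytes) -> dict:
    """Return, per flavor, whether header and data tampering are detected."""
    header = b"RPC:NFS4:WRITE:xid=0x1234"  # constructed RPC header
    payload = b"data=hello-datastore"      # constructed NFS payload
    results = {}
    for flavor in ("krb5", "krb5i"):
        msg = protect(key, header, payload, flavor)
        if not verify(key, msg):
            raise RuntimeError("untampered message must verify")
        data_modified = tamper_payload(msg, b"data=HELLO-datastore")
        hdr_modified = dict(msg, header=b"RPC:NFS4:WRITE:xid=0x9999")
        results[flavor] = {
            "detects_header_tampering": not verify(key, hdr_modified),
            "detects_data_tampering": not verify(key, data_modified),
        }
    return results


if __name__ == "__main__":
    session_key = os.urandom(32)  # stands in for the Kerberos session key
    for name, outcome in detection_matrix(session_key).items():
        print(name, outcome)
```

Running it shows why krb5 alone does not meet a tampering threat model: the header-only checksum still verifies after the payload has been altered, while krb5i rejects the modified message.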
When you use Kerberos authentication, the following considerations apply:
  • ESXi uses Kerberos with the Active Directory domain.
  • As a vSphere administrator, you specify Active Directory credentials to provide access to NFS 4.1 Kerberos datastores for an NFS user. A single set of credentials is used to access all Kerberos datastores mounted on that host.
  • When multiple ESXi hosts share the NFS 4.1 datastore, you must use the same Active Directory credentials for all hosts that access the shared datastore. To automate the assignment process, set the user in host profiles and apply the profile to all ESXi hosts.
  • You cannot use both security mechanisms, AUTH_SYS and Kerberos, for the same NFS 4.1 datastore shared by multiple hosts.

Configure ESXi Hosts for Kerberos Authentication

If you use NFS 4.1 with Kerberos, you must perform several tasks to set up your hosts for Kerberos authentication.

When multiple ESXi hosts share the NFS 4.1 datastore, you must use the same Active Directory credentials for all hosts that access the shared datastore. You can automate the assignment process by setting the user in host profiles and applying the profile to all ESXi hosts.

Prerequisites

  • Make sure that Microsoft Active Directory (AD) and NFS servers are configured to use Kerberos.
  • Enable AES256-CTS-HMAC-SHA1-96 or AES128-CTS-HMAC-SHA1-96 encryption modes on AD. The NFS 4.1 client does not support the DES-CBC-MD5 encryption mode.
  • Make sure that the NFS server exports are configured to grant full access to the Kerberos user.

Configure DNS for NFS 4.1 with Kerberos

When you use NFS 4.1 with Kerberos, you must change the DNS settings on ESXi hosts. The settings must point to the DNS server that is configured to hand out DNS records for the Kerberos Key Distribution Center (KDC). For example, use the Active Directory server address if AD is used as a DNS server.

Procedure

  1. In the vSphere Client, navigate to the ESXi host.
  2. Click the Configure tab.
  3. Under Networking, click TCP/IP configuration.
  4. Select Default and click the Edit icon.
  5. Manually enter the DNS settings.
    Option                 Description
    Domain                 AD Domain Name
    Preferred DNS server   AD Server IP
    Search domains         AD Domain Name

Configure Network Time Protocol for NFS 4.1 with Kerberos

If you use NFS 4.1 with Kerberos, the ESXi hosts, the NFS server, and the Active Directory server need to be time synchronized. Typically, the Active Directory server is used as the Network Time Protocol (NTP) server in this setup.

The following task describes how to synchronize the ESXi host with the NTP server.

The best practice is to use the Active Directory server as the NTP server.

Procedure

  1. In the vSphere Client, navigate to the ESXi host.
  2. Click the Configure tab.
  3. Under System, select Time Configuration.
  4. Click Edit and set up the NTP server.
    1. Select Use Network Time Protocol (Enable NTP client).
    2. To synchronize with the NTP server, enter its IP address.
    3. Select Start NTP Service.
    4. Set the NTP Service Startup Policy.
  5. Click OK.
    The host synchronizes with the NTP server.
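As an added check (not part of the page's procedure or of ESXi), the following Python script measures the clock offset between the machine it runs on and an NTP server with a single RFC 5905 request, and compares the result with the 300-second clock skew that Kerberos implementations tolerate by default (MIT krb5's clockskew setting and the Windows "Maximum tolerance for computer clock synchronization" policy). The server name, the 2-second timeout, and the constructed reply used by the offline demo are assumptions.

```python
"""Measure clock offset against an NTP server and compare it with the
default Kerberos clock skew tolerance.

Added example, not ESXi code. Packet layout follows RFC 5905; the
server reply in the offline demo is constructed.
"""
import socket
import struct
import time

NTP_EPOCH_OFFSET = 2208988800   # seconds between 1900-01-01 and 1970-01-01
KERBEROS_MAX_SKEW = 300.0       # default Kerberos tolerance, in seconds
NTP_FORMAT = "!BBBb3I4Q"        # 48-byte NTP header: flags, 3 words, 4 timestamps


def to_ntp(unix_seconds: float) -> int:
    """Unix time -> 64-bit NTP timestamp (32.32 fixed point)."""
    whole, frac = divmod(unix_seconds + NTP_EPOCH_OFFSET, 1)
    return (int(whole) << 32) | int(frac * (1 << 32))


def from_ntp(ntp_ts: int) -> float:
    """64-bit NTP timestamp -> Unix time in seconds."""
    return (ntp_ts >> 32) + (ntp_ts & 0xFFFFFFFF) / (1 << 32) - NTP_EPOCH_OFFSET


def build_request(t1: float) -> bytes:
    """Client packet: LI=0, VN=4, Mode=3, transmit timestamp = t1."""
    return struct.pack(NTP_FORMAT, 0x23, 0, 0, 0, 0, 0, 0, 0, 0, 0, to_ntp(t1))


def make_reply(t1: float, t2: float, t3: float, stratum: int = 2) -> bytes:
    """Constructed server reply (Mode=4) used by the offline demo."""
    return struct.pack(NTP_FORMAT, 0x24, stratum, 0, 0, 0, 0, 0,
                       to_ntp(t2), to_ntp(t1), to_ntp(t2), to_ntp(t3))


def parse_response(packet: bytes) -> dict:
    """Extract stratum and the origin/receive/transmit timestamps (Unix seconds)."""
    if len(packet) < 48:
        raise ValueError("short NTP packet")
    fields = struct.unpack(NTP_FORMAT, packet[:48])
    mode = fields[0] & 0x07
    if mode != 4:
        raise ValueError(f"expected server reply (mode 4), got mode {mode}")
    if fields[1] == 0:
        raise ValueError("stratum 0: kiss-o'-death or unsynchronized server")
    _ref, origin, receive, transmit = (from_ntp(x) for x in fields[7:11])
    return {"stratum": fields[1], "t1": origin, "t2": receive, "t3": transmit}


def clock_offset(t1: float, t2: float, t3: float, t4: float) -> float:
    """RFC 5905 offset: positive means the local clock is behind the server."""
    return ((t2 - t1) + (t3 - t4)) / 2.0


def within_kerberos_skew(offset: float, max_skew: float = KERBEROS_MAX_SKEW) -> bool:
    """True when the measured offset is inside the Kerberos tolerance."""
    return abs(offset) <= max_skew


def query(server: str, timeout: float = 2.0) -> dict:
    """Send one request over UDP/123 and return the measured offset."""
    t1 = time.time()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_request(t1), (server, 123))
        data, _ = sock.recvfrom(512)
    t4 = time.time()
    reply = parse_response(data)
    # The echoed origin timestamp must match what we sent; otherwise the
    # reply was not produced for this request.
    if abs(reply["t1"] - t1) > 1e-3:
        raise ValueError("origin timestamp mismatch; reply ignored")
    offset = clock_offset(t1, reply["t2"], reply["t3"], t4)
    return {"server": server, "stratum": reply["stratum"],
            "offset": offset, "ok": within_kerberos_skew(offset)}


if __name__ == "__main__":
    # Offline demo with a constructed reply: the local clock is 400 s behind.
    t1, t4 = 1700000000.0, 1700000000.02
    reply = parse_response(make_reply(t1, t1 + 400.01, t1 + 400.011))
    off = clock_offset(t1, reply["t2"], reply["t3"], t4)
    print(f"offset {off:.3f}s, within Kerberos skew: {within_kerberos_skew(off)}")
    # Live check (assumed server name): print(query("ad.example.local"))
```

Run the live query from the host whose clock should match the KDC; an offset outside the tolerance explains Kerberos failures that appear only after a reboot or a DST change, and the stratum value tells you whether the AD server is itself synchronized.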

Enable Kerberos Authentication in Active Directory

If you use NFS 4.1 storage with Kerberos, you must add each ESXi host to an Active Directory domain and enable Kerberos authentication. Kerberos integrates with Active Directory to enable single sign-on and provides an extra layer of security when used across an insecure network connection.

Prerequisites

Set up an AD domain and a domain administrator account with the rights to add hosts to the domain.

Procedure

  1. In the vSphere Client, navigate to the ESXi host.
  2. Click the Configure tab.
  3. Under System, click Authentication Services.
  4. Add the ESXi host to an Active Directory domain.
    1. In the Authentication Services pane, click Join Domain.
    2. Supply the domain settings, and click OK.
    The directory services type changes to Active Directory.
  5. Configure or edit credentials for an NFS Kerberos user.
    1. In the NFS Kerberos Credentials pane, click Edit.
    2. Enter a user name and password.
      Files stored in all Kerberos datastores are accessed using these credentials.
    The state for NFS Kerberos credentials changes to Enabled.

What to do next

After you configure your host for Kerberos, you can create an NFS 4.1 datastore with Kerberos enabled.