In order for Mac users using Kerberos to access SMB/CIFS reshares through Access Connect, delegation must be enabled in Active Directory. If your environment requires Kerberos authentication, you will need to update the Active Directory computer object for any Windows servers that are running Access Connect. The Access Connect server must be given permission to present delegated credentials to the SMB server on behalf of your users.
To enable Kerberos authentication:
Open Active Directory Users and Computers and locate the Windows server that you have Access Connect installed on. It is commonly found in the Computers folder.
Note: If the computer object for the server that is running Access Connect is not located in the default “Computers” container in Active Directory, it is necessary to edit the ActiveDirectoryComputers registry key so the Access Connect service can construct the correct distinguished name for the Access Connect server's computer object.
Once the key is configured, restart the Access Connect service and proceed with the steps below. If the Access Connect server's computer object is in the default “Computers” container, there is no need to configure this key and you can proceed with the steps below.
Right-click on the Access Connect server and select Properties.
Open the Delegation tab.
Select “Trust this computer for delegation to specified services only”.
Select “Use any authentication protocol”; this is required for negotiation with the SMB server.
You must now add any Windows servers or NAS devices that you would like your users to be able to access through reshare. Click Add… to search for these Windows computers in AD and add them. Select only the “cifs” service type.
Repeat these steps for all Access Connect servers for which you want to enable Kerberos authentication.
Note: It may take 15 to 20 minutes for these changes to propagate through the Active Directory forest.
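The Delegation tab steps above map onto three attributes of the server's computer object: “Trust this computer for delegation to specified services only” populates msDS-AllowedToDelegateTo, “Use any authentication protocol” sets the TrustedToAuthForDelegation flag, and the “cifs” selection restricts the list to SMB SPNs. The following PowerShell script is an added example, not part of the Access Connect documentation; it audits a computer object for exactly those settings so you can confirm the configuration (and that it has propagated) without opening the GUI. It assumes the RSAT ActiveDirectory module is installed, and the server and reshare target names are placeholders.

```powershell
# Added example (not from the Access Connect documentation): audit the
# Access Connect server's computer object for the delegation settings that
# the Delegation tab steps configure. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

# Placeholders: replace with your Access Connect server and the SMB servers
# or NAS devices it reshares.
$AccessConnectServer = 'ACCESSCONNECT01'
$ReshareTargets      = @('fs01.example.com', 'nas01.example.com')

function Test-ConstrainedDelegation {
    param(
        [Parameter(Mandatory)] [string]   $ComputerName,
        [Parameter(Mandatory)] [string[]] $ExpectedTargets
    )
    $props = 'msDS-AllowedToDelegateTo', 'TrustedForDelegation', 'TrustedToAuthForDelegation'
    $obj = Get-ADComputer -Identity $ComputerName -Properties $props

    $findings = @()

    # "Trust this computer for delegation to any service" (unconstrained)
    # is not what the steps above configure; flag it if it is set.
    if ($obj.TrustedForDelegation) {
        $findings += 'Unconstrained delegation is enabled; use "specified services only".'
    }

    # "Use any authentication protocol" is stored as TrustedToAuthForDelegation.
    if (-not $obj.TrustedToAuthForDelegation) {
        $findings += '"Use any authentication protocol" is not selected.'
    }

    $allowed = @($obj.'msDS-AllowedToDelegateTo')

    # Only the cifs service type should be in the list; any other service
    # type widens what the server can do with delegated credentials.
    foreach ($spn in $allowed) {
        if ($spn -notmatch '^cifs/') { $findings += "Non-cifs SPN allowed: $spn" }
    }

    # Each reshare target needs a cifs/ entry. AD usually stores both the short
    # name and the FQDN, so match on the host part only (case-insensitive).
    foreach ($target in $ExpectedTargets) {
        $pattern = "^cifs/$([regex]::Escape($target))(/|$)"
        if (-not ($allowed | Where-Object { $_ -match $pattern })) {
            $findings += "Missing cifs SPN for reshare target: $target"
        }
    }

    [pscustomobject]@{
        Computer  = $obj.Name
        Allowed   = $allowed
        Findings  = $findings
        Compliant = ($findings.Count -eq 0)
    }
}

Test-ConstrainedDelegation -ComputerName $AccessConnectServer -ExpectedTargets $ReshareTargets |
    Format-List
```

If the report lists a missing target shortly after you made the change, re-run it after the propagation window the note above describes before assuming the GUI step failed. The script only reads the directory; it does not change any delegation setting.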
Configurations for the Access Connect dedicated AD account:
Configuring the permissions
Open Active Directory Users and Computers and locate the Access Connect dedicated account object.
Right-click on it and select Properties.
Open the Security tab and press Advanced.
Note: The Security tab may not appear until Active Directory Users & Computers > View > Advanced Features is enabled.
Enter the name of the Access Connect dedicated account object and press OK.
Press Add and enter the name of the dedicated account object again and press OK.
In the Permission Entry dialog, select This object only in the Apply to field.
Select the Allow box for Write All properties and press OK.
Close all open dialogs by pressing OK.
Restart the Access Connect File and Print Server service.
Make sure that the Allow Kerberos Logons checkbox is enabled before proceeding with the next section. You can find it in Access Connect Administrator -> Settings -> File Server.
Configuring the delegation
Open Active Directory Users and Computers and locate the Access Connect dedicated account.
Right-click on it and select Properties.
Open the Delegation tab.
Select the Trust this user for delegation to specified services only radio button and the Use any authentication protocol radio button.
Press Add and enter the name of the machine where Access Connect is installed.
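The two procedures for the dedicated account grant it Write All properties on its own object (applied to This object only) and then configure constrained delegation on the user account. The following PowerShell script is an added example, not part of the Access Connect documentation; it checks both results directly in the directory: the ACE is a WriteProperty allow entry with an empty object type (all properties) and no inheritance (this object only), and the delegation settings are the user-account counterparts of the computer-object settings in the first section. It assumes the RSAT ActiveDirectory module is installed, and the account and server names are placeholders.

```powershell
# Added example (not from the Access Connect documentation): verify the
# dedicated account's self-write permission and its delegation settings.
Import-Module ActiveDirectory

# Placeholders: replace with the dedicated account's sAMAccountName and the
# machine where Access Connect is installed.
$DedicatedAccount    = 'svc-accessconnect'
$AccessConnectServer = 'ACCESSCONNECT01'

function Test-SelfWriteAllProperties {
    param([Parameter(Mandatory)] [string] $SamAccountName)
    $user = Get-ADUser -Identity $SamAccountName -Properties DistinguishedName
    # The AD: drive is provided by the ActiveDirectory module.
    $acl  = Get-Acl -Path "AD:\$($user.DistinguishedName)"
    $writeProperty = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

    $ace = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band $writeProperty) -eq $writeProperty) -and
        $_.ObjectType -eq [guid]::Empty -and         # "Write All properties", not one attribute
        $_.InheritanceType -eq 'None' -and           # "This object only"
        $_.IdentityReference.Value -match "\\$([regex]::Escape($SamAccountName))$"
    }
    [bool]$ace
}

function Test-UserConstrainedDelegation {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [string] $ServerName
    )
    $props = 'msDS-AllowedToDelegateTo', 'TrustedForDelegation', 'TrustedToAuthForDelegation'
    $user  = Get-ADUser -Identity $SamAccountName -Properties $props
    $findings = @()

    if ($user.TrustedForDelegation) {
        $findings += 'Unconstrained delegation is enabled; use "specified services only".'
    }
    if (-not $user.TrustedToAuthForDelegation) {
        $findings += '"Use any authentication protocol" is not selected.'
    }
    # The last step above adds the Access Connect machine as the delegation
    # target; check that at least one allowed SPN points at that host.
    $allowed = @($user.'msDS-AllowedToDelegateTo')
    $pattern = "^[^/]+/$([regex]::Escape($ServerName))(\.|/|$)"
    if (-not ($allowed | Where-Object { $_ -match $pattern })) {
        $findings += "No delegation entry for $ServerName."
    }

    [pscustomobject]@{
        Account   = $user.SamAccountName
        Allowed   = $allowed
        Findings  = $findings
        Compliant = ($findings.Count -eq 0)
    }
}

[pscustomobject]@{
    SelfWriteAllProperties = Test-SelfWriteAllProperties -SamAccountName $DedicatedAccount
}
Test-UserConstrainedDelegation -SamAccountName $DedicatedAccount -ServerName $AccessConnectServer |
    Format-List
```

Run it as a user who can read the account's security descriptor. A false result from Test-SelfWriteAllProperties usually means the ACE was applied to “This object and all descendant objects” or to a single attribute rather than to all properties, which is the difference the Apply to field in the permission entry controls.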