Network Reshare and Kerberos authentication

For Mac users who authenticate with Kerberos to reach SMB/CIFS reshares through Access Connect, Kerberos constrained delegation must be enabled in Active Directory. If your environment requires Kerberos authentication, update the Active Directory computer object of every Windows server that runs Access Connect so that the server is permitted to present delegated credentials to the SMB server on behalf of your users. Because the configuration below uses protocol transition ("Use any authentication protocol"), the Access Connect server can obtain service tickets in a user's name for every service you list, so limit the list to the cifs service on the reshare targets that are actually needed.

To enable Kerberos authentication:

  1. Open Active Directory Users and Computers and locate the Windows server that you have Access Connect installed on. It is commonly found in the Computers folder.
  2. Right-click on the Access Connect server and select Properties.
  3. Open the Delegation tab.
  4. Select “Trust this computer for delegation to specified services only”.
  5. Select “Use any authentication protocol”. This setting (protocol transition) is required for negotiation with the SMB server.
  6. You must now add every Windows server or NAS device that your users should be able to reach through a reshare. Click Add, search for those computers in AD and add them. Select only the “cifs” service type.
  7. Repeat these steps for all Access Connect servers for which you want to enable Kerberos authentication.

Note: It may take 15 to 20 minutes for these changes to propagate through the Active Directory forest.

Configuration of the Access Connect dedicated AD account:

Configuring the permissions

  1. Open Active Directory Users and Computers and locate the Access Connect dedicated account.
  2. Right-click on it and select Properties.
  3. Open the Security tab and press Add.
  4. Enter the name of the Access Connect dedicated account and press OK.
  5. Select the dedicated account and press Advanced.
  6. Press Add and enter the name of the dedicated account again and press OK.
  7. In the Permission Entry window, set the Applies to field to This object only.
  8. Select the Allow box for Write all permissions and press OK.
  9. Close all open dialogs by pressing OK.

Configuring the delegation

  1. Open Active Directory Users and Computers and locate the Access Connect dedicated account.
  2. Right-click on it and select Properties.
  3. Open the Delegation tab.
  4. Select the “Trust this user for delegation to specified services only” radio button and “Use any authentication protocol”.
  5. Press Add and enter the name of the machine on which Access Connect is installed.
  6. Select the cifs service and press OK.
  7. Press Apply and close all remaining dialogs.
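
The delegation settings from both procedures (the Access Connect server's computer object and the dedicated account), applied and verified with the ActiveDirectory PowerShell module instead of the ADUC dialogs. This is an added example, not code from the Access Connect documentation or product; the server, account and reshare target names are assumptions, and the module must be run with rights to modify those objects:

```powershell
# Added example (not from the Access Connect documentation): the ADUC delegation
# settings above, applied and verified from PowerShell with the ActiveDirectory module.
# Host and account names are placeholders (assumptions); replace them for your domain.
Import-Module ActiveDirectory

$accessConnectServer = 'ACCESSCONNECT01'                                  # Windows server running Access Connect
$dedicatedAccount    = 'svc-accessconnect'                                # Access Connect dedicated AD account
$reshareTargets      = @('FILESRV01.corp.example', 'NAS01.corp.example') # SMB/CIFS reshare targets

# ADUC registers both the FQDN and the short-name form of each selected service,
# so build the same pair for every target.
function Get-CifsSpns {
    param([string[]] $Hosts)
    foreach ($h in $Hosts) {
        "cifs/$h"
        "cifs/$($h.Split('.')[0])"
    }
}

# $Account is an ADComputer or ADUser object returned by Get-ADComputer / Get-ADUser.
function Set-ConstrainedDelegation {
    param(
        [Parameter(Mandatory)] $Account,
        [Parameter(Mandatory)] [string[]] $Spns
    )
    # "Trust this ... for delegation to specified services only": the allowed target
    # services live in msDS-AllowedToDelegateTo. -Replace keeps the list exact instead
    # of accumulating entries from earlier runs.
    Set-ADObject -Identity $Account.DistinguishedName -Replace @{ 'msDS-AllowedToDelegateTo' = $Spns }

    # "Use any authentication protocol" sets TRUSTED_TO_AUTH_FOR_DELEGATION (0x1000000)
    # in userAccountControl. This is protocol transition: the account can request a
    # cifs ticket for a user who never presented a Kerberos ticket to it, so the
    # target list above is the only thing bounding what it can reach.
    Set-ADAccountControl -Identity $Account -TrustedToAuthForDelegation $true

    # Unconstrained delegation must stay off; it would make the target list meaningless.
    Set-ADAccountControl -Identity $Account -TrustedForDelegation $false
}

# Computer object of the Access Connect server: delegate to cifs on the reshare targets.
$computer = Get-ADComputer -Identity $accessConnectServer
Set-ConstrainedDelegation -Account $computer -Spns (Get-CifsSpns $reshareTargets)

# Dedicated account: delegate to cifs on the Access Connect machine itself,
# as in "Configuring the delegation" above.
$user = Get-ADUser -Identity $dedicatedAccount
Set-ConstrainedDelegation -Account $user -Spns (Get-CifsSpns @($computer.DNSHostName))

# Verify what the domain controller will actually enforce for both objects.
foreach ($obj in $computer, $user) {
    Get-ADObject -Identity $obj.DistinguishedName -Properties msDS-AllowedToDelegateTo, userAccountControl |
        Select-Object Name,
            @{ n = 'ProtocolTransition'; e = { [bool]($_.userAccountControl -band 0x1000000) } },
            @{ n = 'Unconstrained';      e = { [bool]($_.userAccountControl -band 0x80000)   } },
            @{ n = 'AllowedTargets';     e = { $_.'msDS-AllowedToDelegateTo' -join ', ' } }
}

# Audit: every principal in the domain with protocol transition enabled (0x1000000 = 16777216).
# Each entry should be a known delegating service such as an Access Connect server; anything
# unexpected, or a target list wider than a few cifs/ SPNs, deserves a second look.
Get-ADObject -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=16777216)' -Properties msDS-AllowedToDelegateTo |
    Select-Object Name, @{ n = 'AllowedTargets'; e = { $_.'msDS-AllowedToDelegateTo' -join ', ' } }
```

The verification step reads the raw userAccountControl bits rather than trusting what the dialog showed, and the closing audit lists every account in the domain that has protocol transition turned on, which is the check worth repeating after any change to delegation settings. As with the ADUC procedure, allow the 15 to 20 minutes noted above for the change to replicate before testing from a Mac client.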