Properties of AD Connection User for Azure Netapp Files

Question

I need to set up an ANF account with several volumes that will need to be mounted on Windows 2022 servers. I believe I understand most of the configuration that I need except for the active directory connection, specifically the user. In fact I'm pretty sure that I understand how to make it work, but I need to ask some questions to check my understanding and make sure I am making the right decisions.

1. I think I understand the need for access to AD: ANF needs to be able to create entities to represent the volumes it is sharing. Why is this done with a username and password though? Isn't this kind of application to application authorization usually done with a service principal? Or am I missing something?
2. Does ANF store the login credentials or use them once to grab a token and subsequently use that for authorization with AD? More to the point, if a particular user is used to set up the ANF-AD connection and that use is later removed from the directory, will ANF lose the access it needs to function?

I would appreciate any advice here. The examples I can find online mostly handwave questions about what kind of user account should be used for this function.

Answer 1

@Jay Bloodworth Welcome to Microsoft Q&A Forum, Thank you for posting your query here!

It sounds like you're on the right track with setting up your ANF account and understanding the Active Directory (AD) connection. Let's address your questions one by one:

Why is this done with a username and password instead of a service principal?

• The Azure NetApp Files (ANF) AD connection admin account must be an AD DS domain user account in the same domain where the Azure NetApp Files computer accounts are created. This account must have the permission to create computer accounts (for example, AD domain join) in the AD DS organizational unit path specified in the Organizational unit path option of the AD connection[1]. This is why a username and password are used instead of a service principal.

Does ANF store the login credentials or use them once to grab a token and subsequently use that for authorization with AD?

ANF uses the credentials to create computer accounts in AD DS. The AD connection admin account supports Kerberos AES-128 and AES-256 encryption types for authentication with AD DS for Azure NetApp Files computer account creation[1]. This means that the credentials are used to establish the connection and perform necessary operations.

If a particular user is used to set up the ANF-AD connection and that user is later removed from the directory, will ANF lose the access it needs to function?

Yes, if the user account used to set up the ANF-AD connection is removed from the directory, ANF will lose the access it needs to function. It is important to ensure that the user account remains active and has the necessary permissions to maintain the connection

For more detailed guidance, you can refer to the Microsoft Learn article on creating and managing Active Directory connections for Azure NetApp Files Create and manage Active Directory connections for Azure NetApp Files | Microsoft Learn

Answer 2

Hi Jay Bloodworth,

Thank you for posting in the Q&A Forums.

1. Why use username and password to connect to AD?

While service subjects (such as those in Azure AD) are a common authentication method in cloud environments, usernames and passwords are still a commonly used authentication method in scenarios that integrate with local AD. This is because many local AD environments have not yet fully migrated to a cloud identity management solution or continue to use traditional username and password authentication for security, compatibility, and ease of management reasons.

In the context of ANF integration with AD, usernames and passwords are used to establish a trust relationship that allows the ANF service to create and manage the necessary entities in AD (e.g., computer accounts and security descriptors for volumes) in order to properly share and manage storage volumes.

2. How does ANF handle stored login credentials?

ANF does not store plaintext passwords over time. Instead, it uses these credentials to establish an initial connection to the AD and may use them to obtain the necessary tokens or keys for subsequent authentication and authorization. Once a trust relationship has been established, the ANF may use more secure mechanisms (such as Kerberos tickets) to communicate with the AD on an ongoing basis.

3. If a user in the AD is deleted, does the ANF lose access?

If the AD user account used to establish the connection between the ANF and the AD is deleted, the ANF may lose the ability to communicate with the AD because it loses valid authentication credentials. This may result in the ANF being unable to properly manage or share storage volumes because it can no longer interact with AD as necessary.

To avoid this, it is recommended:

Use a dedicated AD user account to configure ANF integration with AD, rather than using a personal user account.

Ensure that this user account has the appropriate permissions in AD to perform the necessary actions.

Monitor the status of this user account and update or replace it as necessary.

Best regards

NeuviJ

============================================

If the Answer is helpful, please click "Accept Answer" and upvote it.