Introduction
Foldr uses NTLM as its default authentication type between the Foldr server and the backend file server when presenting SMB shares to users. Foldr server update 10.10.0.0 (6th May 2025) includes support for Kerberos authentication for SMB shares.
This is useful where IT administrators want to harden their network environment by disabling NTLM.
Requirements
- The Kerberos realm / Active Directory domain has been configured in Foldr Settings > Single Sign On > Kerberos. Note: Kerberos SSO does NOT need to be enabled for this feature to work.
- Share paths in Foldr are fully qualified or, where non-fully qualified paths are used, a suitable Search Domain is configured in the Appliance > Network tab
- Share paths are not configured using the IP address of the SMB server
- User passwords are being vaulted on the server
Enabling Kerberos Authentication for SMB
1. First, ensure the domain is configured in Foldr Settings > Single Sign On > Kerberos
Click Save Changes
2. If short / non-fully qualified share paths are being presented to users (Active Directory home folders or those configured in Files & Storage), ensure a suitable Search Domain is configured in Appliance > Network
3. Ensure the SMB share path is fully qualified
Note – A non-fully qualified share path may be used, provided a suitable Search Domain is configured (step 2). In this example a non-fully qualified path would be:
smb://server/marketing
4. Enable Kerberos authentication on the share. Click the Access tab in Foldr Settings > Files & Storage
5. Browse to the Advanced section and enable the toggle Use Kerberos for authentication
Click Save Changes
The configuration is now complete. The Foldr server will authenticate against the SMB share using Kerberos instead of NTLM.
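The share-path requirements above can be checked in bulk before the toggle is enabled on each share. The following Python check is an added example, not part of Foldr; the function names, the example.test domain and every sample path other than smb://server/marketing are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit


def classify_share_path(path, search_domain=None):
    """Classify one smb:// share path against the requirements listed above.

    Returns (status, host) where status is 'ok', 'needs-search-domain',
    'ip-address' or 'invalid'.
    """
    try:
        parts = urlsplit(path)
        host = parts.hostname
    except ValueError:  # e.g. a malformed bracketed IPv6 literal
        return ("invalid", path)
    if parts.scheme != "smb" or not host:
        return ("invalid", path)

    # Paths that use an IP address (IPv4 or bracketed IPv6) do not qualify.
    try:
        ipaddress.ip_address(host)
        return ("ip-address", host)
    except ValueError:
        pass

    if "." in host.rstrip("."):
        return ("ok", host)  # already fully qualified
    if search_domain:
        return ("ok", f"{host}.{search_domain}")  # short name + Search Domain
    return ("needs-search-domain", host)


def audit(paths, search_domain=None):
    """Return {path: (status, host)} for every path that is not 'ok'."""
    results = {p: classify_share_path(p, search_domain) for p in paths}
    return {p: r for p, r in results.items() if r[0] != "ok"}


# Constructed sample paths; only the first one appears in the page.
SAMPLE_PATHS = [
    "smb://server/marketing",
    "smb://fs01.example.test/marketing",
    "smb://10.0.0.5/finance",
    "smb://[fd00::5]/finance",
]

if __name__ == "__main__":
    for path, (status, host) in audit(SAMPLE_PATHS).items():
        print(f"{status:20} {path}")
```

Pass the Search Domain set in Appliance > Network as the second argument to see which short paths it resolves and which paths still need to be reconfigured.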