If you use NFS 4.1 with Kerberos, you must perform several tasks to set up your hosts for Kerberos authentication.

When multiple ESXi hosts share the same NFS 4.1 datastore, you must use the same Active Directory credentials for all hosts that access the shared datastore. You can automate this by setting the user in host profiles and applying the profile to all ESXi hosts.

Make sure that Microsoft Active Directory (AD) and NFS servers are configured to use Kerberos.

Enable DES-CBC-MD5 encryption mode on AD. The NFS 4.1 client supports only this encryption mode.

Make sure that the NFS server exports are configured to grant full access to the Kerberos user.


When you use NFS 4.1 with Kerberos, you must change the DNS settings on ESXi hosts to point to the DNS server that is configured to hand out DNS records for the Kerberos Key Distribution Center (KDC). For example, use the Active Directory server address, if AD is used as a DNS server.


If you use NFS 4.1 with Kerberos, configure Network Time Protocol (NTP) to make sure all ESXi hosts on the vSphere network are synchronized.


If you use NFS 4.1 storage with Kerberos, you must add each ESXi host to an Active Directory domain and enable Kerberos authentication. Kerberos integrates with Active Directory to enable single sign-on and provides an additional layer of security when used across an insecure network connection.

After you configure your host for Kerberos, you can create an NFS 4.1 datastore with Kerberos enabled.