  • 19 September 2024 at 08:44 UTC
  • InformatiWeb
  • 1/3

Create a NFS 4.1 datastore on VMware vSphere 6.7

On VMware vSphere 6.7, you can use NFS 4.1 datastores to benefit from Kerberos authentication (krb5 or krb5i).
This was not the case with NFS 3 which was not secure and therefore had to be used on a separate network for security reasons.

However, NFS 4.1 has additional prerequisites compared to NFS 3.

  1. Advantages and disadvantages of NFS 4.1
    1. Advantages of NFS 4.1
    2. Disadvantages of NFS 4.1
    3. Compatibility with NFS 4.1
  2. Configuring DNS on the desired VMware ESXi host
  3. Synchronize your VMware ESXi host clock with your domain controller
  4. Join the VMware ESXi host to your Active Directory domain (to use Kerberos authentication)
  5. Configure Kerberos authentication for NFS 4.1
  6. Install an NFS server
  7. Create an NFS 4.1 share on Windows Server 2016
  8. Create an NFS 4.1 datastore from the VMware vSphere Client
  9. Mount an NFS 4.1 datastore on a 2nd VMware ESXi host
  10. Unmount an NFS 4.1 datastore from the VMware vSphere Client

1. Advantages and disadvantages of NFS 4.1

1.1. Advantages of NFS 4.1

The main advantages of NFS 4.1 are:

  • Kerberos authentication (which allows NFS to be used securely), unlike NFS v3, where no authentication is required.
  • multipathing (which increases performance)

1.2. Disadvantages of NFS 4.1

The main disadvantages of NFS 4.1 are that it requires more configuration and that some vSphere features supported with NFS 3 are not supported with it.

1.3. Compatibility with NFS 4.1

NFS 3 and NFS 4.1 are compatible with these VMware vSphere features:

  • vMotion and Storage vMotion: hot or cold virtual machine migration (in summary).
  • High Availability (HA): high availability.
  • Fault Tolerance (FT): provides fault tolerance by keeping an up-to-date copy of your virtual machine, so that it can be restored if the source VMware ESXi host where your VM was running crashes.
  • Distributed Resource Scheduler (DRS): allows you to distribute the workload based on available resources.
  • Host Profiles: allows you to configure multiple hosts at once using a host profile.
  • Virtual Volumes: allows you to use virtual disk containers for storage (vSAN).
  • vSphere Replication: allows you to create a backup environment by also replicating all your virtual machines.
  • vRealize Operations Manager: allows you to manage your physical, virtual and cloud infrastructure (including your VMs, ...) centrally.

However, these features will not be supported if you use NFS 4.1:

  • Storage DRS: allows you to balance the I/O load on the datastores of a cluster.
  • Storage I/O Control: helps avoid latency on your datastores by limiting I/O if the defined threshold is exceeded.
  • Site Recovery Manager: allows you to create a disaster recovery plan.

Warning: the locking system used by NFS 3 is not the same as the one used by NFS 4.1.
So do not try to create an NFS 3 share on your NFS server to mount it in NFS 4.1 on VMware vSphere (or vice versa), as this could create problems and data corruption.

Source: NFS Protocols and ESXi - VMware Docs.

2. Configuring DNS on the desired VMware ESXi host

To use NFS 4.1 securely, you need Kerberos authentication.

For this to be possible, it is first necessary that:

  • the host on which you want to add an NFS 4.1 datastore is linked to an Active Directory domain.
  • your VMware ESXi host is configured to use your local DNS server (where the DNS zone for your Active Directory domain is located).
  • your host's clock is synchronized with that of your Active Directory domain controller.

Sources:

  • Configure ESXi Hosts for Kerberos Authentication - VMware Docs
  • Using Kerberos for NFS 4.1 - VMware Docs

To do this, select the desired VMware ESXi host and go to: Configure -> Networking -> TCP/IP configuration.
Next, select the "Default" TCP/IP stack and click: Edit.

In the "Default - Edit TCP/IP Stack Configuration" window that appears, make sure that the preferred DNS server matches the IP address of your Active Directory domain controller (or your local DNS server which knows the DNS zone of your AD domain).
Preferably, also indicate your Active Directory domain name in the "Domain" and "Search domains" fields.

Do the same on other VMware ESXi hosts on which you want to mount NFS 4.1 datastores.

3. Synchronize your VMware ESXi host clock with your domain controller

For the Kerberos authentication required for the NFS 4.1 protocol to work correctly, it is essential that the clock of your VMware ESXi host is synchronized with that of your domain controller.
To do this, select your VMware ESXi host and go to "Configure -> System -> Time Configuration".
Then click: Edit.

Important: a difference of more than 5 minutes between the 2 clocks will cause Kerberos authentication problems and therefore problems when adding or using your NFS 4.1 datastores.

In the "Edit Time Configuration" window that appears, select "Use Network Time Protocol (Enable NTP client)" and fill in the proposed fields:

  • NTP Servers: the IP address of your Active Directory domain controller.
    If you have several Active Directory domain controllers, make sure that the one indicated is the one with the FSMO role "PDC emulator (Primary Domain Controller emulator)".
  • NTP Service Status: check the "Start NTP Service" box.
  • NTP Service Startup Policy: Start and stop with host.

Your VMware ESXi host is now configured to synchronize its clock with that of your Active Directory domain controller.

Do the same on other hosts where you want to use NFS 4.1 datastores.
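
To check the 5-minute limit before attempting a Kerberos mount, the added example below (not part of the original tutorial) sends one SNTP request to the domain controller and compares its answer with the clock of the machine running the script. It assumes the domain controller answers SNTP on UDP port 123; the function names are hypothetical and the sample reply is constructed so the check also runs offline.

```python
import socket
import struct
import time

NTP_EPOCH_DELTA = 2208988800   # seconds between 1900-01-01 (NTP) and 1970-01-01 (Unix)
MAX_SKEW_SECONDS = 5 * 60      # the 5-minute limit stated in this section


def parse_transmit_time(reply: bytes) -> float:
    """Return the server's transmit timestamp from an SNTP reply as Unix time."""
    if len(reply) < 48:
        raise ValueError("SNTP reply shorter than 48 bytes")
    mode = reply[0] & 0x07
    if mode != 4:
        raise ValueError(f"not a server reply (mode {mode})")
    if reply[1] == 0:
        raise ValueError("stratum 0 (kiss-o'-death): server is not serving time")
    seconds, fraction = struct.unpack("!II", reply[40:48])
    return seconds - NTP_EPOCH_DELTA + fraction / 2**32


def skew_ok(reply: bytes, local_unix_time: float) -> tuple[float, bool]:
    """Return (skew in seconds, True if within the Kerberos tolerance)."""
    skew = local_unix_time - parse_transmit_time(reply)
    return skew, abs(skew) <= MAX_SKEW_SECONDS


def query_domain_controller(host: str, timeout: float = 3.0) -> tuple[float, bool]:
    """Send one SNTP client request (version 3, mode 3) to host over UDP/123."""
    request = b"\x1b" + 47 * b"\0"
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, 123))
        reply, _ = sock.recvfrom(512)
    return skew_ok(reply, time.time())


def make_sample_reply(server_unix_time: float) -> bytes:
    """Constructed sample reply (LI=0, VN=3, mode=4, stratum 2) for offline runs."""
    header = struct.pack("!BBbb", 0x1C, 2, 6, -20) + 36 * b"\0"
    secs = int(server_unix_time) + NTP_EPOCH_DELTA
    return header + struct.pack("!II", secs, 0)


if __name__ == "__main__":
    now = 1_726_735_440.0  # constructed local clock reading
    for drift in (12, 301):
        skew, ok = skew_ok(make_sample_reply(now - drift), now)
        print(f"skew {skew:+.0f}s -> {'OK' if ok else 'Kerberos will fail'}")
```

The result reflects the clock of the machine that runs the script, so run it from a system that uses the same time source as the host you are preparing, passing the domain controller's address to `query_domain_controller`.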

4. Join the VMware ESXi host to your Active Directory domain (to use Kerberos authentication)

Now that the previous prerequisites have been configured, you can join your VMware ESXi host to your Active Directory domain.
To do this, select your VMware ESXi host and go to "Configure -> System -> Authentication Services" and click: Join domain.

Specify the domain name you want to join, then select the "Using credentials" option and provide the credentials that have the necessary rights to join a computer or server to your Active Directory domain.
In our case, we will use the administrator of our Active Directory domain.

  • User name: Administrator@informatiweb.lan.
  • Password: the password of this account.

Once your host is joined to your Active Directory domain, you will see that the directory service type is "Active Directory" and you will see your domain name appear in the "Domain Settings" section.

Do the same thing on your other VMware ESXi hosts if necessary.

5. Configure Kerberos authentication for NFS 4.1

For Kerberos authentication used by the NFS 4.1 protocol, you can use an existing account or create a single user on your Active Directory domain controller.
In our case, we created a simple user named: ESXi_NFS_User.

Next, in the VMware vSphere Client, select your VMware ESXi host and go to "Configure -> System -> Authentication Services".
At the bottom of the page, you'll find a "NFS Kerberos Credentials" section.
Click the "Edit" button on the right.

In the "Edit NFS Kerberos Credentials" window that appears, specify:

  • Username: a user from your Active Directory who also has the necessary rights to your NFS share.
    Note: we will create this NFS share later in this tutorial.
  • Password: this user's password.
  • Confirm password: same.

Warning: as noted in this window, the credentials specified here will not be tested.
This information will only be used when you attempt to add an NFS 4.1 datastore to your VMware ESXi host by enabling Kerberos authentication.

As you can see, the NFS Kerberos authentication status is now enabled and the desired username appears.

Again, do this same configuration on other hosts where you want to use NFS 4.1 datastores, if applicable.

6. Install an NFS server

In a business environment, you will use a NAS supporting the NFS 4.1 protocol.
However, in a test environment, you can install an NFS server on Linux or preferably on Windows Server (as is the case here).

In our case, we installed an NFS server under Windows Server 2016.
To do this, open Server Manager, then launch the Add Roles and Features Wizard.
In the "Server Roles" step, expand the "File and Storage Services -> File and iSCSI Services" node and check the "Server for NFS" box.

Once the NFS server is installed, go to the "File and Storage Services" section of the Server Manager.

Next, in the "Servers" section, right-click the name of your NFS server and click "NFS Settings".

As you can see in the "Protocol Versions" section, Windows Server 2016 supports NFS versions 2, 3 and 4.1.

® InformatiWeb-Pro.net - InformatiWeb.net 2008-2022 - © Lionel Eppe - All rights reserved.

Total or partial reproduction of this site is prohibited and constitutes an infringement punishable by articles L.335-2 and following of the intellectual property Code.