Last modified Jan 25, 2017
Create a Kerberized cluster

Follow these procedures to set up a Kerberized ScaleArc cluster:

Make sure you have ScaleArc version 3.11.0.1 installed and running for this configuration. For Kerberos implementation on AWS, click here.


Configure a hostname and VIP 

Kerberos authentication uses hostnames to identify machines and services in the domain. This requires a valid and unique hostname for the VIP on the ScaleArc machine. 

Create a hostname (DNS setup)

Follow these steps:

  1. Open DNS manager on the AD server.
  2. Navigate to the domain name and right-click it.
  3. Select New Host from the drop-down menu.


  4. Enter a new hostname; for example, scale-test. The FQDN for the record appears in the field. 



  5. Next, enter the IP address associated with the hostname. 
  6. Select "Create associated pointer (PTR) record". This creates a reverse name lookup record for the host.
  7. Click Add Host. At this time you should have both the forward and reverse lookup for the virtual IP set to hostname scale-test.

Configure VIP for Kerberos

This example configures a VIP for the Kerberized cluster. 

Follow these steps: 

  1. Click the Settings tab > Network Settings on the ScaleArc dashboard.



  2. Click Virtual IP.

  3. Select a subnet mask. 
  4. Enter the hostname that you created.

  5. Click Save.
  6. The address now appears on the screen. 


Configure Windows AD for delegation

ScaleArc supports constrained delegation, in which a user's identity and credentials are passed along only to explicitly specified servers or services.

Prerequisites 

To configure ScaleArc to use constrained delegation, make sure the following are in place:

  • The NTP server in ScaleArc is set to the same NTP server used by the Active Directory server of the KDC.
  • You have domain administrator account privileges.
  • Forward and reverse DNS lookup zones are configured correctly for the SQL Server and for ScaleArc (all virtual IPs).
  • The DNS server is the same one configured in Active Directory or on the authentication server in the Kerberos environment (the KDC).

Join ScaleArc as a machine account

Follow these steps to join ScaleArc as a machine account:

  1. Click the Settings tab > System Settings on the ScaleArc dashboard.



  2. Click the Windows AD Setup tab. 



  3. Select Machine Account. Then, complete the fields as follows:

    Field: Fully Qualified Domain Name (FQDN)
    Description: The FQDN of the domain that you want the ScaleArc appliance to join.
    Default/User input: Enter an appropriate domain name.

    Field: Workgroup
    Description: The workgroup that you want the ScaleArc appliance to join.
    Default/User input: Enter a valid workgroup name.

    Field: Active Directory (AD) Server
    Description: The FQDN (fully qualified domain name) of the Active Directory server on which the domain is configured. The server name should not include a trailing dot (".") unless you are using a valid DNS entry for the name.
    Default/User input: Enter the FQDN.

    Field: Administrative username
    Description: The username of the account that has the privilege to add the ScaleArc appliance to the domain as a machine account.
    Default/User input: Enter the username.

    Field: Password
    Description: The administrator password.
    Default/User input: Enter the password.

    Field: Advanced Settings
    Description: The button that launches a screen for additional configuration. This button appears only after you join.
    Default/User input: Click to open the related screen.


  4. Click Join to complete the setup. A successful join displays a confirmation dialog box. Click OK. Once connected, you can use Unjoin to leave the domain.



  5. Click Advanced Settings if you wish to add sub-domains. This is an optional setting.
  6. Enter one or more sub-domains and their corresponding AD servers. Click Add.


  7. The ScaleArc appliance now shows up in the Active Directory Users and Computers console. The join creates a machine account for the ScaleArc appliance, using the naming convention <hostname>$.

Set up Service Principal Name (SPN) for ScaleArc 

Next, set up an SPN for ScaleArc. An SPN is a unique identifier for a service on a network that uses Kerberos authentication. It consists of a service class, a host name, and a port. To create an SPN, use the setspn command-line utility.

Set up the Service Principal Name for ScaleArc on AD:

  1. Log in to the Active Directory server as a user with domain administrator privileges.
  2. From PowerShell, set the service principal name for ScaleArc on AD. Remember to specify the port correctly. In this example, the cluster listens on port 1433.

    Syntax
    setspn -A MSSQLSvc/<VIP_Hostname>.<domainname>:<port> <domain>\<ScaleArc hostname>$

    Example
    C:\>setspn -A MSSQLSvc/scale-test.krbs.com:1433 krbs\scale-pri$

Set up ScaleArc for delegation

  1. On the domain controller, access the Active Directory Users and Computers console.
  2. In the console tree, under Domain name, click Computers.

  3. Right-click the Web server, and then click Properties.
  4. On the Delegation tab, click Trust this computer for delegation to specified services only.
  5. Click Use any authentication protocol.  
  6. Click Add, and then click Users and Computers.


  7. Enter the domain user that has the necessary credentials to start and stop SQL services; then, click OK.



  8. From the Delegation tab, click Add. Then, click Users or Computers and enter the machine account name of the ScaleArc primary machine (for example, scale-pri$). Click Check Names and OK.



  9. Select the HOST and MSSQLSvc services for the VIP created earlier. Hold the Ctrl key to select multiple entries. Click OK.



  10. The entries appear on the Delegation tab. Click OK.
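
The following PowerShell is an added check, not part of this ScaleArc page, that confirms the SPN registration and the delegation state produced by the two preceding sections (SPN setup and delegation setup). It runs on a domain-joined Windows host with the ActiveDirectory RSAT module; the machine account scale-pri, the VIP host scale-test.krbs.com and port 1433 come from the page, while the domain controller name dc01.krbs.com is a placeholder.

```powershell
# Added verification script (not part of the ScaleArc documentation). Run it on a
# domain-joined Windows host that has the ActiveDirectory RSAT module.
# Assumed names: machine account scale-pri, VIP host scale-test.krbs.com,
# cluster port 1433, domain controller dc01.krbs.com (placeholder).
Import-Module ActiveDirectory

$machineAccount   = 'scale-pri'
$expectedSpn      = 'MSSQLSvc/scale-test.krbs.com:1433'
$domainController = 'dc01.krbs.com'

# 1. Clock skew beyond the KDC tolerance fails every ticket request, so compare
#    this host's clock with the domain controller (matches the NTP prerequisite).
w32tm /stripchart "/computer:$domainController" /samples:3 /dataonly

# 2. A duplicate SPN anywhere in the forest leaves the KDC unable to choose a
#    key for the service ticket; setspn -X -F lists duplicates forest-wide.
setspn -X -F

# 3. Read the SPN list and the delegation flags straight from the computer object.
$acct = Get-ADComputer -Identity $machineAccount -Properties servicePrincipalName,
    msDS-AllowedToDelegateTo, TrustedForDelegation, TrustedToAuthForDelegation

if ($acct.servicePrincipalName -notcontains $expectedSpn) {
    Write-Warning "$expectedSpn is not registered on $machineAccount"
}

# TrustedForDelegation is the UNCONSTRAINED setting ("Trust this computer for
# delegation to any service"); the procedure above must leave it off.
if ($acct.TrustedForDelegation) {
    Write-Warning "$machineAccount is trusted for unconstrained delegation"
}

# TrustedToAuthForDelegation corresponds to "Use any authentication protocol"
# (protocol transition), which the procedure above selects.
"Protocol transition enabled: $($acct.TrustedToAuthForDelegation)"

# The allowed target list should hold only the HOST and MSSQLSvc entries you
# added on the Delegation tab; anything else widens what ScaleArc can reach.
"Constrained delegation targets:"
$acct.'msDS-AllowedToDelegateTo' | Sort-Object
```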



Create a cluster

You are now ready to create a Kerberized cluster in ScaleArc.

Define a cluster for Kerberos

Follow these steps:

  1. On the ScaleArc dashboard, click the Clusters tab > Add Cluster button. 
  2. Locate the Network section. This is the first panel on the Create Cluster screen.



  3. Fill in the fields with valid information.
  4. Select the VIP address you created with the hostname for the field labeled Cluster Virtual IP Address.

    If you are a cloud customer, you can use All IP to set up the cluster. ScaleArc-based HA is not available in the cloud.

Provide database access

This is a two-step process:

Grant access to ScaleArc's machine account  

Follow these steps to grant minimum privileges to ScaleArc on SQL Server:

  1. From the machine running SQL Server, log in to SQL Server Management Studio.
  2. Connect to the server.
  3. Create a login for the ScaleArc machine account. Remember to add $ at the end of the login name (for example, krbs\scale-pri$).

  4. Right-click the login and select Properties.
  5. Under the Explicit tab, select the following permissions:
    1. View Any Definition
    2. View Server State
  6. Click OK.
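
As an added example that is not part of this ScaleArc page, the same minimum grant can be scripted and verified from PowerShell with Invoke-Sqlcmd (SqlServer module) under Windows authentication; the machine account krbs\scale-pri$ comes from the page, and the SQL Server instance name sql01.krbs.com is a placeholder.

```powershell
# Added example (not from the ScaleArc documentation): T-SQL equivalent of the
# Management Studio steps above, run through Invoke-Sqlcmd (SqlServer module).
# Assumed names: SQL instance sql01.krbs.com (placeholder), login krbs\scale-pri$.
Import-Module SqlServer

$instance = 'sql01.krbs.com'
$login    = 'krbs\scale-pri$'

$grant = @"
-- Create the login for the ScaleArc machine account only if it does not exist yet.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$login')
    CREATE LOGIN [$login] FROM WINDOWS;
-- Minimum server-level rights ScaleArc needs; nothing is granted on user databases.
GRANT VIEW ANY DEFINITION TO [$login];
GRANT VIEW SERVER STATE   TO [$login];
"@
Invoke-Sqlcmd -ServerInstance $instance -Query $grant

# Verify the explicit permissions. CONNECT SQL is granted automatically with the
# login, so it is filtered out; only the two grants above should remain.
$permQuery = @"
SELECT p.permission_name, p.state_desc
FROM sys.server_permissions AS p
JOIN sys.server_principals AS sp ON sp.principal_id = p.grantee_principal_id
WHERE sp.name = N'$login' AND p.permission_name <> 'CONNECT SQL';
"@
Invoke-Sqlcmd -ServerInstance $instance -Query $permQuery | Format-Table -AutoSize

# The machine account must not sit in a fixed server role such as sysadmin;
# this query should return no rows.
$roleQuery = @"
SELECT r.name AS server_role
FROM sys.server_role_members AS m
JOIN sys.server_principals AS r  ON r.principal_id  = m.role_principal_id
JOIN sys.server_principals AS sp ON sp.principal_id = m.member_principal_id
WHERE sp.name = N'$login';
"@
Invoke-Sqlcmd -ServerInstance $instance -Query $roleQuery | Format-Table -AutoSize
```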

Configure database access 

Follow these steps:

  1. On the ScaleArc dashboard, click the Clusters tab > Add Cluster button.
  2. Locate the Database Access section. This is the second panel on the Create Cluster screen.



  3. Configure the fields as follows:

    Field/Button: Use Kerberos authentication for ScaleArc administration
    Description: Ensures that the entire cluster runs in a complete, Kerberos-authenticated mode. When you select this option you do not need to enter a username and password, but make sure you have set up the minimum database privileges. If you deselect this option, you need to provide a username and password for ScaleArc to establish and administer the database connection using NTLM. Click here to review ScaleArc settings for Kerberos.
    Default/User input: This option is pre-selected if you have configured ScaleArc to join the domain as a machine account.

    Field/Button: Start Cluster After Setup
    Description: Determines whether the cluster automatically goes live following setup. A selected checkbox results in a live cluster at setup. When deselected, you need to start the cluster manually.
    Default/User input: Checkbox is pre-selected. Select or deselect the checkbox.


  4. Next, configure SSL (optional) and the database servers for the cluster.

Verify Kerberos Authentication Offload

A fully Kerberized cluster has the Kerberos Authentication Offload button set to ON when ScaleArc joins AD as a machine account and the Database Access option for Kerberos is pre-selected. Click here to review ScaleArc settings for Kerberos.

  1. Click Clusters > Status > Cluster Settings in the ScaleArc dashboard.



  2. Select the ScaleArc tab.
  3. Locate the Kerberos Authentication Offload button. Note that it is ON.

Comments

  1. CSS
    2017-02-25 03:46

    Meera Holla - Please note that anything with ** is required / important to add. Rest are nice to have (improvements)

    1. Under "Configure Windows AD for delegation > Prerequisites"
      --  Set the NTP server in ScaleArc to the one set on the Active Directory server of the KDC.
      Add a note saying →  "It is advisable to set Maximum tolerance for computer clock synchronization to a value of 5 minutes." 

      --  Ensure that forward and reverse DNS lookup zones are configured correctly for SQL server and ScaleArc (all virtual IP's).
      ** ScaleArc's hostname must be all lower case and must avoid special characters such as underscore or period.
    2. Join ScaleArc as a machine account
      -- 3) In the table
      Workgroup – Is the "Domain Netbios Name"
    3. Under Set up Service Principal Name (SPN) for ScaleArc 
      ** Must include below step as well
      SPN for AG Listener for AON setup using AG Listener
      Syntax
      Setspn -A MSSQLSvc/<AG LISTENER_Hostname>.<domainname>:<port> <domain\domain admin user>
      Example 
      setspn -A MSSQLSvc/aglsnr.krbs.com:1433 krbs\cls

      -- Example presented here does not maintain the same domain name nomenclature as above
    4. Set up ScaleArc for delegation
      -- Point 3)
      ** Should NOT be webserver, it is scalearc server
      -- point7)
      Has a step, "SELECT ALL > OK"
    5. Provide Database access
      ** This section should precede "Define a cluster for Kerberos"
      -- point 3) 
      Add this line  "Under Security > Logins > New Login "
