Last modified Oct 18, 2017
Create a Kerberized cluster


Follow these procedures to set up a Kerberized ScaleArc cluster:

Make sure ScaleArc version 3.11.x is installed and running before you begin this configuration. For the Kerberos implementation on AWS, click here.

Configure a hostname and VIP 

Kerberos authentication uses hostnames to identify machines and services in the domain. This requires a valid and unique hostname for the VIP on the ScaleArc machine. 

Create a hostname (DNS setup)

Follow these steps:

  1. Open DNS manager on the AD server.
  2. Navigate to the domain name, and right click it.
  3. Select New Host from the drop-down menu.

      

  4. Enter a new hostname; for example, scale-test. The FQDN for the record appears in the field. 

    Important

    Make sure you enter a hostname that does not include special characters such as underscore or period.




  5. Next, enter the IP address associated with the hostname. 
  6. Select "Create associated pointer (PTR) record." This creates a reverse name lookup record for the host.
  7. Click Add Host. At this time you should have both the forward and reverse lookup for the virtual IP set to hostname scale-test.

Configure VIP for Kerberos

If you are a cloud customer, skip the section below. In a cloud environment, configure DNS for the management IP (the internal IP) instead.

This example configures a VIP for the Kerberized cluster. 

Follow these steps: 

  1. Click the Settings tab > Network Settings on the ScaleArc dashboard.



  2. Click Virtual IP.

     
     
  3. Select a subnet mask. 
  4. Enter the hostname that you created.

     
     
  5. Click Save.
  6. The address now appears on the screen. 


Configure Windows AD for delegation

ScaleArc supports constrained delegation, in which a user's identity and credentials are passed along only to explicitly specified servers or services.

Prerequisites 

To configure ScaleArc to use constrained delegation, make sure you have the following:

  • Set the NTP server in ScaleArc to the same one used by the Active Directory server (the KDC). Kerberos rejects tickets when clocks drift beyond the configured tolerance, so it is advisable to set the maximum tolerance for computer clock synchronization to five minutes.
  • You have domain administrator account privileges.
  • Ensure that forward and reverse DNS lookup zones are configured correctly for SQL Server and ScaleArc (all virtual IPs).
  • Check the DNS server: it should be the same one configured in Active Directory or on the authentication server in the Kerberos environment (KDC). Note that ScaleArc's hostname should be in lower case without any special characters, such as underscore or period.
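The prerequisites above (a lower-case hostname without special characters, matching forward and reverse DNS records, and a clock within five minutes of the KDC) can be checked from a domain-joined Windows admin host before joining. The following PowerShell pre-flight script is an added example and is not part of the ScaleArc documentation; the domain krbs.com, the domain controller dc01, the VIP hostname scale-test and the SQL Server host sqlprod are assumed placeholder values, and the script assumes the domain controller is also the DNS server and that w32tm prints its offsets in the en-US format.

```powershell
# Added pre-flight check; not part of the ScaleArc documentation. All names below are assumed.
$Domain     = 'krbs.com'
$Dc         = "dc01.$Domain"                                # assumed domain controller / KDC / DNS server
$Hosts      = @("scale-test.$Domain", "sqlprod.$Domain")   # ScaleArc VIP hostname and SQL Server host (assumed)
$MaxSkewSec = 300                                           # five-minute Kerberos clock tolerance

# 1. Hostname rule from the prerequisites: lower case, no underscore or period in the host label.
foreach ($fqdn in $Hosts) {
    $label = $fqdn.Split('.')[0]
    if ($label -cnotmatch '^[a-z0-9-]+$') {
        Write-Warning "Hostname label '$label' contains upper case or special characters"
    }
}

# 2. Forward and reverse lookups must agree: A record -> IP -> PTR record -> the same FQDN.
foreach ($fqdn in $Hosts) {
    $a = Resolve-DnsName -Name $fqdn -Type A -Server $Dc -ErrorAction SilentlyContinue |
         Where-Object { $_.Type -eq 'A' }
    if (-not $a) { Write-Warning "No A record for $fqdn on $Dc"; continue }
    foreach ($rec in $a) {
        $ptr   = Resolve-DnsName -Name $rec.IPAddress -Type PTR -Server $Dc -ErrorAction SilentlyContinue
        $names = $ptr | Where-Object { $_.Type -eq 'PTR' } | ForEach-Object { $_.NameHost.TrimEnd('.') }
        if ($names -contains $fqdn) {
            Write-Host "OK   $fqdn -> $($rec.IPAddress) -> $($names -join ',')"
        } else {
            Write-Warning "PTR for $($rec.IPAddress) does not return $fqdn (got: $($names -join ','))"
        }
    }
}

# 3. Clock skew against the KDC. w32tm /dataonly prints one "<time>, <offset>s" line per sample.
$lines   = w32tm /stripchart "/computer:$Dc" /samples:3 /dataonly
$offsets = $lines | ForEach-Object {
    if ($_ -match ',\s*([+-]\d+\.\d+)s') { [math]::Abs([double]$Matches[1]) }
}
if (-not $offsets) {
    Write-Warning "Could not read the time from $Dc (NTP port blocked or host unreachable?)"
} else {
    $worst = ($offsets | Measure-Object -Maximum).Maximum
    if ($worst -gt $MaxSkewSec) {
        Write-Warning "Clock offset to $Dc is ${worst}s, above the ${MaxSkewSec}s tolerance; fix NTP first"
    } else {
        Write-Host "OK   clock offset to $Dc is ${worst}s"
    }
}
```

Run it once before joining ScaleArc to the domain and again after changing the VIP or DNS records; a PTR mismatch or a clock offset warning is the usual reason a later Kerberos login silently falls back to NTLM or fails outright.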

Join ScaleArc as a machine account 

Follow these steps to join ScaleArc as a machine account:

  1. Click the Settings tab > System Settings on the ScaleArc dashboard.



  2. Click on the AD Integration tab. 



  3. Select Machine Account. Then, complete the fields as follows:

    Field: Fully Qualified Domain Name (FQDN)
    Description: The FQDN of the domain that you want the ScaleArc appliance to join.
    Default/User input: Enter an appropriate domain name.

    Field: Workgroup
    Description: The workgroup (domain NetBIOS name) that you want the ScaleArc appliance to join.
    Default/User input: Enter a valid workgroup name.

    Field: Active Directory (AD) Server
    Description: The FQDN (fully qualified domain name) of the Active Directory server on which the domain is configured. The server name should not end with a trailing dot (".") unless you are using a valid DNS entry for the name.
    Default/User input: Enter the FQDN.

    Field: Administrative username
    Description: The username of the account that has the privilege to add the ScaleArc appliance to the domain as a machine account.
    Default/User input: Enter the username.

    Field: Password
    Description: The administrator password.
    Default/User input: Enter the password.

    Field: Advanced Settings
    Description: A button for configuring additional settings such as sub-domains. It appears only after you join.
    Default/User input: Click to open the related screen.



  4. Click Join to complete the setup. A successful join displays a confirmation dialog box. Click OK. Once connected, you can use Unjoin to leave the domain.



  5. Click Advanced Settings if you wish to add sub-domains. 
  6. Enter one or more sub-domains and their corresponding AD servers. Click Add.


     
  7. The ScaleArc appliance shows up in the Active Directory Users and Computers console. This creates a machine account for the ScaleArc appliance, using the naming convention <hostname$>.

Set up Service Principal Name (SPN) for ScaleArc 

Next, set up an SPN for ScaleArc. An SPN is a unique identifier for a service on a network that uses Kerberos authentication. It consists of a service class, a host name, and a port or instance name. To create an SPN, use the setspn command-line utility.

For an AlwaysOn cluster, set the SPN with the instance name and a port when running setspn.


From PowerShell, set up the Service Principal Name for ScaleArc in AD:

  1. Log in to the Active Directory server as a user with domain administrator privileges.
  2. From PowerShell, set the service principal name for ScaleArc in AD. Remember to specify the port correctly. In this example, the cluster listens on port 1433.

    For a standalone server
    Syntax
    Setspn -A MSSQLSvc/<VIP_Hostname>.<domainname>:<port> <domain\ScaleArc hostname$>

    Example
    C:\>setspn -A MSSQLSvc/scale-test.krbs.com:1433 krbs\scale-pri$

    For an AG listener
    Register both the VIP SPN (as for a standalone server) and the AG listener SPN.

    Syntax (VIP)
    Setspn -A MSSQLSvc/<VIP_Hostname>.<domainname>:<port> <domain\ScaleArc hostname$>

    Example
    C:\>setspn -A MSSQLSvc/scale-test.krbs.com:1433 krbs\scale-pri$

    Syntax (AG listener)
    Setspn -A MSSQLSvc/<AG LISTENER_Hostname>.<domainname>:<port> <domain\domain admin user>

    Example
    C:\>setspn -A MSSQLSvc/aglsnr.krbs.com:1433 krbs\cls

    Important

    Larger AD infrastructures may delay propagation of new SPN entries which could cause delays in those SPN entries being available for delegation. We recommend you wait up to an hour before continuing.

    If you are a cloud customer, instead of <VIP_Hostname> use the All IP hostname which was configured earlier.
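The setspn commands above can be wrapped in a short script that checks for an existing registration before adding each SPN and confirms the result afterwards. This PowerShell script is an added example, not part of the ScaleArc documentation; it reuses the example values above (domain krbs.com, NetBIOS name krbs, VIP hostname scale-test with machine account scale-pri$, AG listener aglsnr with the domain user cls) and assumes it runs as a domain administrator on the AD server.

```powershell
# Added example of registering and verifying the SPNs; not part of the ScaleArc documentation.
# Values follow the page's examples; adjust them for your domain.
$Domain  = 'krbs.com'
$Netbios = 'krbs'
$Port    = 1433

# Each entry: the SPN host part and the account that must hold that SPN.
$Targets = @(
    @{ Host = "scale-test.$Domain"; Account = "$Netbios\scale-pri$" }   # VIP on the ScaleArc machine account
    @{ Host = "aglsnr.$Domain";     Account = "$Netbios\cls" }          # AG listener on the domain user (omit for standalone)
)

foreach ($t in $Targets) {
    $spn = "MSSQLSvc/$($t.Host):$Port"

    # A duplicate SPN leaves the KDC unable to choose a key, so clients fall back to NTLM or fail; check first.
    $existing = setspn -Q $spn
    if ($existing -match 'Existing SPN found') {
        Write-Warning "$spn is already registered:`n$($existing -join "`n")"
        continue
    }

    setspn -A $spn $t.Account
    if ($LASTEXITCODE -ne 0) { throw "setspn -A failed for $spn" }

    # Confirm the SPN is now listed on the intended account.
    $listed = setspn -L $t.Account
    if ($listed -match [regex]::Escape($spn)) {
        Write-Host "OK   $spn -> $($t.Account)"
    } else {
        Write-Warning "$spn not yet listed on $($t.Account) (replication delay?)"
    }
}

# Forest-wide duplicate scan; anything reported here must be resolved before configuring delegation.
setspn -X
```

On Windows Server 2008 and later, `setspn -S` performs the duplicate check and the add in one step; the explicit `-Q` query above is kept so the script reports which account already holds the SPN.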

Set up ScaleArc for delegation

  1. On the domain controller, access the Active Directory Users and Computers console.
  2. In the console tree, under Domain name, click Computers.

     
     
  3. Right-click the ScaleArc server, and then click Properties.
  4. On the Delegation tab, click Trust this computer for delegation to specified services only.
  5. Click Use any authentication protocol.  
  6. Click Add, and then click Users and Computers.

     

  7. Enter the domain user that has the necessary credentials to start and stop SQL services; then, click Select All and OK. 



  8. From the Delegation tab, click Add. Then, click Users or Computers and enter the machine account name of the ScaleArc primary machine (for example, scale-pri$). Click Check Names and OK.



  9. Select the HOST and the MSSQLSvc service for the VIP created earlier. Press the Control key to select multiple entries. Click OK.



  10. The entries appear on the Delegation tab. Click OK.
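After completing the Delegation tab, the resulting account flags can be read back from Active Directory to confirm that delegation is constrained to the VIP services only. The following PowerShell check is an added example and is not part of the ScaleArc documentation; it assumes the RSAT ActiveDirectory module, the machine account name scale-pri and the VIP hostname scale-test from the examples above.

```powershell
# Added check of the delegation settings made in the GUI above; not part of the ScaleArc documentation.
# Assumes the RSAT ActiveDirectory module and the example names scale-pri (machine account) and scale-test (VIP).
Import-Module ActiveDirectory

$Account = 'scale-pri'
$VipHost = 'scale-test'   # short name; ADUC stores both the short and the FQDN form of each selected SPN

$c = Get-ADComputer -Identity $Account -Properties TrustedForDelegation, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'

# 'Trust this computer for delegation to any service' (unconstrained delegation) must stay off:
# it would let the appliance impersonate any connecting user to any service in the domain.
if ($c.TrustedForDelegation) {
    Write-Warning "$Account is trusted for UNCONSTRAINED delegation; select 'specified services only'"
}

# 'Use any authentication protocol' (step 5) sets TrustedToAuthForDelegation.
if (-not $c.TrustedToAuthForDelegation) {
    Write-Warning "$Account lacks TrustedToAuthForDelegation; 'Use any authentication protocol' is not selected"
}

# The target list should contain only HOST and MSSQLSvc entries for the VIP (step 9) and nothing else.
$allowed = @($c.'msDS-AllowedToDelegateTo')
$foreign = $allowed | Where-Object { $_ -notmatch "^(HOST|MSSQLSvc)/$VipHost(\.|:|$)" }
if ($foreign) { Write-Warning "Delegation targets outside the VIP: $($foreign -join ', ')" }
foreach ($svc in 'HOST', 'MSSQLSvc') {
    if (-not ($allowed -match "^$svc/$VipHost")) { Write-Warning "No $svc entry for $VipHost in the delegation list" }
}
if (-not $foreign -and $allowed) { Write-Host "OK   delegation limited to: $($allowed -join ', ')" }
```

Keep this check in the change record for the appliance: the list in msDS-AllowedToDelegateTo is the complete set of services the ScaleArc machine account can obtain tickets for on a user's behalf, so any entry that is not the VIP should be treated as a misconfiguration.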

Provide database access

This is a two-step process:

Grant access to ScaleArc's machine account  

Follow these steps to grant minimum privileges to ScaleArc on SQL Server:

  1. From the machine running SQL Server, log in to SQL Management studio. 
  2. Connect to the server.
  3. Log in.
  4. Locate Security > Logins > New Login. Remember to add $ at the end of the login name. 



     

  5. Select the login, right-click it, and choose Properties.


     
     
  6. Under the Explicit tab, select the following permissions.
    1. View Any Definition.
    2. View Server State.
  7. Click OK.
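The same login and the two explicit permissions can be created with T-SQL instead of the SSMS dialogs, which also makes it easy to verify afterwards that nothing broader (such as sysadmin membership) was granted. The following PowerShell script is an added example, not part of the ScaleArc documentation; it assumes the SqlServer module's Invoke-Sqlcmd, a SQL Server host named sqlprod.krbs.com, the machine account KRBS\scale-pri$ from the examples above, and that it runs as a Windows account with permission to create logins.

```powershell
# Added example, not from the ScaleArc documentation: creates the machine-account login and grants
# the two permissions listed above, then reads back what the login actually holds.
# Assumed names: SQL Server sqlprod.krbs.com and machine account KRBS\scale-pri$.
Import-Module SqlServer

$SqlServer = 'sqlprod.krbs.com'
$Login     = 'KRBS\scale-pri$'    # machine account: NetBIOS domain, hostname, trailing $

$setup = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$Login')
    CREATE LOGIN [$Login] FROM WINDOWS;
GRANT VIEW ANY DEFINITION TO [$Login];
GRANT VIEW SERVER STATE   TO [$Login];
"@
Invoke-Sqlcmd -ServerInstance $SqlServer -Query $setup -ErrorAction Stop

# Expected result: CONNECT SQL (granted automatically by CREATE LOGIN), VIEW ANY DEFINITION and
# VIEW SERVER STATE, and no server role memberships. Anything else widens the appliance's privileges.
$check = @"
SELECT p.permission_name AS grant_or_role, p.state_desc AS state
FROM sys.server_permissions AS p
JOIN sys.server_principals  AS s ON s.principal_id = p.grantee_principal_id
WHERE s.name = N'$Login' AND p.class_desc = 'SERVER'
UNION ALL
SELECT r.name + ' (server role)', 'MEMBER'
FROM sys.server_role_members AS m
JOIN sys.server_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.server_principals AS s ON s.principal_id = m.member_principal_id
WHERE s.name = N'$Login';
"@
Invoke-Sqlcmd -ServerInstance $SqlServer -Query $check | Format-Table -AutoSize
```

These two permissions are what ScaleArc's monitoring needs to read metadata and DMVs; end-user queries through the cluster run under the delegated user identity, not under the machine account, so the machine account itself needs no data access.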

Create a cluster

You are now ready to create a Kerberized cluster in ScaleArc.

Define a cluster for Kerberos

Follow these steps:

  1. On the ScaleArc dashboard, click the Clusters tab > Add Cluster button. 
  2. Locate the Network section. This is the first panel on the Create Cluster screen.



  3. Fill in the fields with valid information.
  4. Select the VIP address you created with the hostname for the field labeled Cluster Virtual IP Address.

    If you are a cloud customer you can use All IP to set up cluster.

Configure database access 

Follow these steps:

  1. On the ScaleArc dashboard, click the Clusters tab > Add Cluster button.
  2. Locate and complete the Database Access section. This is the second panel on the Create Cluster screen. 



  3. If you have joined Windows AD as a machine account, the screen displays a pre-selected checkbox. If you de-select the checkbox, the cluster no longer uses Kerberos for ScaleArc services and monitoring.

     

    De-selecting the checkbox does not require you to unjoin the domain. Nor does it have an impact on other clusters in the domain that have been configured for Kerberos authentication.

  4. Next, configure database servers and SSL (optional) for the cluster.
  5. For Start Cluster After Setup, if you left the checkbox selected (its default setting), the cluster's green icon indicates that the cluster is already running. If you deselected this option, the cluster icon is red, indicating that you need to start the cluster. Click START in the second column to run the cluster. The icon turns green. Click STOP to halt the cluster.
  6. Verify ScaleArc Authentication Offload is ON. 

Verify Kerberos Authentication Offload

A fully-Kerberized cluster has the Kerberized Authentication Offload button set to ON when ScaleArc joins AD as a machine account. Click here to review ScaleArc settings for Kerberos.

  1. Click Clusters > Status > Cluster Settings  in the ScaleArc dashboard.



  2. Select the ScaleArc tab.
  3. Locate the Kerberos Authentication Offload button. Note that it is ON.
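The dashboard toggle shows that offload is enabled; the end-to-end confirmation is a client connection through the VIP that SQL Server reports as Kerberos-authenticated (a delegated connection can only succeed over Kerberos, so NTLM here means the SPN, DNS or delegation setup is wrong). The following PowerShell check is an added example and is not part of the ScaleArc documentation; it assumes a domain-joined client with the SqlServer module, the VIP scale-test.krbs.com listening on port 1433 as in the examples above, and a Windows user who has a login on the backend SQL Server.

```powershell
# Added end-to-end check; not part of the ScaleArc documentation.
# Assumes the VIP scale-test.krbs.com on port 1433 and a domain-joined client with the SqlServer module.
Import-Module SqlServer
$Vip = 'scale-test.krbs.com,1433'

# Purge cached tickets so this test has to request a fresh service ticket for the VIP's SPN.
klist purge | Out-Null

# SQL Server records the authentication scheme negotiated for the session that runs the query.
$row = Invoke-Sqlcmd -ServerInstance $Vip -ErrorAction Stop `
       -Query "SELECT auth_scheme, net_transport FROM sys.dm_exec_connections WHERE session_id = @@SPID;"

if ($row.auth_scheme -eq 'KERBEROS') {
    Write-Host "OK   connection through $Vip authenticated with Kerberos over $($row.net_transport)"
} else {
    Write-Warning "connection through $Vip used $($row.auth_scheme); re-check the SPN, DNS records and delegation"
}

# The client ticket cache should now hold a service ticket for the VIP SPN registered earlier.
klist | Select-String 'MSSQLSvc/scale-test.krbs.com'
```

Run the check from an ordinary user's workstation rather than from the domain controller, since a local connection on the DC can take a Kerberos path that never exercises the delegation configured for the appliance.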

