Using Kerberos with a cluster of Content Platform Engine servers

The SPN used for a cluster is different than that used for individual Content Platform Engine servers.

Procedure

  1. For a cluster, pick a unique SPN, say FNCEWS/cluster01, and create a single domain user, FNCEWS_cluster01, that will be the Kerberos identity account for that SPN. Run the setspn utility to map this SPN to this identity account by typing:
    setspn -a FNCEWS/cluster01 FNCEWS_cluster01
    setspn -a FNCEWS/cluster01.mydom.example.com FNCEWS_cluster01
  2. All Content Platform Engine servers must then be set up to use this cluster-wide identity rather than the server-name identity normally used. Do this as follows:
    For WebSphere:
    Add a new option, serviceAccountName=FNCEWS_cluster01 (substituting your cluster name for cluster01) to the JAAS configuration for KrbServiceLoginModule on each application server.
    For WebLogic:
    Set the Service Account Name option for the Engine Kerberos Authentication Provider.
  3. In cases where one client references a server's URL directly and another client could reference the cluster URL of that server (possible with customized .NET clients), there must be additional SPN mappings to the same identity account. As an example, here is what you would enter for a cluster named cluster01 and two particular servers within that cluster, myce01 and myce02, all in domain mydom.example.com:
    setspn -a FNCEWS/cluster01 FNCEWS_cluster01
    setspn -a FNCEWS/cluster01.mydom.example.com FNCEWS_cluster01
    setspn -a FNCEWS/myce01 FNCEWS_cluster01
    setspn -a FNCEWS/myce01.mydom.example.com FNCEWS_cluster01
    setspn -a FNCEWS/myce02 FNCEWS_cluster01
    setspn -a FNCEWS/myce02.mydom.example.com FNCEWS_cluster01

    Remember the following:

    • All the SPNs must map to the same identity account (FNCEWS_cluster01 in the example above).
    • All the clustered servers must have the serviceAccountName=FNCEWS_cluster01 option set in the JAAS configuration, as previously mentioned.
    • You must set up a keytab entry on each server for the identity account name (FNCEWS_cluster01 in the example).

    Finally, it is extremely important that no single SPN be mapped to more than one identity account. For example, the following two setspn commands, even if they were run at different times, would cause unexpected "The network path not found" errors on the clients. Here is an example of a mapping you must not do:

    setspn -a FNCEWS/myce01 FNCEWS_myce01
    setspn -a FNCEWS/myce01 FNCEWS_cluster01

    This example has the same SPN, FNCEWS/myce01, mapped to two different identities: FNCEWS_myce01 and FNCEWS_cluster01. Unfortunately, this can occur by starting with a single Content Platform Engine server and later expanding to a cluster of Content Platform Engine servers. Note also that there is no way to check for duplicates of this sort in Microsoft's setspn utility.
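The following script is an added example, not part of the IBM documentation and not an IBM or Microsoft tool. It serves two purposes from this page: it generates the step 1 and step 3 setspn -a command lines for a cluster and its member servers (so every short and fully qualified SPN ends up on the one cluster identity account), and it reads text in the layout that setspn -L prints for each account to find the duplicate-mapping mistake described above, which setspn -a itself does not refuse. The sample setspn -L output embedded below is constructed for the page's names (cluster01, myce01, myce02, mydom.example.com) and deliberately contains the FNCEWS/myce01 duplicate; the header regex assumes the "Registered ServicePrincipalNames for CN=...:" line format.

```python
"""Plan CPE cluster SPN mappings and detect SPNs registered on more than one
account in setspn -L output. Added example; not IBM's or Microsoft's code."""
import re
from collections import defaultdict

SERVICE_CLASS = "FNCEWS"  # service class used for Content Platform Engine SPNs


def cluster_spns(cluster, servers, domain):
    """SPNs for the cluster name plus every member server, short and fully
    qualified, as in step 3. All of them must map to one identity account."""
    spns = []
    for host in [cluster, *servers]:
        spns.append(f"{SERVICE_CLASS}/{host}")
        spns.append(f"{SERVICE_CLASS}/{host}.{domain}")
    return spns


def setspn_commands(cluster, servers, domain, account):
    """Render the 'setspn -a SPN account' lines for the planned SPNs."""
    return [f"setspn -a {spn} {account}"
            for spn in cluster_spns(cluster, servers, domain)]


# Assumed layout of 'setspn -L <account>' output:
#   Registered ServicePrincipalNames for CN=<account>,CN=Users,DC=...:
#           SERVICE/host
_HEADER = re.compile(r"^Registered ServicePrincipalNames for (CN=([^,]+),.*):\s*$")


def parse_setspn_l(text):
    """Map each SPN (lower-cased, since AD matches SPNs case-insensitively)
    to the set of account CNs that have it registered."""
    owners = defaultdict(set)
    account = None
    for line in text.splitlines():
        m = _HEADER.match(line.strip())
        if m:
            account = m.group(2)
            continue
        spn = line.strip()
        if account and spn:
            owners[spn.lower()].add(account)
    return dict(owners)


def duplicate_spns(owners):
    """SPNs registered on more than one account: the forbidden mapping."""
    return {spn: sorted(accts) for spn, accts in owners.items() if len(accts) > 1}


def misowned_spns(owners, cluster, servers, domain, account):
    """Planned cluster SPNs that are missing, or not owned solely by the
    cluster identity account."""
    return [spn for spn in cluster_spns(cluster, servers, domain)
            if owners.get(spn.lower()) != {account}]


# Constructed sample resembling 'setspn -L' run for two accounts. FNCEWS/myce01
# appears under both, reproducing the mistake the page warns against.
SAMPLE_SETSPN_L = """\
Registered ServicePrincipalNames for CN=FNCEWS_myce01,CN=Users,DC=mydom,DC=example,DC=com:
        FNCEWS/myce01
        FNCEWS/myce01.mydom.example.com
Registered ServicePrincipalNames for CN=FNCEWS_cluster01,CN=Users,DC=mydom,DC=example,DC=com:
        FNCEWS/cluster01
        FNCEWS/cluster01.mydom.example.com
        FNCEWS/myce01
        FNCEWS/myce02
        FNCEWS/myce02.mydom.example.com
"""

if __name__ == "__main__":
    cluster, servers, domain = "cluster01", ["myce01", "myce02"], "mydom.example.com"
    account = "FNCEWS_cluster01"
    print("Planned commands:")
    for cmd in setspn_commands(cluster, servers, domain, account):
        print("  " + cmd)
    owners = parse_setspn_l(SAMPLE_SETSPN_L)
    for spn, accts in duplicate_spns(owners).items():
        print(f"DUPLICATE: {spn} is mapped to {', '.join(accts)}")
    for spn in misowned_spns(owners, cluster, servers, domain, account):
        print(f"FIX: {spn} must be registered only on {account}")
```

Running the script against real output means pasting the result of setspn -L for every account that might carry FNCEWS SPNs (the old per-server accounts as well as the cluster account); an SPN reported as DUPLICATE has to be removed from the stale account before clients will stop seeing the error described above.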