Using Kerberos with a cluster of Content Platform Engine servers
The SPN used for a cluster is different from the one used for an individual Content Platform Engine server: every server in the cluster must present the same cluster-wide Kerberos identity, not its own server-name identity.
Procedure
- For a cluster, pick a unique SPN, say FNCEWS/cluster01,
and create a single domain user, FNCEWS_cluster01, that will be the
Kerberos identity account for that SPN. Run the setspn utility to
map this SPN, in both its short-name and fully qualified forms, to this identity account by typing:
setspn -a FNCEWS/cluster01 FNCEWS_cluster01
setspn -a FNCEWS/cluster01.mydom.example.com FNCEWS_cluster01
- All Content Platform Engine servers
must then be set up to use this cluster-wide identity rather than
the server-name identity normally used. Do this as follows:
- For WebSphere:
- Add a new option, serviceAccountName=FNCEWS_cluster01 (substituting your cluster name for cluster01) to the JAAS configuration for KrbServiceLoginModule on each application server.
- For WebLogic:
- Set the Service Account Name option for the Engine Kerberos Authentication Provider.
- In cases where one client references a server's URL directly
and another client references the cluster URL of that same server
(possible with customized .NET clients), the SPNs of the individual
servers must also be mapped to the same identity account. As an example, here is
what you would enter for a cluster named cluster01 and
two member servers within that cluster, myce01 and myce02,
all in domain mydom.example.com:
setspn -a FNCEWS/cluster01 FNCEWS_cluster01
setspn -a FNCEWS/cluster01.mydom.example.com FNCEWS_cluster01
setspn -a FNCEWS/myce01 FNCEWS_cluster01
setspn -a FNCEWS/myce01.mydom.example.com FNCEWS_cluster01
setspn -a FNCEWS/myce02 FNCEWS_cluster01
setspn -a FNCEWS/myce02.mydom.example.com FNCEWS_cluster01
Remember the following:
- All the SPNs must map to the same identity account (FNCEWS_cluster01 in the example above).
- All the clustered servers must have the serviceAccountName=FNCEWS_cluster01 option set in the JAAS configuration (WebSphere) or the Service Account Name option set in the Engine Kerberos Authentication Provider (WebLogic), as described above.
- You must set up a keytab entry on each server for the identity account name (FNCEWS_cluster01 in the example).
Finally, it is extremely important that no single SPN be mapped to more than one identity account. For example, the following two
setspn
commands, even if they were run at different times, would cause unexpected "The network path was not found" errors on the clients. Here is an example of a mapping you must not do:
setspn -a FNCEWS/myce01 FNCEWS_myce01
setspn -a FNCEWS/myce01 FNCEWS_cluster01
This example has the same SPN, FNCEWS/myce01, mapped to two different identities: FNCEWS_myce01 and FNCEWS_cluster01. This typically happens when you start with a single Content Platform Engine server (registered under its own server-name account) and later expand it into a cluster without removing the old mapping first. Note that setspn -a does not check whether the SPN is already registered to another account, so the duplicate is created silently. On versions of setspn that support them, use setspn -S instead of -a (it refuses to add an SPN that already exists) and run setspn -X to report any duplicate SPNs already present, then remove the stale mapping with setspn -d before registering the cluster-wide one.
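The following PowerShell script is an added example, not code from the IBM documentation or the Content Platform Engine product. It automates the procedure above for one cluster: it builds the short-name and FQDN SPN list for the cluster name and each member server, checks Active Directory for any SPN already registered to a different account (the exact failure mode described above), and only then registers them all against the single identity account with setspn -S. It assumes the ActiveDirectory PowerShell module (RSAT) is installed, that the caller may write servicePrincipalName, and that the names cluster01, myce01, myce02, mydom.example.com and FNCEWS_cluster01 are placeholders taken from the page's example.

```powershell
# Added example (not from the IBM page): register cluster-wide SPNs for a
# Content Platform Engine cluster against one identity account, refusing to
# proceed if any SPN is already mapped to a different account.
# Assumes the ActiveDirectory module (RSAT) and rights to write servicePrincipalName.
param(
    [string]$Cluster      = 'cluster01',            # placeholder from the page
    [string]$Domain       = 'mydom.example.com',    # placeholder from the page
    [string[]]$Members    = @('myce01', 'myce02'),  # placeholders from the page
    [string]$Account      = 'FNCEWS_cluster01',     # placeholder from the page
    [string]$ServiceClass = 'FNCEWS'
)

Import-Module ActiveDirectory

# Every host name a client might put in a URL: the cluster name and each
# member server, each in short and fully qualified form.
$hostNames = @($Cluster) + $Members
$spns = foreach ($h in $hostNames) {
    "$ServiceClass/$h"
    "$ServiceClass/$h.$Domain"
}

$target = Get-ADUser -Identity $Account

# Look up the current owner of each SPN. An SPN held by any object other
# than the target account is exactly the duplicate the page warns about.
$conflicts = @()
foreach ($spn in $spns) {
    $owners = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" `
                           -Properties servicePrincipalName
    foreach ($o in $owners) {
        if ($o.DistinguishedName -ne $target.DistinguishedName) {
            $conflicts += "$spn is already registered to $($o.DistinguishedName)"
        }
    }
}

if ($conflicts.Count -gt 0) {
    # Stop here: remove the stale mapping (setspn -d) before re-running.
    Write-Error ("Refusing to register; an SPN mapped to two accounts breaks " +
                 "Kerberos on the clients:`n" + ($conflicts -join "`n"))
    exit 1
}

# setspn -S, unlike -a, refuses to add an SPN that already exists anywhere
# in the forest, so this is safe to re-run.
foreach ($spn in $spns) {
    & setspn -S $spn $Account
}

# Show what is now registered to the account, then confirm the forest has
# no duplicate SPNs at all.
& setspn -L $Account
& setspn -X
```

Run it once from a domain-joined administrative PowerShell session (for example `.\Register-ClusterSpns.ps1 -Cluster cluster01 -Members myce01,myce02`). The pre-check against Get-ADObject is what prevents the single-server-to-cluster migration mistake: if FNCEWS/myce01 is still held by FNCEWS_myce01 the script stops and tells you which account to clean up, rather than creating the second mapping that setspn -a would have created silently. Setting up the keytab on each server for FNCEWS_cluster01 and the serviceAccountName / Service Account Name option on each application server remain separate manual steps.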