Creating a Kerberized Cluster

A ScaleArc Kerberized Cluster relies on Kerberos Authentication for cluster user authentication.  

The main reason for using Kerberos is that NTLM user authentication requires the original username and password, as well as a direct connection to the originating machine that requests authentication.

Kerberos has a major advantage because it uses session-specific keys. With Kerberos, the original password is verified only by the Active Directory Controller (ADC) or the Backup Domain Controller (BDC), when the user first logs on to the Kerberos realm (AD domain). Once that authentication succeeds, the session-specific keys issued by the authenticating server can authenticate the host or application to any other service.

Review the sections below for the detailed steps to be executed when setting up a Kerberized ScaleArc cluster:

  1. Configure a hostname and VIP 
  2. Configure Windows AD for delegation
  3. Create a cluster
  4. Verify Kerberos Authentication Offload

Note: Make sure you have ScaleArc version 3.11.x or later installed and running for this configuration. For Kerberos implementation on AWS, refer to the separate AWS article.

Configure a hostname and VIP 

Kerberos authentication uses hostnames to identify machines and services in the domain. This requires a valid and unique hostname for the VIP (Virtual IP address) on the ScaleArc machine. 

Create a hostname (DNS setup)

Follow these steps:

  1. Open DNS manager on the AD server.
  2. Navigate to the domain name, and right-click it.
  3. Select New Host from the drop-down menu.

  4. Enter a new hostname; for example, scale-test. The FQDN for the record appears in the field. 

    Important: Make sure you enter a hostname that does not include special characters such as underscore or period.

  5. Next, enter the IP address associated with the hostname. 
  6. Select "Create associated pointer (PTR) record". This creates a reverse name lookup record for the host.
  7. Click Add Host. At this time you should have both the forward and reverse lookup for the virtual IP (VIP) set to hostname scale-test.

Configure VIP for Kerberos

If you are a cloud customer, skip the section below; in a cloud environment, configure DNS for the management IP (the internal IP) instead.

This example configures a VIP for the Kerberized cluster. 

Follow these steps: 

  1. Click the SETTINGS tab > Network Settings on the ScaleArc dashboard.

  2. Click Virtual IP.

  3. Select a subnet mask. 
  4. Enter the hostname that you created.

  5. Click Save.
  6. The address now appears on the screen. 

Configure Windows AD for delegation

ScaleArc supports constrained delegation in which a user's identity and credentials are passed along to explicitly-specified servers or services.

Prerequisites 

To configure ScaleArc to use constrained delegation, make sure you have the following:

  • The NTP server in ScaleArc is set to the one used by the Active Directory server of the Key Distribution Center (KDC). It is advisable to set the maximum tolerance for computer clock synchronization to five minutes.
  • You have domain administrator account privileges.
  • Forward and reverse DNS lookup zones are configured correctly for the SQL Server and for ScaleArc (all virtual IPs).
  • The DNS server is the same as the one configured in Active Directory, or the authentication server in the Kerberos environment (KDC). Note that ScaleArc's hostname should be in lower case without any special characters, such as underscore or period.

Join ScaleArc as a machine account 

Follow these steps to join ScaleArc as a machine account:

  1. Click the SETTINGS tab > System Settings on the ScaleArc dashboard.

  2. Click on the AD Integration tab. 

  3. Select Machine Account. Then, complete the fields as follows:

    Field: Fully Qualified Domain Name (FQDN)
    Description: The FQDN of the domain that you want the ScaleArc appliance to join.
    Default/User input: Enter an appropriate domain name.

    Field: Workgroup
    Description: The workgroup (domain NetBIOS name) that you want the ScaleArc appliance to join.
    Default/User input: Enter a valid workgroup name.

    Field: Active Directory (AD) Server
    Description: The FQDN (fully qualified domain name) of the Active Directory server on which the domain is configured. The server name should not include a trailing dot (".") unless you are using a valid DNS entry for the name.
    Default/User input: Enter the FQDN.

    Field: Administrator username
    Description: The username of the account that has the privilege to add the ScaleArc appliance to the domain as a machine account.
    Default/User input: Enter the username.

    Field: Password
    Description: The administrator password.
    Default/User input: Enter the password.

    Field: Advanced Settings
    Description: The button to configure additional settings such as sub-domains. This button appears only after you join.
    Default/User input: Click to open the related screen.

  4. Click Join to complete the setup. A successful join displays a confirmation dialog box; click OK. Once joined, you can use Unjoin to leave the domain.

  5. Click Advanced Settings if you wish to add sub-domains. 
  6. Enter one or more sub-domains and their corresponding AD servers. Click Add.

  7. The ScaleArc appliance now appears in the Active Directory Users and Computers console: the join created a machine account for the appliance, named using the convention <hostname$>.

Set up Service Principal Name (SPN) for ScaleArc 

Next, set up SPN for ScaleArc. SPN is a unique identifier for a service on a network that uses Kerberos authentication. It consists of a service class, a hostname, and a port or the instance name. To create an SPN, use the SetSPN command-line utility.

Note: When configuring SETSPN for an AlwaysOn cluster, set the SPN with the instance name and a port.

Follow these steps to set up the Service Principal Name (SPN) for ScaleArc on AD from Windows PowerShell:

  1. Log in to the Active Directory server as a user with domain administrator privileges.
  2. From PowerShell, set the Service Principal Name for ScaleArc on AD. Remember to specify the port correctly. In this example, the cluster listens on port 1433. 

    For a standalone server:

    Syntax:
    setspn -A MSSQLSvc/<VIP_Hostname>.<domainname>:<port> <domain\ScaleArc hostname$>

    Example:
    C:\>setspn -A MSSQLSvc/scale-test.krbs.com:1433 krbs\scale-pri$

    For an AG (Availability Group) Listener:

    Syntax:
    setspn -A MSSQLSvc/<VIP_Hostname>.<domainname>:<port> <domain\ScaleArc hostname$>

    Example:
    C:\>setspn -A MSSQLSvc/scale-test.krbs.com:1433 krbs\scale-pri$

    Syntax for the AG Listener itself:
    setspn -A MSSQLSvc/<AG LISTENER_Hostname>.<domainname>:<port> <domain\domain admin user>

    Example:
    C:\>setspn -A MSSQLSvc/aglsnr.krbs.com:1433 krbs\cls

    Important: Larger AD infrastructures may delay the propagation of new SPN entries, which in turn delays those entries becoming available for delegation. We recommend waiting up to an hour before continuing.

    If you are a cloud customer, use the All IP hostname configured earlier instead of <VIP_Hostname>.
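
Before moving on to delegation, a practitioner will want to confirm that the DNS records, the SPN registration and the clock skew are all in order, since each of these silently breaks Kerberos and causes a fallback to NTLM. The following PowerShell check is an added example, not part of the ScaleArc documentation; it assumes an elevated session on a domain-joined Windows host with the RSAT ActiveDirectory module, reuses the page's scale-test.krbs.com and krbs\scale-pri$ values, and uses a constructed VIP address of 10.0.0.50.

```powershell
# Added example, not from the ScaleArc documentation. Verifies the DNS and SPN
# prerequisites for the Kerberized VIP. Assumes: elevated PowerShell on a
# domain-joined host, RSAT ActiveDirectory module, and the page's example names.
Import-Module ActiveDirectory

$VipHost = 'scale-test.krbs.com'    # VIP hostname created in DNS (from the page)
$VipIp   = '10.0.0.50'              # constructed sample VIP address
$Port    = 1433                     # port the cluster listens on
$Account = 'krbs\scale-pri$'        # ScaleArc machine account (from the page)
$Spn     = "MSSQLSvc/${VipHost}:$Port"

# 1. Forward lookup must return the VIP and the PTR must map back to the same name;
#    the client builds the SPN from the name it resolves, so a mismatch yields a
#    ticket request for the wrong principal and a fallback to NTLM.
$a   = Resolve-DnsName -Name $VipHost -Type A   -ErrorAction Stop
$ptr = Resolve-DnsName -Name $VipIp   -Type PTR -ErrorAction Stop
if ($a.IPAddress -notcontains $VipIp) { throw "A record for $VipHost does not point to $VipIp" }
if ($ptr.NameHost -ne $VipHost)       { throw "PTR for $VipIp is '$($ptr.NameHost)', expected $VipHost" }

# 2. The SPN must exist, and exactly once: with a duplicate SPN the KDC cannot tell
#    which account's key to use, so service tickets fail or go to the wrong account.
$q = (setspn -Q $Spn) -join "`n"
if ($q -notmatch 'Existing SPN found') { throw "$Spn is not registered in the forest" }
$dupes = setspn -X -P | Select-String -SimpleMatch $Spn
if ($dupes) { throw "Duplicate registrations of ${Spn}:`n$($dupes -join "`n")" }

# 3. ...and it must be on the ScaleArc machine account, not on another principal.
$listed = (setspn -L $Account) -join "`n"
if ($listed -notmatch [regex]::Escape($Spn)) { throw "$Spn is not listed on $Account" }

# 4. Clock skew against a domain controller must stay inside the 5-minute tolerance.
$dc   = (Get-ADDomainController -Discover).HostName | Select-Object -First 1
$last = (w32tm /stripchart /computer:$dc /samples:1 /dataonly) | Select-Object -Last 1
$skew = [math]::Abs([double](($last -split ',')[-1] -replace '[^0-9.\-]', ''))
if ($skew -gt 300) { throw "Clock skew to $dc is ${skew}s, above the 300s limit" }

"DNS, SPN and time checks passed for $Spn on $Account"
```

The setspn -X forest-wide duplicate search can take a while in a large directory; run it once after the SPN has had time to propagate.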

Set up ScaleArc for delegation

  1. On the domain controller, access the Active Directory Users and Computers console.
  2. In the console tree, under Domain name, click Computers.

  3. Right-click the ScaleArc server, and then click Properties.
  4. On the Delegation tab, click Trust this computer for delegation to specified services only.
  5. Click Use any authentication protocol.
  6. Click Add, and then click to select Users and Computers.

  7. Enter the domain user that has the necessary credentials to start and stop SQL services; then, click Select All and OK. 

  8. From the Delegation tab, click Add. Then, click Users or Computers and enter the machine account name of the ScaleArc primary machine (for example, scale-pri$). Click Check Names and OK.

  9. Select the HOST and the MSSQLSvc service for the VIP created earlier. Press the Control key to select multiple entries. Click OK.

  10. The entries appear on the Delegation tab. Click OK.
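
The delegation settings chosen above map to three attributes on the ScaleArc computer object, and the security-relevant mistake is ending up with unconstrained delegation or with more target services than intended. The following PowerShell check is an added example, not part of the ScaleArc documentation; it assumes the RSAT ActiveDirectory module, the page's scale-pri machine account and VIP SPNs, and a constructed SQL Server SPN (sqlnode1.krbs.com) standing in for the SQL service account's entry.

```powershell
# Added example, not from the ScaleArc documentation. Confirms that the ScaleArc
# machine account has constrained delegation with protocol transition, scoped to
# the expected services only. Assumes the RSAT ActiveDirectory module; the SQL
# Server SPN below is a constructed sample, the VIP SPNs are the page's values.
Import-Module ActiveDirectory

$Computer = 'scale-pri'                       # ScaleArc machine account, without the $
$Expected = @(
    'MSSQLSvc/sqlnode1.krbs.com:1433',        # constructed: SQL Server service SPN
    'MSSQLSvc/scale-test.krbs.com:1433',      # VIP SQL SPN registered on the page
    'HOST/scale-test.krbs.com'                # VIP HOST SPN selected on the page
)

$c = Get-ADComputer -Identity $Computer -Properties 'msDS-AllowedToDelegateTo', TrustedForDelegation, TrustedToAuthForDelegation

# "Trust this computer for delegation to specified services only" must not leave the
# unconstrained flag set: an unconstrained account can impersonate any user to any
# service, which is the misconfiguration a defender most wants to catch here.
if ($c.TrustedForDelegation) { throw "$Computer is configured for UNCONSTRAINED delegation" }

# "Use any authentication protocol" = protocol transition (TRUSTED_TO_AUTH_FOR_DELEGATION):
# it lets the appliance obtain a service ticket on the user's behalf even when the
# front-end connection did not arrive with a forwardable Kerberos ticket.
if (-not $c.TrustedToAuthForDelegation) { throw "Protocol transition is not enabled on $Computer" }

$allowed = @($c.'msDS-AllowedToDelegateTo')
if ($allowed.Count -eq 0) { throw "msDS-AllowedToDelegateTo on $Computer is empty" }

# Each listed target is one more service the appliance may impersonate users to, so
# missing entries break the cluster and unexpected entries widen the blast radius.
$missing = $Expected | Where-Object { $allowed -notcontains $_ }
$extra   = $allowed  | Where-Object { $Expected -notcontains $_ }
if ($missing) { throw "Missing delegation targets: $($missing -join ', ')" }
if ($extra)   { Write-Warning "Review unexpected delegation targets: $($extra -join ', ')" }

"Constrained delegation on $Computer is limited to: $($allowed -join ', ')"
```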

Provide database access

This is a two-step process:

Grant access to ScaleArc's machine account  

Follow these steps to grant minimum privileges to ScaleArc on SQL Server:

  1. From the machine running SQL Server, log in to SQL Server Management Studio.
  2. Connect to the server.
  3. Log in.
  4. Locate Security > Logins > New Login. Remember to add $ at the end of the login name. 

  5. Select the user, right-click it, and choose Properties.

  6. Under the Explicit tab, select the following permissions.
    1. View Any Definition.
    2. View Server status.
  7. Click OK.
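
The same grant can be applied and, more importantly, verified from a script so that the machine account is known to hold nothing beyond the two permissions above. The following PowerShell block is an added example, not part of the ScaleArc documentation; it assumes the SqlServer PowerShell module (Invoke-Sqlcmd), a constructed instance name sqlnode1.krbs.com, and the page's KRBS\scale-pri$ machine account. The SSMS labels "View any definition" and "View server state" correspond to the VIEW ANY DEFINITION and VIEW SERVER STATE server permissions.

```powershell
# Added example, not from the ScaleArc documentation. Creates the SQL Server login
# for the ScaleArc machine account, grants only the two server-level permissions the
# page requires, then verifies that nothing broader was granted. Assumes the
# SqlServer PowerShell module; the instance name is a constructed placeholder.
Import-Module SqlServer

$Instance = 'sqlnode1.krbs.com'   # constructed sample SQL Server instance
$Login    = 'KRBS\scale-pri$'     # machine account: NetBIOS domain, trailing $

$grant = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$Login')
    CREATE LOGIN [$Login] FROM WINDOWS;   -- Windows login: no password stored in SQL Server
GRANT VIEW ANY DEFINITION TO [$Login];    -- SSMS Explicit tab: "View any definition"
GRANT VIEW SERVER STATE   TO [$Login];    -- SSMS Explicit tab: "View server state"
"@
Invoke-Sqlcmd -ServerInstance $Instance -Query $grant -ErrorAction Stop

# Least-privilege check: every explicit server-level GRANT on the login, plus whether
# someone has also dropped it into sysadmin (which would not show up as a GRANT).
$check = @"
SELECT pe.permission_name, IS_SRVROLEMEMBER('sysadmin', N'$Login') AS is_sysadmin
FROM sys.server_permissions AS pe
JOIN sys.server_principals AS pr ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name = N'$Login' AND pe.state = 'G';
"@
$rows  = @(Invoke-Sqlcmd -ServerInstance $Instance -Query $check -ErrorAction Stop)
$perms = $rows | ForEach-Object { $_.permission_name }
$allow = 'CONNECT SQL', 'VIEW ANY DEFINITION', 'VIEW SERVER STATE'   # CONNECT SQL is implicit

if ($rows | Where-Object { $_.is_sysadmin -eq 1 }) { throw "$Login is a member of sysadmin" }
$extra = $perms | Where-Object { $allow -notcontains $_ }
if ($extra) { throw "$Login holds more than the minimum: $($extra -join ', ')" }
foreach ($p in 'VIEW ANY DEFINITION', 'VIEW SERVER STATE') {
    if ($perms -notcontains $p) { throw "$p is missing on $Login" }
}
"Minimum privileges verified for $Login"
```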

Create a cluster

You are now ready to create a Kerberized cluster in ScaleArc.

Define a cluster for Kerberos

Follow these steps:

  1. On the ScaleArc dashboard, click the CLUSTERS tab > Add Cluster button. 
  2. Locate the Network section. This is the first panel on the Create Cluster screen.

  3. Fill in the fields with valid information as outlined in Configuring ScaleArc endpoints.
  4. Select the VIP address you created with the hostname for the field labeled Cluster Virtual IP Address.

    If you are a cloud customer, you can use All IP to set up the cluster.

Configure database access 

Follow these steps:

  1. On the ScaleArc dashboard, click the CLUSTERS tab > Add Cluster button.
  2. Locate and complete the Database Access section. This is the second panel on the Create Cluster screen. 

  3. If you have joined Windows AD as a machine account, the screen displays a pre-selected checkbox. If you de-select the checkbox, the cluster does not use Kerberos anymore for ScaleArc services and monitoring.

    De-selecting the checkbox does not require you to unjoin the domain; nor does it have an impact on other clusters in the domain that have been configured for Kerberos authentication.
  4. Next, configure database servers and SSL (optional) for the cluster.
  5. If you had selected the checkbox to Start Cluster after Setup (this is selected by default), the newly created cluster's green icon indicates that the cluster is running. If you had unchecked this option, the cluster icon will be red, indicating that you need to start the cluster. Click START in the Status column to run the cluster. The icon should turn green indicating it is now running. You can stop the cluster using the STOP button.
  6. Verify ScaleArc Authentication Offload is ON. 

Verify Kerberos Authentication Offload

A fully Kerberized cluster has the Kerberos Authentication Offload button set to ON when ScaleArc has joined AD as a machine account. Refer to the ScaleArc settings documentation to review the settings related to Kerberos.

  1. Navigate to CLUSTERS > Status column > Cluster Settings in the ScaleArc dashboard.

  2. Select the ScaleArc tab.
  3. Locate the Kerberos Authentication Offload button. Note that it is ON.
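
The button being ON says what ScaleArc intends to do; the end-to-end check is whether a session that reaches SQL Server through the VIP was authenticated with Kerberos and still carries the user's own identity. The following PowerShell block is an added example, not part of the ScaleArc documentation; it assumes the SqlServer module, the page's scale-test.krbs.com VIP on port 1433, and that it is run as a domain user who has been granted access to the database.

```powershell
# Added example, not from the ScaleArc documentation. Connects through the Kerberized
# VIP as the current domain user and confirms that the session SQL Server sees was
# authenticated with Kerberos and still carries the user's own identity (that is,
# constrained delegation worked and nothing fell back to NTLM or the machine account).
# Assumes the SqlServer module and the page's VIP name and port.
Import-Module SqlServer

$Vip  = 'scale-test.krbs.com'   # VIP hostname created in DNS
$Port = 1433                    # cluster port
$Me   = "$env:USERDOMAIN\$env:USERNAME"

$q = @"
SELECT SUSER_SNAME() AS login_name, c.auth_scheme, c.net_transport
FROM sys.dm_exec_connections AS c
WHERE c.session_id = @@SPID;
"@
$r = Invoke-Sqlcmd -ServerInstance "$Vip,$Port" -Query $q -ErrorAction Stop

if ($r.auth_scheme -ne 'KERBEROS') {
    # NTLM here usually means a missing or duplicate SPN, a DNS mismatch, or a
    # client that addressed the VIP by IP address instead of by hostname.
    throw "Session used $($r.auth_scheme); expected KERBEROS"
}
if ($r.login_name -ne $Me) {
    throw "SQL Server sees '$($r.login_name)' instead of '$Me': delegation did not carry the user identity"
}

# The client-side ticket cache should now hold a service ticket for the VIP SPN.
$cache = (klist) -join "`n"
if ($cache -notmatch "MSSQLSvc/$([regex]::Escape($Vip)):$Port") {
    throw "No service ticket for MSSQLSvc/${Vip}:$Port in the ticket cache"
}
"Kerberos confirmed through $Vip as $Me (auth_scheme=$($r.auth_scheme), transport=$($r.net_transport))"
```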
