Configuring Kerberos for Clustered Servers
If you enabled clustering for your MSS deployment, some additional steps are required for configuring Windows Authentication - Kerberos.
The following steps can be done either before clustering the MSS server or after the cluster has already been established. For more information, see Clustering.
Step 1. Configure each server to be clustered
- Enable Kerberos on each server in the cluster by following the steps in Enabling Kerberos.
- After successfully completing all of the Configure KDC and Active Directory steps for a single server, you need to add an SPN for each additional server in the cluster. The SPN must be added to the Active Directory service account that was already created for your MSS deployment.
- For each additional server in the cluster, follow the steps described in Assign an SPN for the MSS server to the Service Account.
Notes
- The keytab file generated for the single server deployment does not need to be—and should not be—modified for a clustered deployment.
- The addition of the SPNs to the service account is all that is required.
Step 2. Configure Load Balancer/Proxies
If you are putting a load balancer in front of your MSS cluster, some additional steps are required when using Windows Authentication - Kerberos. These steps must be done on each server in the cluster.
- Edit <install-dir>/mss/conf/container.properties and add this property:
    oauthadapter.management.server.url=https://<load-balancer-address:port>/mss
- Configure the auth-service to accept connections from the load balancer by editing the <install-dir>/mss/server/microservices/auth-service/service.yml file and adding these properties to the env section:
    - name: authsvc.http-interfaces
      value: {name}
    - name: authsvc.http-interfaces.{name}.anyLocalInterface
      value: true
    - name: authsvc.http-interfaces.{name}.proxyDomain
      value: {domainName-of-proxy-interface}
    - name: authsvc.http-interfaces.{name}.proxyPort
      value: {port-of-proxy-interface}
    - name: authsvc.http-interfaces.{name}.port
      value: 9443
    - name: authsvc.http-interfaces.{name}.tls
      value: true
Notes
- {name} - any name you wish for the proxy interface
- {domainName-of-proxy-interface} - the fully qualified address of the load balancer
- {port-of-proxy-interface} - the port used by the load balancer
- If additional interfaces are necessary, you can define a comma-delimited list of names in the authsvc.http-interfaces property and then define the complete set of properties for each name.
- Restart the server.
Step 3. Set Certificates
In order for the load balancer to allow HTTPS connections to the MSS server, the load balancer public certificate needs to be uploaded to the MSS cluster. Follow these steps:
- Log into the MSS Administrative Console on one machine in the cluster.
- Navigate to Configure Settings - Trusted Certificates.
- Select the Trusted Sub-System certificate store.
- Click +IMPORT.
- Click UPLOAD and locate the load balancer's public certificate.
- Enter a Friendly name for the certificate entry.
- Click IMPORT.
Step 4. Add the SPN of the load balancer to the KDC
For the load balancer to forward Kerberos login requests from users, the load balancer must be registered as an additional Service Principal Name (SPN) with the service account on the KDC.
Follow the steps in Step 1. Configure each server to be clustered (above) to add the SPN of the load balancer machine to the service account on the KDC used to authenticate users.
For example:
setspn -A HTTP/load-balancer.my-company.com my-mss-deployment
Regarding the other MSS servers in a cluster:
- You do not need to—and should not—generate a new keytab file.
- The addition of the load balancer as an SPN to the service account is all that is required.
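The SPN registrations from Step 1 (one per additional cluster member) and Step 4 (the load balancer) can be done in one pass. The following PowerShell script is an added example, not part of the product documentation; the hostnames and the service account name are assumptions, and it uses setspn -S (which refuses to create a duplicate SPN) after an explicit setspn -Q check, rather than the plain -A shown above, because a duplicate SPN silently breaks Kerberos for that service.

```powershell
# Added example (not from the MSS documentation): register the HTTP SPN of every
# cluster node and of the load balancer on the existing MSS service account.
# Run on a domain-joined host with rights to modify the service account.
$ServiceAccount = 'my-mss-deployment'          # assumed: account already used by the keytab
$Hosts = @(
    'mss-node1.my-company.com',                # assumed: additional cluster members (Step 1)
    'mss-node2.my-company.com',
    'load-balancer.my-company.com'             # assumed: load balancer address (Step 4)
)

foreach ($h in $Hosts) {
    $spn = "HTTP/$h"

    # A duplicate SPN anywhere in the forest breaks Kerberos for that service,
    # so query before adding and stop if another object already owns it.
    $query = setspn -Q $spn 2>&1
    if ($query -match 'Existing SPN found') {
        Write-Warning "$spn is already registered; verify the owner before continuing:`n$($query -join "`n")"
        continue
    }

    # -S adds the SPN only if it is unique in the forest.
    setspn -S $spn $ServiceAccount
    if ($LASTEXITCODE -ne 0) { throw "setspn failed for $spn (exit code $LASTEXITCODE)" }
}

# Show the final SPN set on the account. The keytab is NOT regenerated:
# per the steps above, adding the SPNs to the service account is all that is required.
setspn -L $ServiceAccount
```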