Configuring Kerberos for Clustered Servers

If you enabled clustering for your MSS deployment, some additional steps are required for configuring Windows Authentication - Kerberos.

The following steps can be done either before clustering the MSS server or after the cluster has already been established. For more information, see Clustering.

Step 1. Configure each server to be clustered

Enable Kerberos on each server in the cluster by following the steps in Enabling Kerberos.
After successfully completing all of the Configure KDC and Active Directory steps for a single server, you need to add an SPN for each additional server in the cluster.

The SPN must be added to the Active Directory service account that was already created for your MSS deployment.
For each additional server in the cluster:

Follow the steps described in Assign an SPN for the MSS server to the Service Account .

Notes

The keytab file generated for the single server deployment does not need to be—and should not be—modified for a clustered deployment.
The addition of the SPNs to the service account is all that is required.

Step 2. Configure Load Balancer/Proxies

If you are putting a load balancer in front of your MSS cluster, some additional steps are required when using Windows Authentication - Kerberos. These steps must be done on each server in the cluster.

Edit <install-dir>/mss/conf/container.properties and add this property:

oauthadapter.management.server.url=https://<load-balancer-address:port>/mss
Configure the auth-service to accept connections from the load balancer by editing the <install-dir>/mss/server/microservices/auth-service/service.yml file and adding these properties to the env section:
```
- name: authsvc.http-interfaces
  value: {name}
- name: authsvc.http-interfaces.{name}.anyLocalInterface
  value: true
- name: authsvc.http-interfaces.{name}.proxyDomain
  value: {domainName-of-proxy-interface}
- name: authsvc.http-interfaces.{name}.proxyPort
  value: {port-of-proxy-interface}
- name: authsvc.http-interfaces.{name}.port
  value: 9443
- name: authsvc.http-interfaces.{name}.tls
  value: true
```
Notes
- {name} - any name you wish for the proxy interface
- {domainName-of-proxy-interface} - the fully qualified address of the load balancer
- {port-of-proxy-interface} - the port used by the load balancer
- If additional interfaces are necessary, you can define a comma-delimited list of names in the authsvc.http-interfaces property and then define the complete set of properties for each name.
Restart the server.

Step 3. Set Certificates

In order for the load balancer to allow HTTPS connections to the MSS server, the load balancer public certificate needs to be uploaded to the MSS cluster. Follow these steps:

Log into the MSS Administrative Console on one machine in the cluster.
Navigate to Configure Settings - Trusted Certificates.
Select the Trusted Sub-System certificate store.
Click +IMPORT.
Click UPLOAD and locate the load balancer's public certificate.
Enter a Friendly name for the certificate entry.
Click IMPORT.

Step 4. Add the SPN of the load balancer to the KDC

For the load balancer to forward Kerberos login requests from users, the load balancer must be registered as an additional Service Principal Name (SPN) with the service account on the KDC.

Follow the steps in Step 1. Configure each server to be clustered (above) to add the SPN of the load balancer machine to the service account on the KDC used to authenticate users.

For example:

setspn –A HTTP/load-balancer.my-company.com my-mss-deployment

Regarding the other MSS servers in a cluster:

You do not need to—and should not—generate a new keytab file.
The addition of the load balancer as an SPN to the service account is all that is required.