The SPN used for a cluster is different from the one used for individual Content Platform Engine servers.
Procedure
- For a cluster, pick a unique SPN, say FNCEWS/cluster01, and create a single domain user, FNCEWS_cluster01, that will be the Kerberos identity account for that SPN. Run the setspn utility to map this SPN (in both its short and fully qualified forms) to this identity account by typing:
    setspn -a FNCEWS/cluster01 FNCEWS_cluster01
    setspn -a FNCEWS/cluster01.mydom.example.com FNCEWS_cluster01
- All Content Platform Engine servers must then be set up to use this cluster-wide identity rather than the server-name identity normally used. Do this as follows:
  - For WebSphere: add a new option, serviceAccountName=FNCEWS_cluster01 (substituting your cluster name for cluster01), to the JAAS configuration for KrbServiceLoginModule on each application server.
  - For WebLogic: set the Service Account Name option for the Engine Kerberos Authentication Provider.
- In cases where one client references a server's URL directly and another client could reference the cluster URL of that same server (possible with customized .NET clients), there must be additional SPN mappings to the same identity account. As an example, here is what you would enter for a cluster named cluster01 and the servers within that cluster, myce01 and myce02, all in domain mydom.example.com:
    setspn -a FNCEWS/cluster01 FNCEWS_cluster01
    setspn -a FNCEWS/cluster01.mydom.example.com FNCEWS_cluster01
    setspn -a FNCEWS/myce01 FNCEWS_cluster01
    setspn -a FNCEWS/myce01.mydom.example.com FNCEWS_cluster01
    setspn -a FNCEWS/myce02 FNCEWS_cluster01
    setspn -a FNCEWS/myce02.mydom.example.com FNCEWS_cluster01
Remember the following:
- All the SPNs must map to the same identity account (FNCEWS_cluster01 in the example above).
- All the clustered servers must have the serviceAccountName=FNCEWS_cluster01 option set in the JAAS configuration, as described above.
- You must set up a keytab entry on each server for the identity account name (FNCEWS_cluster01 in the example).
Finally, it is extremely important that no single SPN be mapped to more than one identity account. For example, the following two setspn commands, even if they were run at different times, would cause unexpected "The network path not found" errors on the clients. Here is an example of a mapping you must not do:
    setspn -a FNCEWS/myce01 FNCEWS_myce01
    setspn -a FNCEWS/myce01 FNCEWS_cluster01
This example has the same SPN, FNCEWS/myce01, mapped to two different identities: FNCEWS_myce01 and FNCEWS_cluster01. Unfortunately, this can happen when you start with a single Content Platform Engine server (mapped to its own server-name identity) and later expand to a cluster of Content Platform Engine servers. Moreover, there is no way to check for duplicates of this sort in Microsoft's setspn utility.
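As an added example (not part of the IBM documentation), the following Python checker reads a planned list of setspn -a commands like those above and reports any SPN that would end up mapped to more than one identity account, which is exactly the condition this page says setspn itself cannot detect. The input is constructed from the cluster commands on this page plus the forbidden FNCEWS_myce01 mapping; run it against your own planned command list before executing the commands.

```python
import re
from collections import defaultdict

# Constructed input: the planned cluster mappings from this page, plus the
# forbidden second mapping of FNCEWS/myce01 (a leftover from a single-server
# setup) so that the checker has something to find.
PLANNED_COMMANDS = """
setspn -a FNCEWS/cluster01 FNCEWS_cluster01
setspn -a FNCEWS/cluster01.mydom.example.com FNCEWS_cluster01
setspn -a FNCEWS/myce01 FNCEWS_cluster01
setspn -a FNCEWS/myce01.mydom.example.com FNCEWS_cluster01
setspn -a FNCEWS/myce02 FNCEWS_cluster01
setspn -a FNCEWS/myce02.mydom.example.com FNCEWS_cluster01
setspn -a FNCEWS/myce01 FNCEWS_myce01
"""

# Matches "setspn -a <SPN> <account>"; other setspn switches are ignored.
SETSPN_ADD = re.compile(r"^\s*setspn\s+-a\s+(\S+)\s+(\S+)\s*$", re.IGNORECASE)

def parse_mappings(text):
    """Return a list of (spn, account) pairs from setspn -a command lines.
    SPNs and account names are case-insensitive in Active Directory, so both
    are folded to lower case: a mapping that differs only in case still counts
    as the same SPN."""
    mappings = []
    for line in text.splitlines():
        m = SETSPN_ADD.match(line)
        if m:
            mappings.append((m.group(1).lower(), m.group(2).lower()))
    return mappings

def find_duplicate_spns(mappings):
    """Return {spn: sorted list of accounts} for every SPN that is mapped to
    more than one identity account. An empty dict means the plan is clean."""
    by_spn = defaultdict(set)
    for spn, account in mappings:
        by_spn[spn].add(account)
    return {spn: sorted(accts) for spn, accts in by_spn.items() if len(accts) > 1}

def accounts_for_service(mappings, service_class="fncews"):
    """Return the set of identity accounts used by SPNs of one service class.
    For a correctly configured cluster this set has exactly one member."""
    return {acct for spn, acct in mappings if spn.split("/", 1)[0] == service_class}

if __name__ == "__main__":
    maps = parse_mappings(PLANNED_COMMANDS)
    for spn, accts in find_duplicate_spns(maps).items():
        print(f"DUPLICATE: {spn} -> {', '.join(accts)}")
    print("identity accounts in use:", sorted(accounts_for_service(maps)))
```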