
KB-1685: Configure Centrify DirectControl for cluster environment

Authentication Service

29 June,18 at 09:17 PM


Nowadays cluster configurations are becoming more popular in enterprise environments. Does Centrify Suite support a cluster environment? How can I configure it?


Yes, Centrify DirectControl supports a cluster environment. Some extra steps must be performed manually so that the DirectControl agents work in a cluster. Here is an example of setting up a DirectControl agent to work on a clustered web server.

Environment information:
Web Server: web.test.lab
Nodes of the cluster: node1.test.lab, node2.test.lab

Each node of the cluster has already joined the domain as usual.
  1. We need to add the necessary SPNs to the service account web.test.lab, then use adkeytab to adopt it (to get a keytab file) and merge it into the node1.test.lab and node2.test.lab keytabs. (The example in this KB shows how to configure this with an Apache web server.)
  2. Ask an AD administrator to add the following SPNs to the service account web:
Bring up ADSIedit -> Locate the target computer object -> Right-click and select Properties.
Search for the attribute: servicePrincipalName
Add the following values to it:
  3. Create the keytab file for the service account:
Log on to node1.test.lab as root.
Run: adkeytab -A -u <authorized ad user> -K /etc/krb5/web.keytab web
You can verify the keytab with:
/usr/share/centrifydc/kerberos/bin/klist -kt /etc/krb5/web.keytab  (you should see the 4 SPNs created in step 1 listed).
  4. Merge the keytab file into the node's keytab:
Log on to node1.test.lab as root and run the following commands
(in subcommands, do):
rkt /etc/krb5/krb5.keytab
rkt /etc/krb5/web.keytab
wkt /etc/krb5/
  5. Run: /usr/share/centrifydc/kerberos/bin/klist -kt /etc/krb5/ -> you should now see the SPNs for node1.test.lab as well as web in the list.
  6. Replace the keytab file on the node:
cd /etc/krb5
stop httpd
stop adclient
mv krb5.keytab (save the original keytab for backup purposes)
mv krb5.keytab
start adclient
start httpd
  7. Copy the service account keytab (web.keytab) to node2.test.lab.
  8. Repeat steps 4-6 on node2.test.lab.
  9. Test with a browser on Windows.
Changing the computer password of the service account will cause authentication failure. In this case, perform steps 3-6 again to update the keytab file.
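As an added example (not part of the KB or of Centrify's own tooling), the script below checks a `klist -kt` listing for the principals a merged node keytab must contain after step 5, and reads back the KVNO stored for a principal so it can be compared with what the KDC currently issues after a service account password change. The realm TEST.LAB and the sample listing are constructed.

```shell
#!/bin/sh
# Added example, not part of the KB: sanity-check a merged keytab listing
# after step 5 (host SPNs for the node plus HTTP SPNs for the web service)
# and read back the KVNO stored for a principal, which goes stale after the
# service account password changes (the failure the KB describes).
# Assumptions: MIT-style `klist -kt` output; realm TEST.LAB and the sample
# listing below are constructed, not taken from a real node.

# Constructed sample of `klist -kt /etc/krb5/krb5.keytab` on node1 after merging.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 06/29/18 09:17:00 host/node1.test.lab@TEST.LAB
   2 06/29/18 09:17:00 host/NODE1@TEST.LAB
   5 06/29/18 09:17:00 HTTP/web.test.lab@TEST.LAB
   5 06/29/18 09:17:00 HTTP/web@TEST.LAB'

# check_keytab LISTING PRINCIPAL...: print each required principal that is
# absent from LISTING; exit status 0 only when all of them are present.
check_keytab() {
  listing=$1
  shift
  rc=0
  for want in "$@"; do
    if ! printf '%s\n' "$listing" |
         awk -v want="$want" '$NF == want { found = 1 } END { exit !found }'; then
      echo "MISSING: $want"
      rc=1
    fi
  done
  return "$rc"
}

# keytab_kvno LISTING PRINCIPAL: print the highest KVNO stored for PRINCIPAL
# (0 if absent). Compare it with the KVNO the KDC reports; a lower value in
# the keytab means steps 3-6 must be repeated.
keytab_kvno() {
  printf '%s\n' "$1" |
    awk -v want="$2" '$NF == want && $1 + 0 > max { max = $1 + 0 } END { print max + 0 }'
}

# Usage on a live node: replace SAMPLE_KLIST with
#   "$(/usr/share/centrifydc/kerberos/bin/klist -kt /etc/krb5/krb5.keytab)"
check_keytab "$SAMPLE_KLIST" \
  host/node1.test.lab@TEST.LAB HTTP/web.test.lab@TEST.LAB HTTP/web@TEST.LAB \
  && echo "keytab OK, HTTP/web.test.lab KVNO=$(keytab_kvno "$SAMPLE_KLIST" HTTP/web.test.lab@TEST.LAB)"
```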