Centrify

Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-1685: Configure Centrify DirectControl for cluster environment

Authentication Service ,  

29 June,18 at 09:17 PM

Questions:

Nowadays cluster configuration become more popular in enterprise environment. Does Centrify Suite support cluster environment? How can I configure it?

Answer:

Yes, Centrify DirectControl supports a cluster environment. We need to manually perform some extra steps in order to make the DirectControl agents work in a cluster. Here is an example of setting a DirectControl agent to work on a cluster web server.

Environment information:
Web Server: web.test.lab
Node of cluster: node1.test.lab, node2.test.lab

Assumption:
Each node of cluster already joined to domain as usual.
  1. We need to add the necessary SPN to the service account web.test.lab then use adkeytab to adopt it (to get keytab file), and merge it into node1.test.lab  and node2.test.lab keytab . (The example in this KB is showing how to config with an Apache web server).
  2. Ask an AD administrator to add the following SPN into service account web: 
Bring up ADSIedit -> Locate the target computer object -> Right-click and select Properties.
Search the attribute: servicePrincipalName
Add following value in it:
http/web 
http/web.test.lab 
host/web 
host/web.test.lab 
  1. Creating keytab file for the service account:
Log on node1.test.lab as root 
Run: adkeytab -A -u <authorzied ad user> -K /etc/krb5/web.keytab web
You can verify the keytab by:
/usr/share/centrifydc/kerberos/bin/klist -kt /etc/krb5/web.keytab  (you should see 4 SPN created in step1 are listed). 
  1. Merge the keytab file to node of cluster:
Log on node1.test.lab, as root, run following commands:
/usr/bin/ktutil 
(in subcommands, do) 
rkt /etc/krb5/krb5.keytab 
rkt /etc/krb5/web.keytab 
wkt /etc/krb5/krb5.keytab.new 
  1. Run: /usr/share/centrifydc/kerberos/bin/klist -kt /etc/krb5/krb5.keytab.new -> you should now see SPN for node1.test.lab as well as web in the list. 
  2. Replace the keytab file to the node:
start httpd
start adclient 
mv krb5.keytab.new krb5.keytab 
mv krb5.keytab krb5.keytab.save (save the original keytab for back up purpose) 
cd /etc/krb5 
stop adclient 
stop httpd 
  1. Copy service account keytab - web.keytab to node2.test.lab. 
  2. Repeat step 4-6 on node2.test.lab 
  3. Test with browser on windows. 
Notes:
Changing computer password of service account will cause authentication failure. In this case, please perform step 3-6 to update keytab file.
 

Related Articles

 articleKB-6044: How to configure users for automatic Kerberos Credentials for infinite renewal even after users have logged out? articleKB-2359: How to configure a Kerberos based SSO solution in WebLogic & Oracles Http Server ( OHS) environment? articleKB-6050: How to configure a group for automatic Kerberos Credentials for infinite renewal? articleKB-6041: How to show current license type in use by adclient articleKB-6040: How to change the license type in use after adclient successful joined to the AD? articleKB-20210: Common Questions Regarding Centrify DirectControl and CoreOS articleConfiguring PostgreSQL to work with Centrify DirectControl and Centrify Privilege Service articleKB-6073: How to join the Linux/Unix Centrify Server to Active Directory with specific Computer Role? articleKB-2218: How to force a Centrify DirectControl agent to only use specified domain controllers