Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
active directory - On-prem SF cluster Kerberos security (gMSA) and ServerCertificate

We have created unsecured and certificate-based clusters with success. We are trialing a domain-secured cluster by making the node-to-node communication use a gMSA. The cluster configuration snippet below shows the problematic portion:

"security": {
    "ClusterCredentialType": "Windows",
    "ServerCredentialType": "Windows",
    "WindowsIdentities": {
        "ClustergMSAIdentity": "{{ env_domain }}\\{{ cluster_gmsa_identity }}",
        "ClusterSPN": "{{ cluster_gmsa_spn }}",
        "ClientIdentities": [
            {
                "Identity": "{{ env_domain_short }}\\ServiceFabricAdmins",
                "IsAdmin": true
            },
            {
                "Identity": "{{ env_domain_short }}\\ServiceFabricReadOnly",
                "IsAdmin": false
            }
        ]
    },
    "CertificateInformation": {
        "ServerCertificate": {
            "Thumbprint": "{{ primary_server_certificate_thumbprint }}",
            "X509StoreName": "My"
        },
        "ReverseProxyCertificate": {
            "Thumbprint": "{{ primary_server_certificate_thumbprint }}",
            "X509StoreName": "My"
        }
    }
}

If we supply the ServerCertificate property as shown above, the cluster creation process throws many exceptions (none of which seem to point to certificate config issues). If I remove the ServerCertificate section (but keep the reverse proxy certificate), the cluster creation process succeeds.

I want the ServerCertificate there to secure the HTTP communication channel for the management endpoints. A few points to consider:

  1. The certificate referenced in the ServerCertificate property was used with success for our Certificate secured Cluster.
  2. The gMSA has ACL read permissions for the private key in the certificate store.
  3. The OS the Nodes are running on is Windows 2016 1709 (build 16299.334)

In order to get the cluster up and running correctly though I had to place the gMSA account in the local Administrators group (which seems wrong!!) as mentioned here.

Any thoughts would be greatly appreciated.
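Point 2 above (the gMSA's read access to the private key) is the kind of thing worth verifying on every node rather than assuming. The script below is an added example, not code from the original post: it locates the key file behind a LocalMachine\My thumbprint, reports whether the gMSA holds an Allow ACE with at least Read on it, and with -Grant adds one. The thumbprint and the account CONTOSO\sfcluster$ are placeholders, not values from the page.

```powershell
# Added example (not from the original question). Verifies that a gMSA can read the
# private key behind a LocalMachine\My certificate and, with -Grant, adds a Read ACE
# on the key file if it is missing. Run from an elevated PowerShell on each node.
# Placeholders, not values from the page: the thumbprint and CONTOSO\sfcluster$.
param(
    [string]$Thumbprint = '76AABBCCDDEEFF00112233445566778899AABBCC',  # placeholder thumbprint
    [string]$Account    = 'CONTOSO\sfcluster$',                         # placeholder gMSA (note the trailing $)
    [switch]$Grant
)

$cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
if (-not $cert.HasPrivateKey) {
    throw "Certificate $Thumbprint has no private key in LocalMachine\My"
}

# Machine keys are plain files under %ProgramData%\Microsoft\Crypto. CNG (KSP) keys
# and legacy CSP keys expose their container name through different properties.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $keyName = $rsa.Key.UniqueName                                # ...\Crypto\Keys\<name>
} elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $keyName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName    # ...\Crypto\RSA\MachineKeys\<name>
} else {
    throw 'Only RSA private keys are handled by this example'
}

$keyFile = Get-ChildItem -Path "$env:ProgramData\Microsoft\Crypto" -Recurse -File -Filter $keyName -ErrorAction SilentlyContinue |
    Select-Object -First 1
if (-not $keyFile) {
    throw "Key container '$keyName' not found under $env:ProgramData\Microsoft\Crypto"
}

# The service only needs to read the key: look for an Allow ACE that carries at least Read.
$read = [System.Security.AccessControl.FileSystemRights]::Read
$acl  = Get-Acl -Path $keyFile.FullName
$hasRead = @($acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -ieq $Account -and
    (($_.FileSystemRights -band $read) -eq $read)
}).Count -gt 0

Write-Host "Key file : $($keyFile.FullName)"
Write-Host "Read ACE : $(if ($hasRead) { 'present' } else { 'MISSING' }) for $Account"
$acl.Access | Select-Object IdentityReference, FileSystemRights, AccessControlType | Format-Table -AutoSize

if (-not $hasRead -and $Grant) {
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Account, $read, ([System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyFile.FullName -AclObject $acl
    Write-Host "Granted Read on the key file to $Account"
}
```

Run it once without -Grant to see the full ACL of the key file, and compare it with what the local Administrators group gets; the difference between the two ACLs is the first place to look when a service only works after the account is made a local administrator. Before any of this matters, Test-ADServiceAccount (RSAT ActiveDirectory module) should return True on the node, otherwise the host cannot retrieve the gMSA password at all.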


1 Reply


gMSA and Administrators group

You can try to give it some permissions, such as:

  1. Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Log on as a service

  2. Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Log on as a batch job

through the Local Policy Editor. If you look at these groups you'll see the Administrators group is already included in these local groups, and the Users group (as a gMSA is a usual account) is not. So if you include the gMSA in these local groups, that account will get permission to run as a service (Service Fabric looks like a service itself).

Config for certificate (login to portal) + gMSA (server):

{
    "name": "yosfcl",
    "clusterConfigurationVersion": "1.0.1",
    "apiVersion": "10-2017",
    "nodes": [
        {
            "NodeName": "yv1-sf",
            "NodeTypeRef": "NodeType0",
            "IPAddress": "yv1-sf",
            "FaultDomain": "fd:/dc1/r1",
            "UpgradeDomain": "UD1"
        },
        {
            "NodeName": "yv2-sf",
            "NodeTypeRef": "NodeType0",
            "IPAddress": "yv2-sf",
            "FaultDomain": "fd:/dc1/r2",
            "UpgradeDomain": "UD2"
        },
        {
            "NodeName": "yv3-sf",
            "NodeTypeRef": "NodeType0",
            "IPAddress": "yv3-sf",
            "FaultDomain": "fd:/dc1/r3",
            "UpgradeDomain": "UD3"
        }
    ],
    "properties": {
        "diagnosticsStore": {
            "metadata": "Please replace the diagnostics file share with an actual file share accessible from all cluster machines. For example, \\\\machine1\\DiagnosticsStore.",
            "dataDeletionAgeInDays": "21",
            "storeType": "FileShare",
            "connectionstring": "c:\\ProgramData\\SF\\DiagnosticsStore"
        },
        "reverseProxyCertificate": {
            "thumbprint": "[parameters('76************************8A2')]",
            "x509StoreName": "[parameters('My')]"
        },
        "security": {
            "ClusterCredentialType": "Windows",
            "ServerCredentialType": "X509",
            "WindowsIdentities": {
                "ClustergMSAIdentity": "gmsaSF@domain.lan",
                "ClusterSPN": "http/yosfcl.domain.lan",
                "ClientIdentities": [
                    {
                        "Identity": "domain\\my.name",
                        "IsAdmin": true
                    }
                ]
            },
            "CertificateInformation": {
                "ServerCertificate": {
                    "Thumbprint": "76***********************************8A2",
                    "X509StoreName": "My"
                },
                "ReverseProxyCertificate": {
                    "Thumbprint": "76*************************************48A2",
                    "X509StoreName": "My"
                },
                "ClientCertificateThumbprints": [
                    {
                        "CertificateThumbprint": "94***********************************2D",
                        "IsAdmin": true
                    }
                ]
            }
        },
        "nodeTypes": [
            {
                "name": "NodeType0",
                "clientConnectionEndpointPort": "19000",
                "clusterConnectionEndpointPort": "19001",
                "leaseDriverEndpointPort": "19002",
                "serviceConnectionEndpointPort": "19003",
                "httpGatewayEndpointPort": "19080",
                "reverseProxyEndpointPort": "19081",
                "applicationPorts": {
                    "startPort": "20001",
                    "endPort": "20500"
                },
                "ephemeralPorts": {
                    "startPort": "20501",
                    "endPort": "20700"
                },
                "isPrimary": true
            }
        ],
        "fabricSettings": [
            {
                "name": "Setup",
                "parameters": [
                    {
                        "name": "FabricDataRoot",
                        "value": "D:\\SF"
                    },
                    {
                        "name": "FabricLogRoot",
                        "value": "D:\\SF\\Logs"
                    }
                ]
            },
            {
                "name": "ApplicationGateway/Http",
                "parameters": [
                    {
                        "name": "SecureOnlyMode",
                        "value": "true"
                    },
                    {
                        "name": "ApplicationCertificateValidationPolicy",
                        "value": "None"
                    }
                ]
            }
        ]
    }
}
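The answer above points at two user rights, Log on as a service (SeServiceLogonRight) and Log on as a batch job (SeBatchLogonRight), as an alternative to local Administrators membership. The script below is an added example, not the answerer's code: it grants those rights to an account with the built-in secedit.exe export/configure round trip, so it can be run unattended on every node instead of through the Local Policy Editor. The account CONTOSO\sfcluster$ is a placeholder, not a value from the page.

```powershell
# Added example (not from the original answer). Grants an account the user rights the
# answer names, SeServiceLogonRight ("Log on as a service") and SeBatchLogonRight
# ("Log on as a batch job"), without adding it to local Administrators. Uses the
# built-in secedit.exe export/configure round trip; run elevated on each node.
# Placeholder, not a value from the page: CONTOSO\sfcluster$.
param(
    [string]$Account  = 'CONTOSO\sfcluster$',
    [string[]]$Rights = @('SeServiceLogonRight', 'SeBatchLogonRight')
)

# secedit stores principals as *<SID>; resolve the name once so the edit is unambiguous.
$nt  = New-Object System.Security.Principal.NTAccount($Account)
$sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
$sidPattern = "\*$([regex]::Escape($sid))(,|\s*$)"   # the SID as a whole list entry

$work = Join-Path $env:TEMP ("userrights-" + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $work | Out-Null
$cfg = Join-Path $work 'rights.inf'
$db  = Join-Path $work 'rights.sdb'
$log = Join-Path $work 'secedit.log'

# 1. Export the current User Rights Assignment (UTF-16 INI file, [Privilege Rights] section).
& secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit /export failed with exit code $LASTEXITCODE" }
$lines = New-Object System.Collections.Generic.List[string]
Get-Content -Path $cfg | ForEach-Object { $lines.Add($_) }

# 2. Append *<SID> to each right, or create the line if nobody holds that right yet.
$changed = $false
foreach ($right in $Rights) {
    $idx = -1
    for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($lines[$i] -match "^\s*$right\s*=") { $idx = $i; break }
    }
    if ($idx -ge 0) {
        if ($lines[$idx] -match $sidPattern) { continue }          # already granted
        if ($lines[$idx] -match '=\s*$') { $lines[$idx] = "$right = *$sid" }
        else { $lines[$idx] = $lines[$idx].TrimEnd() + ",*$sid" }
    } else {
        $hdr = $lines.IndexOf('[Privilege Rights]')
        if ($hdr -lt 0) { $lines.Add('[Privilege Rights]'); $hdr = $lines.Count - 1 }
        $lines.Insert($hdr + 1, "$right = *$sid")
    }
    $changed = $true
}

# 3. Apply. The .sdb is only secedit's working database; the result lands in local policy.
if ($changed) {
    Set-Content -Path $cfg -Value $lines -Encoding Unicode
    & secedit.exe /configure /db $db /cfg $cfg /areas USER_RIGHTS /log $log /quiet | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit /configure failed with exit code $LASTEXITCODE; see $log" }
}

# 4. Re-export and verify each right now lists the SID.
& secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
$after = Get-Content -Path $cfg
foreach ($right in $Rights) {
    $line = $after | Where-Object { $_ -match "^\s*$right\s*=" } | Select-Object -First 1
    $ok = $line -and ($line -match $sidPattern)
    '{0,-20} {1}' -f $right, $(if ($ok) { 'granted' } else { 'MISSING' })
}
Remove-Item -Path $work -Recurse -Force
```

Two caveats apply. If a domain GPO defines either of these rights, it overwrites the local assignment at the next policy refresh, so the grant belongs in that GPO rather than on the node. And a user right only lets the account start as a service or batch job; it does not give it read access to the certificate's private key, which is a separate ACL on the key file.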
