January 11th, 2016 05:00
SPNs in several Active Directories
Hello all,
I have a new cluster which is the "chosen one" for my first multi-domain setup.
Data:
Authentication Provider:
domain1.local
domain2.local
domain3.local
These domains are separate forests and belong to different customers.
Access zones:
AZ1
AZ2
AZ3
System
SmartConnect zones:
dom1isilon.domain1.local
dom2isilon.domain2.local
dom3isilon.domain3.local
They all form sets:
domain1.local is the authentication provider in AZ1 (and System) and has one pool configured, which has the SmartConnect zone dom1isilon.domain1.local.
Unlike the other domains, domain1.local is the authentication provider for both AZ1 and System.
After setting everything up we discovered that all SmartConnect zone names are listed as SPNs on the computer account in each domain,
so the list in domain1.local looks as follows:
host/dom1isilon
host/dom1isilon.domain1.local
host/dom2isilon
host/dom2isilon.domain2.local
host/dom3isilon
host/dom3isilon.domain3.local
host/system
host/system.domain1.local
host/admin
host/admin.domain1.local
The same list exists in domain2.local and domain3.local.
While I don't have any problems with the short names and long names which belong to domain1.local, I really wonder about the other SPNs, because I don't see the technical reason for them.
So we deleted the SPNs we saw no use for. But now the Isilon reports "missing SPNs" in each domain, listing the SPNs we deleted.
I already contacted Support; they could reproduce the issue in their lab but don't have a solution at the moment.
Maybe anyone here can tell me:
How do I get the Isilon not to miss unused SPNs?
Is there any technical reason that I need the SPNs of "foreign" domains?
Thanks & regards
-- sluetze
Edit: The cluster is running 7.2.1.1.
Stdekart
January 11th, 2016 12:00
sluetze,
Adding the SPNs is automated on domain join.
There is no need to have the unused SPNs; everything will function, as shown by your testing.
The alert is meant to be suggestive, in that "you may have" missing SPNs, even though the wording of the alert is not.
There is no way to get the Isilon cluster to not miss the SPNs; you can quiet the alert so you are not bothered by it, or remove it from the event notification rule.
Shane
sluetze
January 11th, 2016 23:00
Hi Shane,
thanks for the information.
Why does the Isilon not connect the set of SmartConnect zone name, access zone and authentication provider together, so that only the needed SPNs are in the domains? This would make much more sense.
I also thought about this: what if I have joined my Isilon to two different domains of the same forest? I would have duplicate SPNs, wouldn't I? This would make it not work.
If I quiet the events I won't get any notification if one of the SPNs I really need gets lost (e.g. due to mistakes by my admins). Also, the SPNs get moved when you perform a failover, and I would like the Isilon to recognize if that process fails and alert on the mistake. This is not possible when "unused" SPNs have been deleted.
From my personal point of view this is a sloppy implementation and should be fixed, if there is no technical reason for these SPNs.
It is even a security flaw, since I publish information about one of my customers (his hostname, his domain) in the domain of another customer.
Best Regards
-- sluetze
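An added example, not Isilon/OneFS code and not from either poster, that models the mapping sluetze asks for in this post and describes in the first one: access zone to authentication provider to SmartConnect zone names, from which the host/ SPNs each domain's computer account actually needs are derived and diffed against the lists observed on the computer accounts. The observed lists are constructed from the first post; that the system and admin SPNs belong to the System zone, and the forest labels, are assumptions.

```python
"""Audit which host/ SPNs a multi-domain OneFS cluster needs per AD domain.

Added example for this thread, not Isilon/OneFS code. All data is constructed
from the thread; the System-zone assignment and the forest labels are assumed.
"""
from collections import defaultdict

# access zone -> (authentication provider domain, SmartConnect zone FQDNs)
ACCESS_ZONES = {
    "AZ1": ("domain1.local", ["dom1isilon.domain1.local"]),
    "AZ2": ("domain2.local", ["dom2isilon.domain2.local"]),
    "AZ3": ("domain3.local", ["dom3isilon.domain3.local"]),
    # assumption: the remaining domain1 SPNs in the thread belong to System
    "System": ("domain1.local", ["system.domain1.local", "admin.domain1.local"]),
}

# domain -> forest; in the thread each customer domain is its own forest (labels assumed)
FORESTS = {
    "domain1.local": "forest1",
    "domain2.local": "forest2",
    "domain3.local": "forest3",
}


def spns_for_zone(fqdn):
    """One SmartConnect zone name yields a short-name and an FQDN host/ SPN."""
    short = fqdn.split(".", 1)[0]
    return {f"host/{short}", f"host/{fqdn}"}


def expected_spns(access_zones=ACCESS_ZONES):
    """domain -> SPNs its computer account needs: only the zones of the
    access zones that use that domain as their authentication provider."""
    expected = defaultdict(set)
    for provider, zones in access_zones.values():
        for fqdn in zones:
            expected[provider] |= spns_for_zone(fqdn)
    return dict(expected)


def audit(observed, access_zones=ACCESS_ZONES):
    """Per domain: SPNs registered but unused, and SPNs needed but absent.
    A deleted foreign SPN shows up as 'unexpected' nowhere and 'missing' nowhere,
    while a really lost SPN of that domain's own zone shows up as 'missing'."""
    expected = expected_spns(access_zones)
    report = {}
    for domain in sorted(set(observed) | set(expected)):
        have = set(observed.get(domain, ()))
        need = expected.get(domain, set())
        report[domain] = {"unexpected": sorted(have - need), "missing": sorted(need - have)}
    return report


def duplicate_spns(observed, forests=FORESTS):
    """SPNs present on computer accounts in more than one domain of the same forest.
    Kerberos requires an SPN to be unique within a forest, so these break ticket
    issuance; across separate forests the same SPN is only information disclosure."""
    seen = defaultdict(set)  # (forest, spn) -> domains carrying it
    for domain, spns in observed.items():
        for spn in spns:
            seen[(forests[domain], spn)].add(domain)
    return {spn: sorted(domains) for (_, spn), domains in seen.items() if len(domains) > 1}


def observed_from_thread():
    """Constructed observation: every SmartConnect zone was registered in every domain."""
    every = set()
    for _, zones in ACCESS_ZONES.values():
        for fqdn in zones:
            every |= spns_for_zone(fqdn)
    return {domain: sorted(every) for domain in FORESTS}


if __name__ == "__main__":
    obs = observed_from_thread()
    for domain, result in audit(obs).items():
        print(domain, "unused:", result["unexpected"], "missing:", result["missing"])
    # the case raised in the thread: two of the joined domains in one forest
    same_forest = {**FORESTS, "domain3.local": "forest2"}
    print("duplicates within a forest:", duplicate_spns(obs, same_forest))
```

On the AD side the observed lists can be pulled per domain with `setspn -L <computer account>`, and `setspn -X` reports duplicate SPNs forest-wide, which is the case `duplicate_spns` covers: if two of the joined domains shared a forest, every SmartConnect zone SPN would be registered twice in that forest, whereas across separate forests the foreign SPNs merely expose one customer's hostnames and domain to another.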
Stdekart
January 12th, 2016 06:00
Sluetze,
There have been quite a few questions and concerns that have come up regarding this. As it is, this is working as designed and would need an FRE (Feature Request for Enhancement) to have the functionality changed.
Please work with your local team to have this filed.
If there are any other questions or concerns I can address please let me know,
Shane
sluetze
January 12th, 2016 06:00
Shane,
thanks for the reply.
The sentence "works as designed" is one of my most hated.
In my eyes it's more a security bug than a missing feature. But since I can't file any bugs, I'm filing the FRE.
-- sluetze