PowerScale: OneFS: How to create SPN accounts to allow Kerberos authentication using SmartConnect DNS entries

Summary: Article on how to create SPN accounts to allow Kerberos authentication using SmartConnect DNS entries.

This article is not tied to any specific product. Not all product versions are identified in this article.

Instructions

Introduction

To connect to a cluster by name without being prompted for a username and password in an Active Directory-based environment, the client must authenticate with Kerberos.

When a client authenticates to the cluster with Kerberos, it asks the domain controller for a service ticket for the service principal name (SPN) that matches the DNS name it used to connect, for example cifs/dnsnl.domain.local. By default, only SPNs for the cluster's own computer account name are registered in Active Directory. If the client connects through a SmartConnect DNS name that has no matching SPN, the domain controller cannot issue a ticket for that name, Kerberos authentication fails, and the client typically either falls back to a weaker method such as NTLM or prompts the user to reenter their username and password.

Procedure

To allow Kerberos authentication against more than one DNS name, you must register additional SPNs (service principal names) for the cluster computer account in the Active Directory domain. You can do this using the isi auth command. This operation is not performed automatically because it requires an account with administrative rights in the Active Directory domain: the cluster's own computer account is normally permitted to write only SPNs that match its own host name.

For each DNS name, two SPN entries must be created: one for the cifs service class and one for the host service class.

To register SPN accounts:

  1. Run the following command from the command line to list the SmartConnect zones that are configured on the cluster (on OneFS 8.0 and later, the equivalent command is isi network pools list):
    isi networks list pools
  2. Run the following command to list the SPN names that are registered, replacing <DNS domain> with the fully qualified domain name of the DNS domain:
    isi auth ads spn list --domain=<DNS domain>
  3. Compare the list of SmartConnect zones with the list of SPNs to determine which SPNs must be registered.
     

    For example, if you have a SmartConnect zone named dnsnl.domain.local, check the SPN list for entries for that DNS name. Each DNS name that clients use to reach the cluster needs two entries, cifs/<name> and host/<name>. A client requests a ticket for exactly the name it was given, so if users also connect by a short name such as dnsnl, that short name needs its own pair of entries as well.

  4. If the required SPN entries do not exist, run the following commands to add them, where <Administrator> is a user account that has administrative rights to the domain, <cluster.domain.local> is the DNS name used to connect to the cluster, and <domain name> is the fully qualified name of the Active Directory domain:
    isi auth ads spn create --user=<Administrator> --spn=cifs/<cluster.domain.local> --domain=<domain name>
    isi auth ads spn create --user=<Administrator> --spn=host/<cluster.domain.local> --domain=<domain name>

     

    IMPORTANT!
    You must specify an AD administrator username when adding the SPNs. Without it, the modification is attempted without sufficient rights on the computer account and fails with the following error:

    LdapError: Failed to modify attribute[19]

    After you run the command, you will be prompted to enter the administrator password.

  5. Run the following command to confirm that the SPN accounts you created are now listed:
    isi auth ads spn list --domain=<DNS domain>
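The comparison in step 3 is easy to get wrong by hand when a cluster has many SmartConnect zones. The following script is an added example and is not part of the Dell article or OneFS: it takes a constructed list of zone names (standing in for the output of isi networks list pools) and a constructed list of SPNs already registered (standing in for the output of isi auth ads spn list), prints the cifs/ and host/ entries that are still missing, and generates the matching isi auth ads spn create commands from step 4. The zone names, the administrator account name and the domain name are sample values.

```shell
#!/bin/sh
# Added example, not code from the Dell article or from OneFS.
# Finds SmartConnect zone names without cifs/ and host/ SPNs and prints the
# isi commands needed to register them.

# Constructed sample data: SmartConnect zone FQDNs from the pool listing.
ZONES='dnsnl.domain.local
dnsnfs.domain.local
cluster.domain.local'

# Constructed sample data: SPNs already on the cluster computer account.
# By default only the cluster's own name (short and FQDN) is registered.
EXISTING_SPNS='cifs/cluster.domain.local
host/cluster.domain.local
cifs/cluster
host/cluster'

# has_spn SPN -> returns 0 if SPN is already registered (case-insensitive).
has_spn() {
    wanted=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    printf '%s\n' "$EXISTING_SPNS" | tr 'A-Z' 'a-z' | grep -qxF "$wanted"
}

# missing_spns -> prints one line per SPN (cifs/<zone>, host/<zone>) that
# every zone needs but that is not yet registered.
missing_spns() {
    printf '%s\n' "$ZONES" | while IFS= read -r zone; do
        [ -n "$zone" ] || continue
        for svc in cifs host; do
            spn="$svc/$zone"
            has_spn "$spn" || printf '%s\n' "$spn"
        done
    done
}

# spn_create_commands ADMIN DOMAIN -> the step 4 command for each missing SPN.
# Each command prompts for the administrator password when run on the cluster.
spn_create_commands() {
    missing_spns | while IFS= read -r spn; do
        printf 'isi auth ads spn create --user=%s --spn=%s --domain=%s\n' \
            "$1" "$spn" "$2"
    done
}

# Sample run: Administrator and domain.local are placeholder values.
spn_create_commands Administrator domain.local
```

With the sample data above, the cluster's own name is already covered, so the script emits four create commands, two for dnsnl.domain.local and two for dnsnfs.domain.local. To confirm the fix end to end from a domain-joined client (an added check, not from the article), request a service ticket for the zone name, for example klist get cifs/dnsnl.domain.local on Windows or kvno cifs/dnsnl.domain.local with MIT Kerberos; the domain controller issues the ticket only once the SPN exists.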

Additional Information

You can also remove existing SPN accounts using the isi auth command.

To remove SPN accounts, run the following commands, replacing <Administrator> with a user account that has administrative rights to the domain and <cluster.domain.local> with the DNS name whose SPN entries you want to remove:

isi auth ads spn delete --user=<Administrator> --spn=cifs/<cluster.domain.local>
isi auth ads spn delete --user=<Administrator> --spn=host/<cluster.domain.local>

 

Affected Products

Isilon

Products

Isilon, PowerScale OneFS
Article Properties
Article Number: 000022042
Article Type: How To
Last Modified: 28 Nov 2025
Version:  6