Applying Kerberos Authentication in a Clustered Environment

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Carefully plan your use of Kerberos authentication in a server cluster. By default, Kerberos authentication support for the network name resource is turned off. When Kerberos authentication support is enabled, the Cluster service account must be able to create a virtual computer object in Active Directory.

By default, all users have Add workstations to the domain permissions,which allows the creation of computer objects in Active Directory.

Note

  • By default, authenticated users can join up to ten machine accounts to the domain. This limit does not apply to members of the Administrators or Domain Admins groups, and to those users who have delegated permissions on containers in Active Directory to create and delete computer accounts.

If the Add workstations to the domain permission has been removed from the Cluster service account, before enabling Kerberos authentication, a member of the Domain Administrators group must perform one of the following actions:

  • Grant the Cluster service account the Create Computer Objects permission on the Computers organizational unit in Active Directory.

  • Create the computer object manually in Active Directory before enabling Kerberos authentication. If the object is manually created, the Cluster service account must have Write all properties access permission to allow it to manipulate the computer object.

Caution

  • Although the Network Name resource supports the changing of its Name property, many services, such as Message Queuing and Microsoft® SQL Server™ 2000, do not support changing the Network Name resource Name property. Do not change this property unless you fully understand the implications of doing so. In some cases, changing the Network Name resource Name property can lead to loss of data or service failure.

Before you allow clients to access a server cluster, or before failing over the resources to another node, ensure that the domain controllers have replicated newly created computer objects associated with Network Name resources. Until replication is complete, clients might fail to authenticate, or they could authenticate with the default NTLM authentication protocol and not with Kerberos authentication. One way to avoid replication issues with your clients is to not notify clients that the service is available until you are sure replication is complete. The amount of time it takes your directory to replicate information depends on many factors, such as the topology and the amount of network traffic. If you are not sure of the time necessary to allow for replication, replication can be forced with tools such as Ntdsutil.exe. For more information about Ntdsutil.exe, see "Using Ntdsutil" in Help and Support Center for Windows Server 2003.

After you enable Kerberos authentication on a server cluster, do not disable Kerberos authentication on a virtual server without knowing the effects the disabling will have on other services that use that virtual server. Microsoft® Message Queuing (MSMQ), for example, relies on the presence of a virtual computer object and ceases to function if its dependent Network Name resource has Kerberos authentication support disabled.

Use extreme care when you remove Kerberos authentication from a Network Name resource. When you disable Kerberos authentication from a Network Name resource, the computer object is disabled, leaving the system administrator with an explicit decision to delete the computer object. If the object remains in Active Directory, the Network Name resource does not go online. If the computer object is deleted, properties attached by applications that can use Active Directory are also deleted, and the applications might no longer function correctly.

For more information about enabling Kerberos authentication on a virtual server, see "Enable Kerberos authentication for virtual servers" in Help and Support Center for Windows Server 2003, or see articles Q302389, "Description of the Properties of the Cluster Network Name Resource in Windows Server 2003," and Q307532, "How to Troubleshoot the Cluster Service Account When It Modifies Computer Objects," in the Microsoft Knowledge Base. To find these articles, see the Microsoft Knowledge Base link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources.