The Single Sign-On feature allows Veritas Cluster Server (VCS) to take advantage of user accounts that exist in Active Directory, rather than relying on VCS user accounts from the main.cf configuration file.
Users from Active Directory (AD) who are assigned a role (such as Group Operator or Cluster Guest) can log in to the VCS Java GUI using their Active Directory account details.
Single Sign-On (SSO) relies on Veritas Authentication Services (VxAT or VxSS), which is installed as part of a standard VCS installation.
To configure an existing cluster to use Single Sign-On, run the VCS Configuration Wizard: from an Admin command prompt, run "vcw" (without the quotes) to launch the wizard. For more information on using the VCS Configuration Wizard, see the Veritas Cluster Server Administrator's Guide available at
https://sort.veritas.com/documents
Once Single Sign-On is enabled, use the following process to add users from Active Directory:
1. Log in to the VCS Java GUI using an Active Directory account that is a member of the Local Administrators group.
NOTE: The members of the local Administrators group are granted permissions to VCS that exceed the Cluster Administrator role, for example, the ability to start or stop a cluster. This is true whether or not Single Sign-On is enabled.
2. Click File -> User Manager
3. In the User Manager, click New User
4. Add a user account that exists in Active Directory and use the format USERLOGONNAME@NETBIOSDOMAINNAME.
For example, if a user called John Smith has an account "jsmith" in the "internal.example.com" domain, add the user in this form: JSMITH@INTERNAL
5. Select one or more roles for the user.
6. Exit User Manager, save and close the cluster configuration.
Note: The format of the user account is important. If a user is specified using the fully qualified domain name, the roles assigned to the user will be ignored and the user will only ever be granted Cluster Guest (read-only) access.
For example, if JSMITH@INTERNAL.EXAMPLE.COM were added, the John Smith user would only ever be granted Cluster Guest access.
If the account is not specified in upper case letters, then roles other than Cluster Administrator will be ignored.
For example, if jsmith@internal were added as a Group Administrator, the user would only be granted Cluster Guest access. If the same user were added as a Cluster Administrator, the user would be granted Cluster Administrator access.
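The formatting rules above can be checked before entries are typed into User Manager. The following Python sketch is an added example, not Veritas code: it predicts the access each planned entry would receive and reports entries whose effective role differs from the assigned one. The function names, the sample list, the treatment of a dot in the domain part as a fully qualified domain name, and the evaluation of the FQDN rule before the case rule are assumptions.

```python
# Added example: predicts effective VCS access from the formatting rules in this article.
GUEST = "Cluster Guest"
ADMIN = "Cluster Administrator"


def effective_role(entry, assigned_role):
    """Return (effective_role, reason) for a planned User Manager entry."""
    user, sep, domain = entry.partition("@")
    if not sep or not user or not domain:
        return None, "not in USERLOGONNAME@NETBIOSDOMAINNAME form"
    # Assumption: a dot in the domain part means a fully qualified domain name.
    # Assumption: this rule is evaluated before the upper-case rule.
    if "." in domain:
        return GUEST, "fully qualified domain name: assigned roles are ignored"
    if entry != entry.upper():
        if assigned_role == ADMIN:
            return ADMIN, "not upper case, but Cluster Administrator is still granted"
        return GUEST, "not upper case: roles other than Cluster Administrator are ignored"
    return assigned_role, "ok"


def audit(entries):
    """Return the entries whose effective role differs from the assigned role."""
    findings = []
    for entry, assigned in entries:
        effective, reason = effective_role(entry, assigned)
        if effective != assigned:
            findings.append((entry, assigned, effective, reason))
    return findings


# Constructed sample input, built from the article's own examples.
PLANNED = [
    ("JSMITH@INTERNAL", "Group Operator"),
    ("JSMITH@INTERNAL.EXAMPLE.COM", "Group Operator"),
    ("jsmith@internal", "Group Administrator"),
    ("jsmith@internal", "Cluster Administrator"),
]

if __name__ == "__main__":
    for entry, assigned, effective, reason in audit(PLANNED):
        print(f"{entry}: assigned {assigned!r}, effective {effective!r} ({reason})")
```

Entries the audit reports would leave the user with read-only access instead of the intended role, so correct them to the upper-case NetBIOS form before saving the cluster configuration.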