Make sure you have the following prerequisites to successfully configure Kerberos authentication for ScaleArc in active-passive mode using Elastic Load Balancer (ELB):
- Two AMI instances launched with ScaleArc image
- AD/KDC, DNS, and SQL servers
- AWS instances setup in a single domain
- AD, KDC, DNS (with reverse lookup) and NTP servers configured
Configuration can broadly split into the following steps:
- Configure ScaleArc in Active-Passive HA
- Configure ScaleArc for Kerberos
- Configure AWS Elastic Load Balancer (ELB) for ScaleArc HA
- Configure Service Principal Name (SPN) for created ELB
The following section discusses each step in detail.
Step 1: Configuring ScaleArc in Active-Passive HA
The following KB article: https://support.scalearc.com/kb/articles/2388-info outlines the steps for configuring ScaleArc in Active-Passive HA
Step 2: Configuring ScaleArc for Kerberos
The following page in the administrator’s guide outlines the steps for configuring ScaleArc for Kerberos: Create a Kerberized cluster.
Step 3: Configuring AWS Elastic Load Balancer with ScaleArc HA
The following KB article: https://support.scalearc.com/kb/articles/2230-aws-elb-with-active-active-and-active-standby-scalearc outlines the steps for configuring AWS ELB with ScaleArc HA
Step 4: Configuring Service Principal Name (SPN) for created ELB
- Apart from the DNS name, ELB will have two Internal IP's mapped through which traffic will be sent to ScaleArc clusters. These internal IP's can be obtained by configuring ELB health check to 1433 (so traffic will be sent to cluster and internal IP's can be noted from ScaleArc's query logs). Make a note of the IPs and then revert ELB health check port back to the original.
- Create single DNS hostname with reverse lookup entries for two ELB Internal IP's. This is important so that a single DNS hostname resolves both of the IP's.
- Register Service Principal Name (SPN) for ELB internal DNS for MSSQLSvc on AD for Active node of ScaleArc machine account (ScaleArc node from which AD join is performed).
- If traffic needs to be sent using ELB external DNS, register Service Principal Name (SPN) for ELB external DNS for MSSQLSvc on AD for active node of ScaleArc machine account (ScaleArc node from which AD join is performed).
Once the SPN is registered to send Kerberos auth traffic through ELB using internal DNS or external DNS, perform ScaleArc HA switchover/failover. Kerberos traffic should be successful as other ScaleArc node will be promoted as active node.
If more than one cluster needs to be configured using a different port (1436) the steps below should be repeated.
1. SPN Registration to create Kerberos Cluster
- Register SPN for MSSQLSvc with desired port (1436)
- Create Kerberos cluster on ScaleArc Active node
- Configuring AWS Elastic Load Balancer (ELB) for ScaleArc HA
Add Listener configuration: Select protocol as TCP, Load Balancer Port as 1436, Instance Protocol as TCP and Instance Port as 1436
- Configuring Service Principal Name (SPN) for created ELB for required port.
Register SPN for internal & external ELB with 1436 port.
Note: In case of active-passive HA on cloud (configured will ALL IP), user is recommended to perform Kerberos related operations from ScaleArc node on which AD join is performed. For example, Kerberised cluster creation and Kerberos auth flag change.