Acronis Files Connect (formerly ExtremeZ-IP) introduces changes to the registration of service principal names (SPNs) in cluster environments. These changes can affect clients connecting to Acronis Files Connect using Kerberos authentication.
Prior to version 5.2, Acronis Files Connect would register the SPN against the individual cluster node. In 5.2, this behavior was modified so that registration is performed against the cluster object. For example, the following setup:
Cluster object: CLUSTER01
Node 1: NODE01
Node 2: NODE02
would yield the following SPNs on NODE01:
5.1 and earlier: afpserver/NODE01.example.com
5.2 and later: afpserver/CLUSTER01.example.com
Additionally, starting with Acronis Files Connect 7.0.1, we also register the SPN short name. For this example, we register:
Short name: afpserver/CLUSTER01
Long name: afpserver/CLUSTER01.example.com
These changes allow Macintosh clients to see the same SPN even after cluster failover. Previously, clients would see a new SPN after failover, since the registration would be against the second node of the cluster.
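The following PowerShell check is an added example and is not part of the Acronis article or product. It confirms that the short and long afpserver SPNs described above are registered on the cluster object (and on no other account in the domain), and reports any afpserver SPN left on an individual node, which indicates that the older per-node registration is still in effect. It assumes the ActiveDirectory module (RSAT) is available; CLUSTER01, NODE01, NODE02 and example.com are the article's placeholder names.

```powershell
# Added example (not from the Acronis article): verify afpserver SPN placement.
# Assumes the ActiveDirectory PowerShell module (RSAT) is installed.
Import-Module ActiveDirectory

function Test-FilesConnectSpnRegistration {
    param(
        [Parameter(Mandatory)] [string]   $ClusterName,   # e.g. CLUSTER01
        [Parameter(Mandatory)] [string[]] $NodeNames,     # e.g. NODE01, NODE02
        [Parameter(Mandatory)] [string]   $DnsSuffix      # e.g. example.com
    )

    # 7.0.1 and later register both the short and the long SPN on the cluster object.
    $expected = @("afpserver/$ClusterName", "afpserver/$ClusterName.$DnsSuffix")

    $clusterSpns = (Get-ADComputer -Identity $ClusterName -Properties servicePrincipalName).servicePrincipalName

    foreach ($spn in $expected) {
        # Kerberos requires an SPN to map to exactly one account; a duplicate
        # elsewhere in the domain prevents the KDC from issuing a ticket for it.
        $holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)")
        [pscustomobject]@{
            Check  = 'Expected SPN on cluster object'
            Target = $spn
            Status = if ($clusterSpns -contains $spn) { 'present' } else { 'MISSING' }
            Detail = "held by $($holders.Count) object(s): " + (($holders | ForEach-Object Name) -join ', ')
        }
    }

    # An afpserver SPN on a node object means the service fell back to the
    # pre-5.2 per-node registration (typically because the cluster-object
    # registration was not permitted).
    foreach ($node in $NodeNames) {
        $nodeSpns = @((Get-ADComputer -Identity $node -Properties servicePrincipalName).servicePrincipalName |
            Where-Object { $_ -like 'afpserver/*' })
        [pscustomobject]@{
            Check  = 'No per-node afpserver SPN'
            Target = $node
            Status = if ($nodeSpns.Count -eq 0) { 'clean' } else { 'FALLBACK' }
            Detail = $nodeSpns -join ', '
        }
    }
}

# Usage with the article's placeholder names:
Test-FilesConnectSpnRegistration -ClusterName 'CLUSTER01' -NodeNames 'NODE01','NODE02' -DnsSuffix 'example.com' |
    Format-Table -AutoSize
```

Run it after the Acronis Files Connect service has started on the active node. A FALLBACK row together with a MISSING row is the signature of the permission problem addressed in the next section; a "held by 2 object(s)" detail points at a duplicate SPN that must be removed from the other account before Kerberos authentication will work.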
Changes to permissions within Active Directory
Some additional permissions may need to be assigned in Active Directory in order for this new SPN to be registered. By default, individual nodes do not have permission to register an SPN for the cluster object. To make the changes to permissions:
- On the domain controller launch Active Directory Users & Computers.
- Within the view menu enable the "Advanced Features" checkbox.
- Locate the computer object for the cluster virtual server (e.g. CLUSTER01).
- Right-click it, select Properties, then open the Security tab.
- Add the computer object for each node of the cluster (e.g. NODE01). Be sure the "Computers" object type is checked when searching for the computer object, otherwise the node account will not be found.
- For each node added, be sure the following rights are set: "Reset password", "Validated write to DNS Host Name" and "Validated write to service principal name".
Once these changes have been made, the SPN should register properly the next time the Acronis Files Connect service is started. If these permission changes have not been made, Acronis Files Connect will fail to register the SPN against the cluster object and will fall back to the older method of SPN registration (against the individual node).
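The following PowerShell audit is an added example and is not part of the Acronis article. It reads the security descriptor of the cluster computer object and reports, for each node, whether an explicit Allow entry grants the three rights listed in the steps above. It assumes the ActiveDirectory module (RSAT), read access to the object's ACL, and the article's placeholder names CLUSTER01, NODE01 and NODE02. The schema GUIDs are the well-known identifiers of the "Reset password" extended right and the two validated writes.

```powershell
# Added example (not from the Acronis article): audit the cluster object's ACL
# for the rights the article grants to each node's computer account.
Import-Module ActiveDirectory

# Well-known schema GUIDs for the rights named in the steps above.
$RequiredRights = @(
    @{ Name = 'Reset password';                            Guid = [guid]'00299570-246d-11d0-a768-00aa006e0529'; Kind = 'ExtendedRight' }
    @{ Name = 'Validated write to DNS Host Name';          Guid = [guid]'72e39547-7b18-11d1-adef-00c04fd8d5cd'; Kind = 'Self' }
    @{ Name = 'Validated write to service principal name'; Guid = [guid]'f3a64788-5306-11d1-a9c5-0000f80367c1'; Kind = 'Self' }
)

# Resolve an ACE's identity to a SID; returns $null if the name cannot be mapped
# (for example an orphaned entry), so the comparison below simply fails for it.
function ConvertTo-AceSid($identity) {
    try { $identity.Translate([System.Security.Principal.SecurityIdentifier]) } catch { $null }
}

function Test-FilesConnectClusterAcl {
    param(
        [Parameter(Mandatory)] [string]   $ClusterName,   # e.g. CLUSTER01
        [Parameter(Mandatory)] [string[]] $NodeNames      # e.g. NODE01, NODE02
    )
    $cluster = Get-ADComputer -Identity $ClusterName
    # The AD: drive is provided by the ActiveDirectory module.
    $acl = Get-Acl -Path ('AD:\' + $cluster.DistinguishedName)

    foreach ($node in $NodeNames) {
        $nodeSid = (Get-ADComputer -Identity $node).SID.Value
        foreach ($right in $RequiredRights) {
            $kind = [System.DirectoryServices.ActiveDirectoryRights]$right.Kind
            $ace = $acl.Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $_.ObjectType -eq $right.Guid -and
                (($_.ActiveDirectoryRights -band $kind) -eq $kind) -and
                ((ConvertTo-AceSid $_.IdentityReference).Value -eq $nodeSid)
            }
            [pscustomobject]@{
                Node    = $node
                Right   = $right.Name
                Granted = [bool]$ace
            }
        }
    }
}

# Usage with the article's placeholder names:
Test-FilesConnectClusterAcl -ClusterName 'CLUSTER01' -NodeNames 'NODE01','NODE02' |
    Format-Table -AutoSize
```

The check looks for explicit entries granted to the node's own computer account, which is exactly what the steps above create. A right inherited from a parent OU, granted through a group the node belongs to, or covered by a broader entry such as Full Control will show as Granted = False even though registration would succeed, so treat a False result as a prompt to inspect the Security tab rather than as proof that the right is absent.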
In the event that the Active Directory changes described above do not allow Acronis Files Connect to register the SPN against the cluster object, please see the Microsoft Knowledge Base article below for more information.