Summary:
Acronis Files Connect (formerly ExtremeZ-IP) can register service principal names (SPNs) in cluster environments when Kerberos login support is enabled. These changes can effect clients connecting to Acronis Files Connect using Kerberos authentication.
Description:
Acronis Files Connect will register SPNs against the role object. For example, when using local SYSTEM as the File Connect service account, the following setup:
Role object: ROLE01
Node 1: NODE01
Node 2: NODE02
domain: example.com
would yield the following SPNs on the ROLE01 object:
afpserver/ROLE01
afpserver/ROLE01.example.com
Changes to permissions within Active Directory
Some additional permissions may need to be assigned in Active Directory in order for this new SPN to be registered. By default, individual nodes do not have permission to register an SPN for the cluster object. To make the changes to permissions:
- On the domain controller launch Active Directory Users & Computers.
- Within the view menu enable the "Advanced Features" checkbox.
- Locate the computer object for the cluster virtual server (e.g ROLE01).
- Right click it and select properties, then go to security tab.
- Add the computer object for each node of the cluster, e.g. NODE01. Be sure you have the "computers" category checked when searching for the computer object.
- For each node added be sure the following rights are set: "Reset password", "Validated write to DNS Host Name" and "Validated write to service principal name".
Once these changes have been made, the SPNs should properly register the next time the Acronis Files Connect service is started. In the event that these permissions changes have not been made, Acronis Files Connect will fail to register the SPNs and Kerberos support will not work as expected.
In the event that the Active Directory changes described above do not allow Acronis Files Connect to register the SPN against the role object, please see the Microsoft Knowledge Base article below for more information.