We have created clusters that are un-secure and certificate based with success. We are trialing a Domain secured cluster by making the node-to-node communication use a gMSA. The below cluster configuration snippet shows the problematic portion:
```json
"security": {
    "ClusterCredentialType": "Windows",
    "ServerCredentialType": "Windows",
    "WindowsIdentities": {
        "ClustergMSAIdentity": "{{ env_domain }}\\{{ cluster_gmsa_identity }}",
        "ClusterSPN": "{{ cluster_gmsa_spn }}",
        "ClientIdentities": [
            {
                "Identity": "{{ env_domain_short }}\\ServiceFabricAdmins",
                "IsAdmin": true
            },
            {
                "Identity": "{{ env_domain_short }}\\ServiceFabricReadOnly",
                "IsAdmin": false
            }
        ]
    },
    "CertificateInformation": {
        "ServerCertificate": {
            "Thumbprint": "{{ primary_server_certificate_thumbprint }}",
            "X509StoreName": "My"
        },
        "ReverseProxyCertificate": {
            "Thumbprint": "{{ primary_server_certificate_thumbprint }}",
            "X509StoreName": "My"
        }
    }
}
```
If we supply the ServerCertificate property as shown above, the cluster creation process throws many exceptions (none of which seem to point to certificate config issues); if I remove the ServerCertificate section (but keep the reverse proxy cert) the cluster creation process is a success.
I want the ServerCertificate there to secure the http channel of communication for the management endpoints. A few points to consider:
- The certificate referenced in the ServerCertificate property was used with success for our Certificate secured Cluster.
- The gMSA has ACL read permissions for the private key in the certificate store.
- The OS the Nodes are running on is Windows 2016 1709 (build 16299.334)
In order to get the cluster up and running correctly though I had to place the gMSA account in the local Administrators group (which seems wrong!!) as mentioned here.
Any thoughts would be greatly appreciated.
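Two of the points above (the gMSA's read ACL on the private key, and the gMSA having been placed in local Administrators as a workaround) can be verified on a node before retrying cluster creation. The following PowerShell is an added example, not code from the original post or from Service Fabric; the thumbprint and the `CONTOSO\sfcluster$` gMSA name are placeholders to replace with the values from the cluster config.

```powershell
# Added check (not from the original post). Placeholders: replace with the thumbprint
# from the cluster config and the gMSA (note the trailing '$' on gMSA sAMAccountNames).
param(
    [string]$Thumbprint  = 'REPLACE_WITH_primary_server_certificate_thumbprint',
    [string]$GmsaAccount = 'CONTOSO\sfcluster$'
)

$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert)                { throw "Certificate $Thumbprint not found in LocalMachine\My" }
if (-not $cert.HasPrivateKey)  { throw "Certificate $Thumbprint has no private key on this node" }

# Locate the on-disk key container. CNG keys (RSACng) and legacy CAPI keys
# (RSACryptoServiceProvider) are stored in different directories under ProgramData.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if (-not $rsa) { throw "Private key is not RSA; adjust the key-file lookup for this key type" }
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\Keys" $rsa.Key.UniqueName
} else {
    $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" `
        $rsa.CspKeyContainerInfo.UniqueKeyContainerName
}
if (-not (Test-Path $keyFile)) { throw "Key file not found: $keyFile" }

# Does the gMSA itself (not just Administrators) hold an Allow/Read ACE on the key file?
$acl = Get-Acl -Path $keyFile
$gmsaRead = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $GmsaAccount -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Read)
}
if ($gmsaRead) { "OK: $GmsaAccount has Read on $keyFile" }
else { Write-Warning "$GmsaAccount has no explicit Allow/Read ACE on $keyFile" }

# The workaround in the post put the gMSA in local Administrators; flag that so it can be
# removed once the key-file ACL above is what actually grants the service access.
$admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop
if ($admins.Name -contains $GmsaAccount) {
    Write-Warning "$GmsaAccount is a member of local Administrators on $env:COMPUTERNAME"
} else { "OK: $GmsaAccount is not in local Administrators" }
```

Run it on each node under an elevated session; a missing ACE on the key file (rather than the certificate store entry) is the usual reason a non-admin service identity cannot use a server certificate.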