none
Using a gMSA with Windows HPC

    Question

  • I'm wanting to use a Group Managed Service Account to run jobs on Windows HPC (since the application is running inside a Windows Container). I've added the gMSA group to the HPC Users but when I try to connect I get:

    HTTPError: 401 Client Error: Unauthorized for url

    Are there any known problems connecting to Windows HPC using a gMSA? Is is something that *should* work? Is there any documentation for getting it to work?

    Thanks,

    Dave


    Monday, 6 August 2018 4:47 AM

All replies

  • Hi,

      Could you elaborate more on your scenario? Whether you are using gMSA to connect to the scheduler, or using this account as job "Runas" account?

      And currently we only support linux docker in HPC Pack, windows container is on the roadmap to support. 


    Qiufang Shi

    Monday, 6 August 2018 8:05 AM
  • I'm trying to connect to the scheduler using a gMSA. My application is inside a Windows Container so is connected to the AD domain as the gMSA account. I would like my app to be able to connect to the scheduler and submit jobs but it seems authorization fails despite the group which the gMSA belongs to being added to the HPC Users.

    This is a separate issue to being able to run containerised jobs on Windows HPC - something I'm also very interested in. It's obviously possible to do so with a `docker run` command but then shutdown doesn't work, and the container doesn't adhere to any affinity.

    Monday, 6 August 2018 11:49 AM
  • I suppose windows container can't do domain join. Thus you can't use a traditional domain account to connect to HPC Pack. gMSA is new to us, we will take a check.

    Meanwhile, if you're using HPC Pack 2012 R2, you shall be able to use our REST API with basic authentication to connect to the cluster and submit jobs

    And if you're using HPC Pack 2016 Update 1, you shall be able to use our Azure AD integration https://docs.microsoft.com/en-us/azure/virtual-machines/windows/hpcpack-cluster-active-directory

    For the second issue, we will implement similar behavior to our linux docker support http://download.microsoft.com/download/B/D/B/BDB8782A-FAAF-457D-AF3D-0B157FEEDF4C/Using%20Docker%20in%20HPC%20Pack.pdf 

    - User just needs to specify CCP_DOCKER_IMAGE env for the task and we will manage the docker run and shutdown as well as affinity, security, multiple docker instance task.


    Qiufang Shi

    Tuesday, 7 August 2018 2:24 AM
  • I'm running 5.1.6114.0. Our HPC cluster is currently on premises and not in Azure (yet).

    > gMSA is new to us, we will take a check

    Thanks - it would be good to know if it's unsupported or if I'm somehow configuring it wrong on my end.

    Since we're running Windows Containers I'll look forward to Windows docker support in future! :)


    Tuesday, 7 August 2018 10:47 AM