locked
Running HPC Job Manager/Cluster Manager from outside AD domain RRS feed

  • Question

  • I'm trying to use WIN HPC 2008 on a small cluster. My strength is not Win administration, but rather development.
    (This was the first time I have setup an AD domain, and I know nearly nothing about it.)

    To create the cluster I did have to configure an Active Directory domain, which went fine, but now when I try to run Job or Cluster manager from my development machine, which is configured for a workgroup, not the domain, I get the following error:
    "HPC Job Manager: The server has rejected the client credentials."

    I suspect this may be related to the fact my dev. box is not part of the domain.

    Is there a way to get this to work without forcing my development box to join the clusters domain?


    Thank you,
    Cameron
    PS
    Is this the best forum to ask these types of questions?
    Tuesday, October 27, 2009 6:43 PM

Answers

  • Garapa,
    We allow you to cache the credentials used for submission when you submit (you should be prompted).  Unfortunately, I think the caching may not work for clients which are not joined to the domain.  My best advice for you in that case is to submit by TS'ing to the HN or a domain-joined client machine.

    There may be more helpful info in our security doc: http://technet.microsoft.com/en-us/library/cc707383(WS.10).aspx

    Thanks,
    Josh
    -Josh
    Thursday, November 19, 2009 1:17 AM
    Moderator

All replies

  • Cameron,
    Basically you need to tell your Dev Box what credentials to use when connecting to a domain machine (you'll want it to use your domain credentials).  To do this, go to Control Panel -> User Accounts -> Manage Windows Credentials (the names of those might change depending your OS version) and an entry for your head node, specifying your domain credentials should be used for connections to the HN.  That should do it!

    Thanks,
    Josh

    PS This is a great place to post these kinds of questions!
    -Josh
    Tuesday, October 27, 2009 9:11 PM
    Moderator
  • Josh,

    Thank you for your prompt reply. I've been dealing with a few issues which has kept me from trying this properly.

    The advice you gave me got me past the "rejected client credentials", but both job managers are trying to
    use my logged-in non-directory account to authorize, and it doesn't work well.


    So, for now, I've added my dev. box to the domain, although I'm not sure I will keep it that way.

    But I am still using my non-domain user account, and really don't want to switch it to a domain account.

    It turns out that given your directions I can now use the HPC Job Manager from my devbox.

    Although there is one hitch, whenever I submit a job, the manager asks for my credentials,
    it has everything filled out with my devbox credentials.  ie, Username: devbox\user, Password: xxxx

    But the devbox\user isn't an AD account, I have to give credentials for an account in the domain,
    this is all fine and good, and it allows me to submit jobs, but its anoying to have to re-enter a domain account
    every time I submit a job.

    There is s related problem which is a bigger problem. 
    When I use the command line job.exe tool to submit jobs, it will not let me change the user submitting the job,
    but uses my current credentials (devbox\user), which is not a domain account, thus I cannot submit jobs
    using job.exe, which is important to me.

    Is there an environment variable or another way I can tell both the HPC Job Manager and job.exe to
    use a particular domain account rather than defaulting to the logged in non-domain account?
    Or, do you have another recommendation?

    Thank you for all your help in advance.

    Cameron
    Friday, October 30, 2009 5:29 PM
  • Josh, <or anybody else in the know> ...

    Ok, I started reading the documentation (signs of a desperate man!), and I found the options for job.exe, ie job submit /user:domain\username <command>

    So, at least I have a work around, hopefully I can find an environment variable or file I can change on my devbox
    to permanently set this behavior so it doesn't need to be on each command line, but its a good start!

    Do you know how I can permanently set the domain\username of the user to authenticate against more permanently?

    Thank you
    Friday, October 30, 2009 6:42 PM
  • Garapa,
    We allow you to cache the credentials used for submission when you submit (you should be prompted).  Unfortunately, I think the caching may not work for clients which are not joined to the domain.  My best advice for you in that case is to submit by TS'ing to the HN or a domain-joined client machine.

    There may be more helpful info in our security doc: http://technet.microsoft.com/en-us/library/cc707383(WS.10).aspx

    Thanks,
    Josh
    -Josh
    Thursday, November 19, 2009 1:17 AM
    Moderator
  • That was a good post. Nice discussion is going on. Thanks for providing such useful information. It will be very useful for the readers. I found very useful by visiting this site.  http://cloudjobs.net
    Wednesday, December 16, 2009 6:19 AM