HPC and Kerberos Double Hop

  • Question

  • I have what I assume is a Kerberos double hop issue. I am attempting to use the API on a C# MVC-based intranet site. Everything worked fine while developing on my local machine, but having deployed to our test IIS server I can now no longer connect to HPC from a browser on my workstation, with a message saying "Could not connect to the scheduler. The user may not be authorized to connect to the scheduler or the scheduler service might not be running". Doing an RDP to the IIS server itself and running a browser session from there works fine.

    We already have resolved the double hop issue with respect to SQL, which is now getting the credentials passed through, and therefore the IIS server is trusted for delegation in AD, and SPNs for SQL set up.

    I'm assuming it must be possible to overcome the double hop issue with HPC as well, and that logically I can't be the first person to hit this issue. I'm also guessing the bit that's missing is a suitable SPN at the headnode (all the HPC services are currently running as local system, although I can obviously change this if necessary), but I'm struggling to find any information as to how to do this.

    Tuesday, January 27, 2015 11:54 AM

All replies

  • Hi,

      We have addressed this issue recently; a QFE for Windows HPC Pack 2012 R2 Update 1 will be released soon with this fix (next month).

    Qiufang Shi

    Wednesday, January 28, 2015 3:13 AM
  • But in the meantime, as a short-term workaround, you can try Scheduler.ConnectServiceAsClient in your middle service to submit jobs to the scheduler on behalf of the user, where you need to provide an administrator credential for connecting to the scheduler.

    Qiufang Shi

    Wednesday, January 28, 2015 3:43 AM
  • The QFE is available here now: http://www.microsoft.com/en-us/download/details.aspx?id=45876

    Qiufang Shi

    Monday, March 16, 2015 8:37 AM