How to pass windows credentials to hpc 2012 on job.submit API RRS feed

  • Question

  • Hi

    Is it possible to pass Window credentials (domain user) directly to job.Submit API?

    The following parameters throw the same exception
    scheduler.SubmitJob(job, @"DOMAIN_A\USER1", null);              
    scheduler.SubmitJob(job, @"DOMAIN_A\USER1", "*");              

    Authentication failure: System error. Please check your credentials and try again.


    Friday, August 28, 2015 6:08 AM

All replies

  • I suppose you are using HPC Pack 2012 R2 and later version.

    What do you mean windows credentials here? IScheduler.SubmitJob takes the username and password directly. If you put a null for the password, the system will try to check whether there is cached credential for user "DOMAIN_A\USER1" under your account, if not, it will promo for password.

    Qiufang Shi

    Friday, August 28, 2015 9:17 AM
  • Hi Shi,

    Thanks for the reply.

    How easily can we update the cached credential for user "DOMAIN_A\USER1" or ensure the credential in cache in code? Ultimately, we like user to submit job without any user interaction.



    Monday, August 31, 2015 12:30 AM
  • You can check command "hpccred setcreds" for how to set up credential cache in HPC cluster. But this command has to be run by the job owner. Thus please check in your case when the job owner is the same as job runas user (Job owner is who connects to the scheduler and do the job submission, job runas user is the account that HPC cluster will use on the computenode to run your task command). If they are same, what admin need to do is: log on domain_a\user1, run hpccred setcred ....

    And other alternative ways: In Windows Server 2012 R2 Update 2, we support "Kerberos Constrained Delegation", you can submit the job on behalf of your user so that your user won't need to provide job run as user credential, here is what you need to do:

    1. Configure delegation

    2. Write your service code that can submit jobs on behalf of your user. Code sample:

    1.      private static void ImpersonateAndSubmitJob(string userPrincipalName)

    2.      {

    3.          var identity = new WindowsIdentity(userPrincipalName);

    4.          using (var context = identity.Impersonate())

    5.          {

    6.              var impersonatedIdentity = WindowsIdentity.GetCurrent(true);

    7.              if (impersonatedIdentity != null)

    8.                  Console.WriteLine("Submitting job as {0} {1}", impersonatedIdentity.Name, impersonatedIdentity.ImpersonationLevel);

    9.              else

    10.                  Console.WriteLine("No Impersonated Identity");


    12.              using (_scheduler = new Scheduler())

    13.              {

    14.                  _scheduler.Connect(_headNode);

    15.                  _scheduler.SetInterfaceMode(false, new IntPtr(-1));

    16.                  var job = _scheduler.CreateJob();

    17.                  job.Name = "ping_" + DateTime.Now.ToString("yy-MM-dd HH:mm:ss");

    18.                  job.MaximumNumberOfCores = 1;


    20.                  var task = job.CreateTask();

    21.                  task.CommandLine = "c:\\Windows\\System32\\Ping.exe localhost -n 1";

    22.                  job.AddTask(task);

    23.                  _scheduler.SubmitJob(job, _runAsUserName, _runAsPassword);

    24.                  _scheduler.Close();

    25.              }

    26.              context.Undo();

    27.          }

    Of course, you can also build your middle ware using this API: https://msdn.microsoft.com/en-us/library/hh966949(v=vs.85).aspx

    Qiufang Shi

    Monday, August 31, 2015 12:53 AM
  • Hi Shi,

    Thanks for the code.

    Ideally, we prefer the application user domain_A\user1 login and then submit the job without knowing or configuring _runAsUserName and _runAsPassword. In my case, job owner and job runner is the same i.e. domain_A\user1. Is there any API to do what the command does i.e. hpccred setcreds?



    Monday, August 31, 2015 5:13 AM
  • https://msdn.microsoft.com/en-us/library/microsoft.hpc.scheduler.ischeduler.setcachedcredentials(v=vs.85).aspx  This API should help for your scenario.

    Qiufang Shi

    Tuesday, September 1, 2015 1:21 AM