none
HPC Pack 2016: "Identity check failed for outgoing message" Error

    Question

  • Hello MSDN community, I am encountering the following errors when I try to add a node to my local computer cluster using Microsoft HPC Pack 2016:

    • Could not contact node 'NODE-A08' to perform change. Identity check failed for outgoing message. The expected DNS identity of the remote endpoint was 'HEAD-NODE01' but the remote endpoint provided DNS claim 'NODE-A08'. If this is a legitimate remote endpoint, you can fix the problem by explicitly specifying DNS identity 'NODE-A08' as the Identity property of EndpointAddress when creating channel proxy.
    • Could not contact node 'NODE-A08' to perform change. The management service was unable to connect to the node using any of the IP addresses resolved for the node.

    Through my research in to the issue I have found "Identity check failed for outgoing message..." to be a well documented error related to Windows Communication Foundation (WCF). My understanding is that it occurs when the common name (CN) of the endpoint computer's certificate does not match its DNS identity.

    The solutions that I found where lines of code for people writing their own programs, however those solutions do not apply to HPC Pack because I cannot access its source code directly.

    Some additional information specific to my situation:

    • the certificates used by both the head node and the node were issued individually by a trusted domain
    • all computers are connect to one enterprise network
    • the head node's PC name is 'HEAD-NODE01'
    • the node's PC name is 'NODE-A08'
    • these errors occur during the provisioning stage of adding a node
    • the errors are displayed in the provisioning log within HPC Pack 2016's user interface
    • I was successful in pinging each computer from the other
    • both computers display the proper DNS IP address when I use command prompt
    • the head node is running Windows Server 2012 R2
    • the node is preconfigured to be a workstation node and is running Windows 10 Enterprise

    Any help would be greatly appreciated. I have looked for a few days and in a lot of places for an answer, but I have not been very successful. Thank you very much in advance!

    Wednesday, May 17, 2017 5:22 PM

Answers

  • Hi Hunter,

    Your cluster is HPC Pack 2016 cluster, right? you have 3 head nodes or 1 single head node?

    during installation, you use separate certificate for head node and compute node, right? current we have one requirement, you can refer to

    https://technet.microsoft.com/en-us/library/mt791810(v=ws.11).aspx, we need the certificates has the same subject name.

    Microsoft HPC Pack 2016 cluster requires two certificates to secure the communication between the HPC nodes:

    • Certificate for the head node - This certificate is installed on the head node(or head nodes) to secure the Service Fabric cluster and the communication between HPC nodes.
    • Certificate for other nodes - This certificate is installed on the HPC nodes other than head nodes to secure the communication between HPC nodes.

    You can use same certificate for the two purposes, but it is recommended to use separate certificates. These two certificates must meet the following requirements:

    • Have a private key capable of key exchange
    • Key usage includes Digital Signature and Key Encipherment
    • Enhanced key usage includes Client Authentication and Server Authentication
    • The subject names of the two certificates must be same

    Thanks,

    Yongjun

    • Marked as answer by Hunter02 Wednesday, May 24, 2017 3:25 PM
    Monday, May 22, 2017 4:17 AM

All replies

  • Hi Hunter,

    Your cluster is HPC Pack 2016 cluster, right? you have 3 head nodes or 1 single head node?

    during installation, you use separate certificate for head node and compute node, right? current we have one requirement, you can refer to

    https://technet.microsoft.com/en-us/library/mt791810(v=ws.11).aspx, we need the certificates has the same subject name.

    Microsoft HPC Pack 2016 cluster requires two certificates to secure the communication between the HPC nodes:

    • Certificate for the head node - This certificate is installed on the head node(or head nodes) to secure the Service Fabric cluster and the communication between HPC nodes.
    • Certificate for other nodes - This certificate is installed on the HPC nodes other than head nodes to secure the communication between HPC nodes.

    You can use same certificate for the two purposes, but it is recommended to use separate certificates. These two certificates must meet the following requirements:

    • Have a private key capable of key exchange
    • Key usage includes Digital Signature and Key Encipherment
    • Enhanced key usage includes Client Authentication and Server Authentication
    • The subject names of the two certificates must be same

    Thanks,

    Yongjun

    • Marked as answer by Hunter02 Wednesday, May 24, 2017 3:25 PM
    Monday, May 22, 2017 4:17 AM
  • Thanks a bunch! I don't recall reading that particularly important instruction:

         "The subject names of the two certificates must be same"

    Thank you for pointing this out :)

    Wednesday, May 24, 2017 3:28 PM