Running SOA tasks on workstation nodes using Smart Card authentication

  • Question

  • Hi,

    I have an HPC Pack 2012 SOA setup utilizing idle desktop computer nodes. But because of a new policy, all users will have to log in to their desktop computers using Smart Cards (mandatory). This makes all service calls fail and returns the error message: "Error from node: DESKTOP-764:Smartcard logon is required and was not used".

    Is there any way to work around this problem? It is going to make all desktop nodes unusable for me in the future!

    The solution posted here http://technet.microsoft.com/en-us/library/hh184316(v=ws.10).aspx#BKMK_softcard handles how a user can submit jobs by Smart Card authentication. But what I want to solve is how to let HPC execute tasks on these nodes utilizing Smart Cards.

    Is there a way to run jobs as a special System Account instead of as the local user?

    Any input is greatly appreciated!

    • Edited by yok0 Friday, March 22, 2013 7:54 AM
    Friday, March 22, 2013 7:54 AM

All replies

  • Question related to the same problem:

    What is the actual authentication mechanism used to execute a job on a workstation node? Under what credentials are jobs run on nodes, is it configurable?

    Friday, March 22, 2013 10:38 AM
  • I have the same question - "Under what credentials are jobs run on nodes, is it configurable?"

    When a user submits a job to the cluster, under which account do the workstation nodes run the SOA job? Should the user be part of some group across the entire cluster?

    How do the credentials differ if:

    1) DLL is locally deployed to the node

    2) centrally deployed (assuming I take care of the caspol related stuff).

    Thursday, June 2, 2016 2:48 AM
  • Hi,

    For a job in the scheduler system (both batch and SOA jobs), there are two accounts associated with the job.

    1. Job Owner: This is who connects to the scheduler and submits the job to the system

    2. Job Runas User: this is the credential provided by the job owner when he submits the job (Job owner can also set the credential through the tool hpccred.exe). During task execution on the compute node or workstation, the scheduler will use this credential to do a local user logon, and start the task execution command with that user token. (And, if the task gets run in the cloud resource, the task will get executed under a local account)

    To submit a job, the user has to be in the HPCUser's group on the scheduler, and the Runas User has to be in the local user group of all the compute nodes (requires local log on permission).

    For your question, there should be no difference in the credential in these two scenarios as long as they have the read access.

    Qiufang Shi

    Thursday, June 2, 2016 3:22 AM
  • Thanks -

    So what's the best location to copy the DLL files locally to (for local deployment)?

    1) C:\<SomeFolder> --> I think c:\ is restricted from Windows 7 onwards

    2) profile folder --> Does not exist for the nodes other than the user's node

    3) common folder --> if so, where?

    Also, for central deployment, will all the DLLs be loaded into memory or will they be copied to a temp location on each of the workstation nodes?

    Thursday, June 2, 2016 4:18 AM
  • The service DLL should be deployed by the admin, and the location is specified in the service registration file.

    The admin simply does a clusrun to copy the assembly to the local dir on all compute nodes.

    If the DLL is small, putting the assemblies in a shared folder is also acceptable. I think there is a local cache after your first load on the workstation, depending on your SMB share configuration.

    Qiufang Shi

    Thursday, June 2, 2016 2:56 PM