Using Windows Authentication to submit jobs.

  • Question

  • I developed an app that uses the APIs to submit jobs to the HPC cluster. However, when this is used to submit jobs from a client, it requires me to pass my credentials as a string. This whole approach undermines the security when using my application.

    I am aware of the "cluscfg setcreds" which can be used to cache the credentials and thereafter use the application. But I find it to be a very crude way of getting my job done.

    So is there a way to pass the credentials for the job submission via Windows authentication or any other means?

    Thanks in advance.

    Regards,

    Sridutt

    Wednesday, May 4, 2011 7:24 AM

Answers

  • Hi Sridutt,

    Answering your 1st question - there is a limitation of Kerberos ticket lifetime. The Windows HPC system operates on the assumption that your job may stay in the queue for a while. In such a case an additional logon may be required at job startup, and so the user password or softcard certificate (SP2) is stored on the server.

    Thanks,
    Łukasz


    Tuesday, May 24, 2011 12:39 AM
  • Hi Sridutt

    Try using "SetInterfaceMode" -

    ( http://msdn.microsoft.com/en-us/library/microsoft.hpc.scheduler.ischeduler.setinterfacemode(VS.85).aspx )

    Then you will see the same window that asks for the user credentials as you see in the cluster manager.

    Regards,

    Shai

    void SetInterfaceMode (
      bool isConsole,
      IntPtr hwnd
    )

    Hey Shai,

    Thanks a lot, it worked and thus answers my second question. Can you please suggest something for my 1st question?

    Thanks,

    Sridutt

    Tuesday, May 17, 2011 6:49 AM

All replies

  • Hi Sridutt,

      The user is required to provide a password to run the job on the cluster (it will be used when running the task on the node).

      From Windows 2008 R2 SP2, smartcard authentication will be supported. Please check what's new in the SP2 beta (http://technet.microsoft.com/en-us/library/hh184314(WS.10).aspx).

    Thanks,

    Qiufang


    Qiufang Shi
    Tuesday, May 10, 2011 1:17 AM
  • Hi Qiufang,

    Thanks for the info. But, I have 2 more questions for you.

    1. Can I know why Windows authentication is not supported? From my perspective it seems to be a viable option, because if you are developing an app, the prerequisite for running that app is to use "cluscfg setcreds".
    2. Also, if I use the Cluster Manager wizard to submit a job and my credentials aren't cached, it prompts me for my credentials. The same is true if I create a console app: I am asked to key in the credentials in the command window. However, when I use the APIs in code, Scheduler.Connect() requires me to specify the headnode followed by the credentials as a string, which undermines the whole security perspective. So is there a way by which, in case I specify the credentials as null in Scheduler.Connect(), I could prompt the user of the app to key in the credentials just like the Cluster Manager wizard or the console app?

    Thanks in advance.

    Regards,

    Sridutt

    Friday, May 13, 2011 10:20 AM
  • Hi Sridutt

    Try using "SetInterfaceMode" - 

    void SetInterfaceMode (
      bool isConsole,
      IntPtr hwnd
    )

    ( http://msdn.microsoft.com/en-us/library/microsoft.hpc.scheduler.ischeduler.setinterfacemode(VS.85).aspx )

    Then you will see the same window that asks for the user credentials as you see in the cluster manager.

    Regards,

    Shai

     

    Monday, May 16, 2011 11:09 AM
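
Added example, not part of any post in this thread: a minimal sketch of the SetInterfaceMode approach suggested above, so that no password appears in code or configuration. It assumes the Microsoft.Hpc.Scheduler SDK is referenced and that, as the SDK documentation describes, passing null for the user name and password to SubmitJob makes the scheduler use cached credentials or prompt for them; the class name, method name and parameters are hypothetical.

```csharp
using System;
using Microsoft.Hpc.Scheduler;

// Hypothetical helper class; names are illustrative, not from the SDK.
static class HpcJobSubmitter
{
    // headNode:    name of the cluster head node (supplied by the caller)
    // commandLine: command the task should run on the compute node
    // ownerWindow: handle of the application's main window, for example
    //              Form.Handle in a Windows Forms app. Pass IntPtr.Zero
    //              together with isConsole = true for a console app.
    public static int SubmitWithPrompt(string headNode, string commandLine,
                                       IntPtr ownerWindow, bool isConsole)
    {
        if (string.IsNullOrEmpty(headNode))
            throw new ArgumentException("Head node name is required.", "headNode");
        if (string.IsNullOrEmpty(commandLine))
            throw new ArgumentException("Command line is required.", "commandLine");

        IScheduler scheduler = new Scheduler();
        scheduler.Connect(headNode);

        // Tell the scheduler how to ask for credentials: a dialog owned by
        // ownerWindow for GUI apps, or a console prompt when isConsole is true.
        scheduler.SetInterfaceMode(isConsole, ownerWindow);

        ISchedulerJob job = scheduler.CreateJob();
        job.Name = "Prompted-credentials job";

        ISchedulerTask task = job.CreateTask();
        task.CommandLine = commandLine;
        job.AddTask(task);

        // No user name or password is passed here. The scheduler falls back
        // to cached credentials or prompts the user through the interface
        // selected above, so the secret never passes through this code.
        scheduler.SubmitJob(job, null, null);

        return job.Id;
    }
}
```

The password is still sent to and stored by the head node, as the replies in this thread explain; what this removes is the need for the client application to hold it as a string.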