How to Validate AD Cluster Delegation Is Ready for Failover and Failback of SPNs

How to Validate AD Delegation Is Ready for Failover



Use this procedure to validate that AD delegation has been set up correctly before a failover depends on it. The most common mistake is in the delegation on the cluster computer (machine) accounts, and it only shows up when one cluster tries to change the SPNs on the other cluster's account, which is exactly what the CROSS tests below exercise.

Understanding how failover works

The failover process requires the target cluster to have AD permissions to manage the SPN(s) on the source cluster's AD machine (computer) account. The delegation guide grants this on each cluster's machine account so that failover works in either direction (PROD to DR for failover, DR to PROD for failback).

If delegation is not set up correctly, the following errors are frequently seen:

  1. LDAP constraint violation

  2. LDAP permissions error

Both surface at the step where one cluster deletes an SPN from the other cluster's computer account, so the CROSS tests below reproduce them without running a real failover.

Cross Cluster SPN delegation test [OneFS 7.x]


For this test you will need 2 OneFS 7 clusters joined to the same AD domain. A total of 4 tests will be performed:
  • PROD SELF [add and delete an SPN on the PROD cluster's own computer account, from the PROD cluster]

  • PROD CROSS [add an SPN on the PROD computer account from the PROD cluster, then delete it from the DR cluster using the DR cluster's machine credentials; this is the permission a PROD to DR failover needs]

  • DR SELF [add and delete an SPN on the DR cluster's own computer account, from the DR cluster]

  • DR CROSS [add an SPN on the DR computer account from the DR cluster, then delete it from the PROD cluster using the PROD cluster's machine credentials; this is the permission a DR to PROD failback needs]


Our Test Variables [Your variables may be different]:

  • SPN name: HOST/superna.test.spn.domain.com

  • PROD cluster name: IsiSrc-AG2

  • DR cluster name: Isitgt-AG2

  • AD Domain: ad1.test


PROD SELF SPN Delegation

You will add and then delete the test SPN [HOST/superna.test.spn.domain.com] on the PROD cluster's own computer account, from the PROD cluster CLI, logged in as the “eyeglass” user.


Step 1. Log in to your PROD cluster as the “eyeglass” user and confirm it with the following command
           whoami

[The output must be eyeglass; the remaining steps assume this user.]


Step 2. Add the test SPN to the PROD cluster's own machine account
           sudo isi auth ads spn add --machinecreds --spn=HOST/superna.test.spn.domain.com --domain=xxx.xxx

[--domain= enter your AD domain name, for example ad1.test]


Step 3. Check that the SPN was created successfully
           sudo isi auth ads spn list --machinecreds --domain=xxx.xxx

[--domain= enter your AD domain name. The test SPN must appear in the output.]


Step 4. Delete the SPN from the same cluster
           sudo isi auth ads spn delete --machinecreds --spn=HOST/superna.test.spn.domain.com --domain=xxx.xxx

[--domain= enter your AD domain name. Run the list command from Step 3 again; the test SPN must no longer appear.]


PROD CROSS SPN Delegation


In this test you will add the test SPN [HOST/superna.test.spn.domain.com] on the PROD cluster's own computer account from the PROD cluster, then delete it from the DR cluster by naming the PROD computer account with the --account option. A DR cluster that can do this has the delegation a PROD to DR failover needs.


Step 1. Log in to your PROD cluster as the “eyeglass” user and confirm it with the following command
           whoami

[The output must be eyeglass.]


Step 2. Add the test SPN to the PROD cluster's own machine account
           sudo isi auth ads spn add --machinecreds --spn=HOST/superna.test.spn.domain.com --domain=xxx.xxx

[--domain= enter your AD domain name]


Step 3. Check that the SPN was created successfully
           sudo isi auth ads spn list --machinecreds --domain=xxx.xxx

[--domain= enter your AD domain name. The test SPN must appear in the output.]


Step 4. Log in to your DR cluster as the “eyeglass” user and confirm it with the following command
           whoami


Step 5. Delete the SPN from the PROD machine account, from the DR cluster
           sudo isi auth ads spn delete --machinecreds --account=xxx$ --spn=HOST/superna.test.spn.domain.com --domain=xxx.xxx

[--account= the AD computer account of the PROD cluster, here IsiSrc-AG2$. The trailing “$” is part of the AD computer account name and is required.]

[--machinecreds authenticates the command as the DR cluster's own machine account. This is the account the delegation on the PROD computer object must grant rights to, so an LDAP constraint violation or permissions error at this step means that delegation is wrong.]

[--domain= enter your AD domain name]

[To confirm the delete, run the list command from Step 3 on the PROD cluster again; the test SPN must no longer appear.]

DR SELF SPN Delegation

You will add and then delete the test SPN [HOST/superna.test.spn.domain.com] on the DR cluster's own computer account, from the DR cluster CLI, logged in as the “eyeglass” user.


Step 1. Log in to your DR cluster as the “eyeglass” user and confirm it with the following command
           whoami

[The output must be eyeglass; the remaining steps assume this user.]


Step 2. Add the test SPN to the DR cluster's own machine account
           sudo isi auth ads spn add --machinecreds --spn=HOST/superna.test.spn.domain.com --domain=xxx.xxx

[--domain= enter your AD domain name, for example ad1.test]


Step 3. Check that the SPN was created successfully
           sudo isi auth ads spn list --machinecreds --domain=xxx.xxx

[--domain= enter your AD domain name. The test SPN must appear in the output.]


Step 4. Delete the SPN from the same cluster
           sudo isi auth ads spn delete --machinecreds --spn=HOST/superna.test.spn.domain.com --domain=xxx.xxx

[--domain= enter your AD domain name. Run the list command from Step 3 again; the test SPN must no longer appear.]

DR CROSS SPN Delegation


In this test you will add the test SPN [HOST/superna.test.spn.domain.com] on the DR cluster's own computer account from the DR cluster, then delete it from the PROD cluster by naming the DR computer account with the --account option. A PROD cluster that can do this has the delegation a DR to PROD failback needs.


Step 1. Log in to your DR cluster as the “eyeglass” user and confirm it with the following command
           whoami

[The output must be eyeglass.]


Step 2. Add the test SPN to the DR cluster's own machine account
           sudo isi auth ads spn add --machinecreds --spn=HOST/superna.test.spn.domain.com --domain=xxx.xxx

[--domain= enter your AD domain name]


Step 3. Check that the SPN was created successfully
           sudo isi auth ads spn list --machinecreds --domain=xxx.xxx

[--domain= enter your AD domain name. The test SPN must appear in the output.]


Step 4. Log in to your PROD cluster as the “eyeglass” user and confirm it with the following command
           whoami


Step 5. Delete the SPN from the DR machine account, from the PROD cluster
           sudo isi auth ads spn delete --machinecreds --account=xxx$ --spn=HOST/superna.test.spn.domain.com --domain=xxx.xxx

[--account= the AD computer account of the DR cluster, here Isitgt-AG2$. The trailing “$” is part of the AD computer account name and is required.]

[--machinecreds authenticates the command as the PROD cluster's own machine account. This is the account the delegation on the DR computer object must grant rights to, so an LDAP constraint violation or permissions error at this step means that delegation is wrong.]

[--domain= enter your AD domain name]

[To confirm the delete, run the list command from Step 3 on the DR cluster again; the test SPN must no longer appear.]


Cross Cluster SPN delegation test [OneFS 8.x]

For this test you will need 2 OneFS 8 clusters joined to the same AD domain. A total of 4 tests will be performed. On OneFS 8 the commands are run through isi_classic, which provides the OneFS 7 style command syntax used here.

  • PROD SELF [add and delete an SPN on the PROD cluster's own computer account, from the PROD cluster]

  • PROD CROSS [add an SPN on the PROD computer account from the PROD cluster, then delete it from the DR cluster using the DR cluster's machine credentials; this is the permission a PROD to DR failover needs]

  • DR SELF [add and delete an SPN on the DR cluster's own computer account, from the DR cluster]

  • DR CROSS [add an SPN on the DR computer account from the DR cluster, then delete it from the PROD cluster using the PROD cluster's machine credentials; this is the permission a DR to PROD failback needs]


Our Test Variables [Your variables may be different]:

  • SPN name: HOST/superna.test.spn.domain.com

  • PROD cluster name: ishot-8

  • DR cluster name: iscold-8

  • AD Domain: ad2.test


PROD SELF SPN Delegation

You will add and then delete the test SPN [HOST/superna.test.spn.domain.com] on the PROD cluster's own computer account, from the PROD cluster CLI, logged in as the “eyeglass” user.


Step 1. Log in to your PROD cluster as the “eyeglass” user and confirm it with the following command
           whoami

[The output must be eyeglass; the remaining steps assume this user.]


Step 2. Add the test SPN to the PROD cluster's own machine account
           sudo isi_classic auth ads spn add --machinecreds --spn=HOST/superna.test.spn.domain.com --domain=xxx.xxx

[--domain= enter your AD domain name, for example ad2.test]


Step 3. Check that the SPN was created successfully
           sudo isi_classic auth ads spn list --machinecreds --domain=xxx.xxx

[--domain= enter your AD domain name. The test SPN must appear in the output.]


Step 4. Delete the SPN from the same cluster
           sudo isi_classic auth ads spn delete --machinecreds --spn=HOST/superna.test.spn.domain.com --domain=xxx.xxx

[--domain= enter your AD domain name. Run the list command from Step 3 again; the test SPN must no longer appear.]

PROD CROSS SPN Delegation


In this test you will add the test SPN [HOST/superna.test.spn.domain.com] on the PROD cluster's own computer account from the PROD cluster, then delete it from the DR cluster with the isi_classic command, naming the PROD computer account with the --account option. A DR cluster that can do this has the delegation a PROD to DR failover needs.


Step 1. Log in to your PROD cluster as the “eyeglass” user and confirm it with the following command
           whoami

[The output must be eyeglass.]


Step 2. Add the test SPN to the PROD cluster's own machine account
           sudo isi_classic auth ads spn add --machinecreds --spn=HOST/superna.test.spn.domain.com --domain=xxx.xxx

[--domain= enter your AD domain name]


Step 3. Check that the SPN was created successfully
           sudo isi_classic auth ads spn list --machinecreds --domain=xxx.xxx

[--domain= enter your AD domain name. The test SPN must appear in the output.]


Step 4. Log in to your DR cluster as the “eyeglass” user and confirm it with the following command
           whoami


Step 5. Delete the SPN from the PROD machine account, from the DR cluster
           sudo isi_classic auth ads spn delete --machinecreds --account=xxx$ --spn=HOST/superna.test.spn.domain.com --domain=xxx.xxx

[--account= the AD computer account of the PROD cluster, here ishot-8$. The trailing “$” is part of the AD computer account name and is required.]

[--machinecreds authenticates the command as the DR cluster's own machine account. This is the account the delegation on the PROD computer object must grant rights to, so an LDAP constraint violation or permissions error at this step means that delegation is wrong.]

[--domain= enter your AD domain name]

[To confirm the delete, run the list command from Step 3 on the PROD cluster again; the test SPN must no longer appear.]

DR SELF SPN Delegation

You will add and then delete the test SPN [HOST/superna.test.spn.domain.com] on the DR cluster's own computer account, from the DR cluster CLI, logged in as the “eyeglass” user.


Step 1. Log in to your DR cluster as the “eyeglass” user and confirm it with the following command
           whoami

[The output must be eyeglass; the remaining steps assume this user.]


Step 2. Add the test SPN to the DR cluster's own machine account
           sudo isi_classic auth ads spn add --machinecreds --spn=HOST/superna.test.spn.domain.com --domain=xxx.xxx

[--domain= enter your AD domain name, for example ad2.test]


Step 3. Check that the SPN was created successfully
           sudo isi_classic auth ads spn list --machinecreds --domain=xxx.xxx

[--domain= enter your AD domain name. The test SPN must appear in the output.]


Step 4. Delete the SPN from the same cluster
           sudo isi_classic auth ads spn delete --machinecreds --spn=HOST/superna.test.spn.domain.com --domain=xxx.xxx

[--domain= enter your AD domain name. Run the list command from Step 3 again; the test SPN must no longer appear.]

DR CROSS SPN Delegation


In this test you will add the test SPN [HOST/superna.test.spn.domain.com] on the DR cluster's own computer account from the DR cluster, then delete it from the PROD cluster with the isi_classic command, naming the DR computer account with the --account option. A PROD cluster that can do this has the delegation a DR to PROD failback needs.


Step 1. Log in to your DR cluster as the “eyeglass” user and confirm it with the following command
           whoami

[The output must be eyeglass.]


Step 2. Add the test SPN to the DR cluster's own machine account
           sudo isi_classic auth ads spn add --machinecreds --spn=HOST/superna.test.spn.domain.com --domain=xxx.xxx

[--domain= enter your AD domain name]


Step 3. Check that the SPN was created successfully
           sudo isi_classic auth ads spn list --machinecreds --domain=xxx.xxx

[--domain= enter your AD domain name. The test SPN must appear in the output.]


Step 4. Log in to your PROD cluster as the “eyeglass” user and confirm it with the following command
           whoami


Step 5. Delete the SPN from the DR machine account, from the PROD cluster
           sudo isi_classic auth ads spn delete --machinecreds --account=xxx$ --spn=HOST/superna.test.spn.domain.com --domain=xxx.xxx

[--account= the AD computer account of the DR cluster, here iscold-8$. The trailing “$” is part of the AD computer account name and is required.]

[--machinecreds authenticates the command as the PROD cluster's own machine account. This is the account the delegation on the DR computer object must grant rights to, so an LDAP constraint violation or permissions error at this step means that delegation is wrong.]

[--domain= enter your AD domain name]

[To confirm the delete, run the list command from Step 3 on the DR cluster again; the test SPN must no longer appear.]
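The SELF and CROSS tests above, in both the OneFS 7 (isi auth ads spn) and OneFS 8 (isi_classic auth ads spn) forms, can be scripted so that the "is the SPN listed" checks and the error classification are not done by eye. The script below is an added example and is not Superna's or Dell's code. It runs on the cluster as the “eyeglass” user and issues the same sudo commands the steps use. Everything it assumes beyond the page is marked: SPN_CMD selects the CLI flavour, the list output is taken to print one SPN per line, the error strings it matches are the LDAP constraint violation and permissions error the page names, the SPN_RUNNER hook exists only so the logic can be dry-run against a stand-in for the CLI, and the file name spn_delegation_test.sh is made up for the usage notes.

```shell
#!/bin/sh
# Added example (not Superna or Dell code): runs the SELF and CROSS SPN
# delegation tests from this page and checks the results instead of reading
# them by eye. Run it on the cluster as the "eyeglass" user (it uses sudo,
# exactly like the page's steps). Assumptions not taken from the page:
# SPN_CMD selects the CLI flavour, "spn list" prints one SPN per line, and
# the error strings matched in classify_spn_error are the ones the page names.

SPN_CMD=${SPN_CMD:-"isi auth ads spn"}        # OneFS 8: "isi_classic auth ads spn"
SPN=${SPN:-HOST/superna.test.spn.domain.com}   # test SPN from the page
DOMAIN=${DOMAIN:-ad1.test}                     # your AD domain
SPN_RUNNER=${SPN_RUNNER:-run_isi}              # swap in a stand-in for a dry run

# Real runner: same option layout as the page's commands.
run_isi() {  # run_isi <add|list|delete> [--spn=... --account=...]
    sub=$1; shift
    sudo $SPN_CMD "$sub" --machinecreds "$@" --domain="$DOMAIN" 2>&1
}

# Map failure output to the two symptoms the page lists (wording assumed).
classify_spn_error() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        *"constraint violation"*)                      echo constraint-violation ;;
        *"insufficient access"*|*permission*|*denied*) echo permission ;;
        *)                                             echo unknown ;;
    esac
}

# True when the SPN is a whole line of the list output. AD treats SPNs
# case-insensitively, so the comparison does too.
spn_in_list() {  # spn_in_list <list-output> <spn>
    printf '%s\n' "$1" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
        | grep -i -x -F -- "$2" >/dev/null
}

# One CLI step: keeps its output in STEP_OUT, prints FAIL plus the cause on error.
step() {  # step <label> <subcommand> [args...]
    label=$1; shift
    if STEP_OUT=$($SPN_RUNNER "$@"); then
        echo "ok   $label"
        return 0
    fi
    echo "FAIL $label: $(classify_spn_error "$STEP_OUT") ($STEP_OUT)"
    return 1
}

present() { step "list" list && spn_in_list "$STEP_OUT" "$SPN"; }
absent()  { step "list" list && ! spn_in_list "$STEP_OUT" "$SPN"; }

# self          PROD SELF / DR SELF: add, list, delete on this cluster's account.
# cross-add     first half of a CROSS test, on the cluster whose account is edited.
# cross-delete  second half, on the other cluster: delete with --account=PEER$.
# cross-verify  back on the first cluster: the SPN must be gone.
run_phase() {
    case "$1" in
        self)
            step "add $SPN" add --spn="$SPN" || return 1
            present || { echo "FAIL expected $SPN listed after add"; return 1; }
            step "delete $SPN" delete --spn="$SPN" || return 1
            absent  || { echo "FAIL expected $SPN gone after delete"; return 1; } ;;
        cross-add)
            step "add $SPN" add --spn="$SPN" || return 1
            present || { echo "FAIL expected $SPN listed after add"; return 1; } ;;
        cross-delete)
            [ -n "$2" ] || { echo "usage: $0 cross-delete <peer-computer-name>"; return 2; }
            step "delete $SPN from ${2}\$" delete --account="${2}\$" --spn="$SPN" || return 1 ;;
        cross-verify)
            absent  || { echo "FAIL expected $SPN gone after cross delete"; return 1; } ;;
        *)  echo "usage: $0 self | cross-add | cross-delete <peer> | cross-verify"; return 2 ;;
    esac
    echo "PASS $1"
}

if [ -n "${1:-}" ]; then run_phase "$@"; fi
```

To run the PROD CROSS test with the page's OneFS 7 variables: on PROD, `sh spn_delegation_test.sh self` then `sh spn_delegation_test.sh cross-add`; on DR, `sh spn_delegation_test.sh self` then `sh spn_delegation_test.sh cross-delete IsiSrc-AG2`; back on PROD, `sh spn_delegation_test.sh cross-verify`. Swap the roles (cross-add on DR, cross-delete Isitgt-AG2 on PROD, cross-verify on DR) for DR CROSS. On OneFS 8 export `SPN_CMD="isi_classic auth ads spn"` and `DOMAIN=ad2.test` first. A FAIL line tagged constraint-violation or permission at a cross-delete step points at the delegation on the peer's computer object, which is the condition the page says breaks failover.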