We have created unsecured and certificate-based clusters successfully. We are now experimenting with a domain-secured cluster that uses a gMSA for node-to-node communication. The following cluster configuration snippet shows the problematic part:
"security": {
  "ClusterCredentialType": "Windows",
  "ServerCredentialType": "Windows",
  "WindowsIdentities": {
    "ClustergMSAIdentity": "{{ env_domain }}\\{{ cluster_gmsa_identity }}",
    "ClusterSPN": "{{ cluster_gmsa_spn }}",
    "ClientIdentities": [
      {
        "Identity": "{{ env_domain_short }}\\ServiceFabricAdmins",
        "IsAdmin": true
      },
      {
        "Identity": "{{ env_domain_short }}\\ServiceFabricReadOnly",
        "IsAdmin": false
      }
    ]
  },
  "CertificateInformation": {
    "ServerCertificate": {
      "Thumbprint": "{{ primary_server_certificate_thumbprint }}",
      "X509StoreName": "My"
    },
    "ReverseProxyCertificate": {
      "Thumbprint": "{{ primary_server_certificate_thumbprint }}",
      "X509StoreName": "My"
    }
  }
}
If we supply the ServerCertificate property as shown above, the cluster creation process throws a number of exceptions (each of which seems to point to a certificate configuration problem); if I remove the ServerCertificate section (but keep the certificate supplied for the reverse proxy), cluster creation succeeds.
I want the ServerCertificate there to secure the HTTP communication channel of the management endpoints. A few points to consider:
To get the cluster running at all, I had to put the gMSA account in the local Administrators group (this doesn't look right!!), as described here.
Any ideas would be highly appreciated.
Answer 0: (score: 0)
You could try granting a few rights, such as
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Log on as a service
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Log on as a batch job
via the Local Security Policy editor. If you look at those entries, you will see that the Administrators group is already included in them, whereas the Users group (and the gMSA is an ordinary account) is not. So if you add the gMSA to those entries, the account gets the right to run as a service (Service Fabric itself looks like a service).
{
  "name": "yosfcl",
  "clusterConfigurationVersion": "1.0.1",
  "apiVersion": "10-2017",
  "nodes": [
    {
      "NodeName": "yv1-sf",
      "NodeTypeRef": "NodeType0",
      "IPAddress": "yv1-sf",
      "FaultDomain": "fd:/dc1/r1",
      "UpgradeDomain": "UD1"
    },
    {
      "NodeName": "yv2-sf",
      "NodeTypeRef": "NodeType0",
      "IPAddress": "yv2-sf",
      "FaultDomain": "fd:/dc1/r2",
      "UpgradeDomain": "UD2"
    },
    {
      "NodeName": "yv3-sf",
      "NodeTypeRef": "NodeType0",
      "IPAddress": "yv3-sf",
      "FaultDomain": "fd:/dc1/r3",
      "UpgradeDomain": "UD3"
    }
  ],
  "properties": {
    "diagnosticsStore": {
      "metadata": "Please replace the diagnostics file share with an actual file share accessible from all cluster machines. For example, \\\\machine1\\DiagnosticsStore.",
      "dataDeletionAgeInDays": "21",
      "storeType": "FileShare",
      "connectionstring": "c:\\ProgramData\\SF\\DiagnosticsStore"
    },
    "reverseProxyCertificate": {
      "thumbprint": "[parameters('76************************8A2')]",
      "x509StoreName": "[parameters('My')]"
    },
    "security": {
      "ClusterCredentialType": "Windows",
      "ServerCredentialType": "X509",
      "WindowsIdentities": {
        "ClustergMSAIdentity": "gmsaSF@domain.lan",
        "ClusterSPN": "http/yosfcl.domain.lan",
        "ClientIdentities": [
          {
            "Identity": "domain\\my.name",
            "IsAdmin": true
          }
        ]
      },
      "CertificateInformation": {
        "ServerCertificate": {
          "Thumbprint": "76***********************************8A2",
          "X509StoreName": "My"
        },
        "ReverseProxyCertificate": {
          "Thumbprint": "76*************************************48A2",
          "X509StoreName": "My"
        },
        "ClientCertificateThumbprints": [
          {
            "CertificateThumbprint": "94***********************************2D",
            "IsAdmin": true
          }
        ]
      }
    },
    "nodeTypes": [
      {
        "name": "NodeType0",
        "clientConnectionEndpointPort": "19000",
        "clusterConnectionEndpointPort": "19001",
        "leaseDriverEndpointPort": "19002",
        "serviceConnectionEndpointPort": "19003",
        "httpGatewayEndpointPort": "19080",
        "reverseProxyEndpointPort": "19081",
        "applicationPorts": {
          "startPort": "20001",
          "endPort": "20500"
        },
        "ephemeralPorts": {
          "startPort": "20501",
          "endPort": "20700"
        },
        "isPrimary": true
      }
    ],
    "fabricSettings": [
      {
        "name": "Setup",
        "parameters": [
          {
            "name": "FabricDataRoot",
            "value": "D:\\SF"
          },
          {
            "name": "FabricLogRoot",
            "value": "D:\\SF\\Logs"
          }
        ]
      },
      {
        "name": "ApplicationGateway/Http",
        "parameters": [
          {
            "name": "SecureOnlyMode",
            "value": true
          },
          {
            "name": "ApplicationCertificateValidationPolicy",
            "value": "None"
          }
        ]
      }
    ]
  }
}
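As an added example (not code from the question or the answer), a small Python linter that checks a standalone ClusterConfig.json for the two points this thread turns on: the question's config carried a ServerCertificate under ServerCredentialType "Windows" while the answer's working config uses "X509", and the answer's ApplicationGateway/Http settings set ApplicationCertificateValidationPolicy to None, which leaves the reverse proxy not validating backend service certificates. The rule tying ServerCertificate to X509 is an assumption drawn from comparing the two configs; the sample dicts are constructed from this page with placeholder thumbprints.

```python
# Constructed samples mirroring the security-relevant parts of the two configs on
# this page; thumbprints are placeholders and unrelated keys are omitted.
QUESTION_CONFIG = {"properties": {
    "security": {
        "ClusterCredentialType": "Windows", "ServerCredentialType": "Windows",
        "CertificateInformation": {
            "ServerCertificate": {"Thumbprint": "PLACEHOLDER", "X509StoreName": "My"}},
    },
    "fabricSettings": [],
}}
ANSWER_CONFIG = {"properties": {
    "security": {
        "ClusterCredentialType": "Windows", "ServerCredentialType": "X509",
        "CertificateInformation": {
            "ServerCertificate": {"Thumbprint": "PLACEHOLDER", "X509StoreName": "My"}},
    },
    "fabricSettings": [{
        "name": "ApplicationGateway/Http",
        "parameters": [{"name": "SecureOnlyMode", "value": True},
                       {"name": "ApplicationCertificateValidationPolicy", "value": "None"}],
    }],
}}


def lint_cluster_config(cfg):
    """Return a list of findings for a standalone ClusterConfig.json loaded as a dict."""
    findings = []
    props = cfg.get("properties", {})
    sec = props.get("security", {})
    cred = sec.get("ServerCredentialType")
    certs = sec.get("CertificateInformation", {})
    # Assumption drawn from the two configs above: a ServerCertificate only makes
    # sense with X509 server credentials; the failing config paired it with "Windows".
    if "ServerCertificate" in certs and cred != "X509":
        findings.append(f"ServerCertificate set but ServerCredentialType is {cred!r}, expected 'X509'")
    for setting in props.get("fabricSettings", []):
        if setting.get("name") != "ApplicationGateway/Http":
            continue
        params = {p["name"]: p["value"] for p in setting.get("parameters", [])}
        if str(params.get("SecureOnlyMode", False)).lower() != "true":
            findings.append("reverse proxy SecureOnlyMode is not set to true")
        # "None" disables validation of the backend service's certificate by the
        # proxy; an absent setting is treated here as None.
        if params.get("ApplicationCertificateValidationPolicy", "None") == "None":
            findings.append("reverse proxy does not validate backend service certificates")
    return findings
```

Run it over `json.load(open("ClusterConfig.json"))` to get the findings for a real file; an empty list means none of the three checks fired.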