Home > Tintri VMstoreā„¢ > Knowledge Base > Active Directory Principals and VMstore

Active Directory Principals and VMstore

Applies To

 

Product(s): Tintri VMstore

Product Version(s): Tintri Operating System v3.1.1 (and later)

Overview

 

This article provides information around Active Directory (Kerberos) security principal names and how they're used in conjunction with Tintri VMstore. This currently only applies to Active Directory authentication support for VMstore management and to VMstore's Hyper-V functionality. NFSv3 as implemented for support of VMware and RHEV-M doesn't make use of Kerberos authentication at all.

Service Principals

 

Service Principal Names are used by clients when requesting service tickets from Active Directory in order to access a network service. A Hyper-V host's SMB client will request a service ticket for the VMstore's CIFS service principal when attempting to mount an SMB share. This service principal is constructed from the hostname part of the UNC path of the SMB resource being requested by the Hyper-V host. For example:

  1. If a Hyper-V host is attempting to open \\vmstore01-data.vmlevel.com\hyperv,
  2. It will perform a DNS lookup on vmstore01-data.vmlevel.com (which should resolve to the VMstore's data IP address),
  3. It will request a Kerberos service ticket from Active Directory for the server principal cifs/vmstore01-data.vmlevel.com,
  4. Active Directory will search for a computer account where the servicePrincipalName attribute is set to cifs/vmstore01-data.vmlevel.com and issue a service ticket to the client based on that,
  5. The client passes the service ticket to the VMstore when initiating the SMB session,
  6. The VMstore matches the service principal against the SMB hostname parameter set, and
  7. Validates the ticket accordingly.

 

This is essentially the same process as is followed for any Kerberos service within an Active Directory environment.

User Principals

 

User Principal Names are used by clients to identify themselves with Active Directory (by requesting an Initial Ticket) in order to be able to request service tickets for services (see above). VMstore requests initial tickets in order to get service tickets for Active Directory (LDAP) requests and for Hyper-V Management (WMI). The user principal is constructed from the VMstore's management hostname as set at VMstore installation time. For example:

  1. If a VMstore called vmstore01.vmlevel.com needs to access Active Directory or a Hyper-V host and no current initial ticket has been issued and is current,
  2. VMstore requests an initial ticket from Active Directory with the user principal HOST/vmstore01,
  3. Active Directory searches for a computer account that has a userPrincipalName attribute set to HOST/vmstore01 and issues a ticket based on that,
  4. The client includes the issued ticket when requesting service tickets

This is essentially the same process as followed for any Kerberos client within an Active Directory environment.

 

You must to post a comment.
Last modified

Tags

Classifications

This page has no classifications.