Enable and Configure Soft Card Authentication on a Windows HPC Cluster
Applies To: Microsoft HPC Pack 2012, Microsoft HPC Pack 2012 R2
Starting in HPC Pack 2008 R2 with Service Pack 2, if your organization uses smart card authentication, you can enable cluster users to use their smart card credentials to generate a soft card certificate that can be selected as credentials on the cluster. This topic describes the requirements and steps for configuring soft card authentication on a Windows HPC cluster.
Requirements to enable HPC soft card authentication
Active Directory environment
The Active Directory and Active Directory domain controllers must be configured for smart card authentication.
The Active Directory domain controller must be running at least Windows Server 2008 R2.
The computer on which the Certification Authority role service of Active Directory Certificate Services is installed must be running at least Windows Server 2008 R2.
For more information about installing and managing the CA role service, see Active Directory Certificate Services.
Install the HPC soft card key storage provider
To enable soft card authentication when submitting jobs to an HPC Pack cluster, you must install the HPC soft card key storage provider (KSP) on the following computers:
The head node of your cluster
The compute nodes, workstation nodes, and unmanaged server nodes (if supported) of your cluster
To install the KSP, you must separately run the version of the installation program that is appropriate for the operating system on each computer: HpcKsp_x64.msi or HpcKsp_x86.msi. The installation programs are included in the installation files for supported versions of HPC Pack that are available on the Microsoft Download Center or in installation media.
You can copy the installers to a shared folder that all on-premises nodes can access and then use the clusrun command to install the KSP on all nodes. For example, you can copy the installers to the ccpspooldir share on the head node (\\<headnode>\ccpspooldir) and then run the following command (for 64-bit computers):
clusrun msiexec /passive /I \\<headnode>\ccpspooldir\hpcksp_x64.msi
The following table shows the operating systems on which you can install the HPC soft card KSP for HPC Pack.
Version of Microsoft HPC Pack | Supported operating systems for the HPC soft card KSP |
---|---|
HPC Pack 2012 R2 | Windows 8.1, Windows Server 2012 R2, Windows 8, Windows Server 2012, Windows 7, or Windows Server 2008 R2 |
HPC Pack 2012 | Windows 8, Windows Server 2012, Windows 7, or Windows Server 2008 R2 |
HPC Pack 2008 R2 | Windows 7 or Windows Server 2008 R2 |
Important
- If you previously installed the HPC soft card key storage provider from an earlier version of HPC Pack, you must uninstall the provider on each node before you reinstall the provider in a more recent version of HPC Pack.
- Uninstalling the HPC soft card KSP stops the HPC Node Manager Service on the node, making the node unreachable. You should restart a node after uninstalling the HPC soft card KSP.
Create a certificate template
Before enabling HPC soft card authentication on the cluster, work with your certification authority (CA) or PKI administrator to choose or create a certificate template that should be used when generating a soft card for the cluster. Ensure that the validity period in the template is long enough to accommodate the job lifecycle. Optionally, the template can have an associated access control list that defines who can use the certificate template.
Note
The certificate template that is used to generate HPC soft card credentials must allow the private key to be exported.
The CA role service includes several default certificate templates. The CA administrator can create an HPC soft card template by copying and then modifying the default Smart Card Logon template in the Certificate Templates Console as follows:
In Extensions, in Application Policies, remove Smart Card Logon.
In Request Handling, click Allow private key to be exported.
In Security, specify the users who can enroll (optional).
Ensure that the validity period in the template is long enough to accommodate the job lifecycle.
For more information, see Creating Certificate Templates.
Configure HPC soft card authentication on the cluster
To configure HPC soft card authentication on the cluster, set the cluster properties in the following table. To set the properties, run the cluscfg command or the Set-HpcClusterProperty Windows HPC PowerShell cmdlet.
Property | Description |
---|---|
HpcSoftCard | Specifies the HPC soft card authentication policy on the HPC Scheduler Service. Possible values are: |
HpcSoftCardTemplate | Specifies the name of the certificate template that will be used to create new HPC soft cards for the cluster. |
SoftCardExpirationWarning | Specifies the number of days until the soft card certificate expiration date. By default, this value is set to 5 days. If a user tries to submit a job within this number of days before the expiration date, or after the expiration date, the job will be rejected. The user will see an error message about the soft card expiration, and will need to generate a new soft card certificate before resubmitting the job. Note: To disable expiration warnings, you can set SoftCardExpirationWarning to 0. |
For example, use the following procedure to allow soft card authentication on the cluster, specify a certificate template, and configure a warning period for soft cards that are nearing their expiration date.
To configure soft card authentication on the cluster
To allow soft card authentication on the cluster, start HPC PowerShell as an Administrator and type:
Set-HpcClusterProperty -HpcSoftCard:Allowed
Or, at an elevated command prompt, type:
cluscfg setparams HpcSoftCard=Allowed
To specify the certificate template (for example, MySoftCardtemplate) that should be used to generate a soft card credential, start HPC PowerShell as an Administrator and type:
Set-HpcClusterProperty -HpcSoftCardTemplate MySoftCardtemplate
Or, at an elevated command prompt, type:
cluscfg setparams HpcSoftCardTemplate=MySoftCardtemplate
To configure a 3-day warning period for soft cards that are nearing their expiration date, start HPC PowerShell as an Administrator and type:
Set-HpcClusterProperty -SoftCardExpirationWarning 3
Or, at an elevated command prompt, type:
cluscfg setparams SoftCardExpirationWarning=3
Generate HPC soft card credentials
You can use HPC soft card credentials to submit jobs, run SOA sessions, and run diagnostic tests. Use the following commands to manage your HPC soft card credentials, or to set SOA or diagnostic credentials.
Task | HPC PowerShell | Command prompt |
---|---|---|
Get your HPC soft card credentials to submit jobs | Get-HpcJobCredential | hpccred getcreds |
Delete your cached credentials | Remove-HpcJobCredential | hpccred delcreds |
Cache your HPC soft card credentials on the cluster (jobs) | Set-HpcJobCredential -Softcard | hpccred setcreds /softcard |
Cache your HPC soft card credentials on the cluster (SOA) | $credential=Get-HpcSoaCredential; Set-HpcSoaCredential -Credential $credential | not available |
Cache your HPC soft card credentials on the cluster (diagnostics) | Set-HpcTestCredential -Softcard | test setcreds /softcard |
The following procedure shows how a cluster user can generate an HPC soft card certificate by using the hpccred command or the New-HpcSoftcard cmdlet. The commands generate a public key pair and obtain the certificate from the CA that is configured for your Active Directory domain. The certificate is based on the template that is specified by the HpcSoftCardTemplate cluster property. The certificate is placed in your personal certificate store on your computer.
Note
The computer that you log on to must have the HPC Pack client utilities installed.
To generate a new HPC soft card certificate
Log on to the computer with your smart card.
Use one of the following methods to generate an HPC soft card.
Start HPC PowerShell as an Administrator and type:
New-HpcSoftCard
Or, at a command prompt, type:
hpccred createcert
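The expiration rule described for the SoftCardExpirationWarning property, applied to soft card certificates before a job is submitted, as an added example that is not part of HPC Pack or of the original topic. The function name Test-SoftCardValidity, the sample subjects and dates, and the exact boundary comparisons are assumptions; the scheduler's own comparison may differ at the boundaries.

```powershell
# Added example, not HPC Pack code. The comparisons are an assumed reading of
# the SoftCardExpirationWarning rule described in this topic.
function Test-SoftCardValidity {
    param(
        [Parameter(Mandatory=$true)] [datetime] $NotAfter,  # certificate expiry
        [int]      $WarningDays = 5,                 # default stated in this topic
        [timespan] $JobRuntime  = [timespan]::Zero,  # expected job lifecycle
        [datetime] $Now         = (Get-Date)
    )
    if ($Now -ge $NotAfter) { return 'Rejected: certificate expired' }
    $remaining = $NotAfter - $Now
    # A value of 0 disables the warning window.
    if ($WarningDays -gt 0 -and $remaining.TotalDays -le $WarningDays) {
        return 'Rejected: inside expiration warning window'
    }
    # Not enforced at submission; flags a template validity period that is
    # too short for the job lifecycle.
    if ($remaining -lt $JobRuntime) { return 'Risk: expires before job completes' }
    return 'OK'
}

# Constructed sample certificates (hypothetical subjects and dates).
$now = [datetime]'2024-06-01'
$samples = @(
    (New-Object PSObject -Property @{ Subject = 'CN=user-a'; NotAfter = $now.AddDays(30) }),
    (New-Object PSObject -Property @{ Subject = 'CN=user-b'; NotAfter = $now.AddDays(5) }),
    (New-Object PSObject -Property @{ Subject = 'CN=user-c'; NotAfter = $now.AddDays(2) }),
    (New-Object PSObject -Property @{ Subject = 'CN=user-d'; NotAfter = $now.AddDays(-1) })
)

# Cluster configured with a 3-day warning period; the job is expected to run 7 days.
foreach ($cert in $samples) {
    $status = Test-SoftCardValidity -NotAfter $cert.NotAfter -WarningDays 3 `
        -JobRuntime ([timespan]::FromDays(7)) -Now $now
    '{0,-10} {1:yyyy-MM-dd}  {2}' -f $cert.Subject, $cert.NotAfter, $status
}

# Against the real personal store, where this topic says the soft card is placed:
# Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.HasPrivateKey } |
#     ForEach-Object { Test-SoftCardValidity -NotAfter $_.NotAfter -WarningDays 3 }
```

Pass the same value for -WarningDays that is set in the SoftCardExpirationWarning cluster property so the result matches what the cluster is configured to enforce.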
Submit a job with HPC soft card credentials
To submit a job by using the HPC soft card credentials
Use one of the following methods to delete any previously cached credentials.
Start HPC PowerShell as an Administrator and type:
Remove-HpcJobCredential
Or, at a command prompt, type:
hpccred delcreds
Submit a job. For example, you can submit a simple test job by using one of the following methods.
Start HPC PowerShell as an Administrator and type:
New-HpcJob | Add-HpcTask -Command "echo hello" | Submit-HpcJob
Or, at a command prompt, type:
job submit echo hello
When prompted, select which credentials to use.
Additional considerations
If you are using HPC soft card credentials, you cannot run jobs as a different user.
HPC soft card authentication is not supported for cluster deployment operations (for example, unattended installations and joining compute nodes to the domain).