PI AF security considerations in failover clusters
- Last Updated Nov 21, 2025
- 3 minute read
- PI System
- PI Server 2024 R2
- PI Server
By default, PI System Explorer and other PI AF clients attempt to connect to the PI AF application service using Kerberos authentication. In failover clusters, you need to address special issues that arise when the PI AF application service is running using Kerberos security.
For a general description of how PI AF works with Kerberos authentication, see PI AF and Kerberos.
Configuration of PI AF application service to run under a domain account
In failover clusters, we recommend that the PI AF application service be run under a domain account. When the PI AF application service runs under a domain account, the PI AF server (the machine hosting the PI AF application service) always attempts to register a Service Principal Name (SPN) for that domain account, as long as the value is defined in the AFService.exe.config file. If the value is not defined in the AFService.exe.config file, the SPN is not registered.
Modification of SPN to use single registration of virtual server name
By default, if the SPN is registered, it is registered on each node in the failover cluster and uses the machine name as the host name. For example, in a two-node failover cluster with the PI AF application service installed, two SPNs would be registered, one for each node in the failover cluster. The SPN would be registered when the PI AF application service runs on the failover cluster node. So, you might have the following SPNs registered to your PI AF application service installed in a failover cluster: AFSERVER/Node1.domain.com and AFSERVER/Node2.domain.com.
In a failover cluster, you should register a single SPN for the PI AF application service that uses the virtual name of the failover cluster as the host, rather than one SPN for each node in the failover cluster that uses the machine name as the host name. When you use a single SPN with the virtual cluster name as the host, you ensure that PI AF clients always connect to the correct node within the failover cluster using Kerberos authentication.
Note: Single SPN registration of the virtual server name is also required if you are configuring a PI AF server to perform network load balancing.
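The following PowerShell audit is an added example and is not part of the AVEVA documentation or the PI AF product. It uses the built-in setspn tool to list the AFSERVER SPNs held by the service account, registers the single virtual-name SPN if it is missing (setspn -S refuses to create a duplicate), and reports any per-node SPNs that are still present so an administrator can review them. The account name DOMAIN\svc-piaf, the virtual name afcluster.domain.com and the node names are assumptions.

```powershell
# Added example, not AVEVA code: audit AFSERVER SPNs on the PI AF service account.
# Assumed names: DOMAIN\svc-piaf (service account), afcluster.domain.com (virtual
# cluster name), Node1/Node2.domain.com (cluster nodes).
$ServiceAccount = 'DOMAIN\svc-piaf'
$VirtualName    = 'afcluster.domain.com'
$NodeNames      = 'Node1.domain.com', 'Node2.domain.com'

# setspn -L prints a header line followed by one SPN per line; keep only AFSERVER/ entries
$registered = setspn -L $ServiceAccount |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -like 'AFSERVER/*' }

Write-Host "Current AFSERVER SPNs on ${ServiceAccount}:"
$registered | ForEach-Object { Write-Host "  $_" }

# Ensure the single virtual-name SPN exists. -S checks the domain for an existing
# holder first; a duplicate SPN on two accounts breaks Kerberos for both of them.
$wanted = "AFSERVER/$VirtualName"
if ($registered -notcontains $wanted) {
    setspn -S $wanted $ServiceAccount
}

# Per-node SPNs are reported, not deleted: the service re-registers them at start-up
# until the host name is overridden with the virtual name, so fix that first.
foreach ($node in $NodeNames) {
    if ($registered -contains "AFSERVER/$node") {
        Write-Warning "Per-node SPN AFSERVER/$node is still registered (remove with: setspn -D AFSERVER/$node $ServiceAccount)"
    }
}

# Forest-wide duplicate check; any SPN found on more than one account needs attention
setspn -X
```

Run this from an elevated prompt on a domain-joined machine with rights to modify the service account; the -S and -D operations write to Active Directory, the -L and -X operations are read-only.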
Configuration of _CLUSTER_NETWORK_NAME_ environment variable
In Windows Server 2008 R2, by default the environment variable is not defined (unlike some previous versions of Windows Server). The environment variable appears when the Use Network Name for computer name check box is selected in the Parameters tab for the cluster resource in Failover Cluster Manager. The cluster resource must also have a dependency of a resource type, or else the check box will be disabled in the Parameters tab.
After the environment variable is defined, the is assigned to the variable value. This variable is stored in the registry in the multi-string value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\AFService.
If the environment variable is not defined, the host name can be overridden by setting the value in the section of the AFService.exe.config file. The value needs to be set to the virtual name of the failover cluster.
Note: If you need to remove the multi-string value that holds the environment variable, use the Failover Cluster Manager to take the PI AF application service resource offline. Next, deselect the Use Network Name for computer name check box for the PI AF application service resource. Then, bring the PI AF application service resource back online. The multi-string value that holds the environment variable is then removed from the registry.
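As an added example (not AVEVA code), the PowerShell check below reads the AFService service key and confirms that _CLUSTER_NETWORK_NAME_ resolves to the cluster's virtual name, then cross-checks the Failover Cluster Manager setting with the FailoverClusters module. It assumes the multi-string value is named Environment (the per-service REG_MULTI_SZ that Windows applies to a service's process at start), that the cluster resource is called PI AF Application Service, that its UseNetworkName parameter mirrors the Use Network Name for computer name check box, and that the virtual name is afcluster.domain.com.

```powershell
# Added example, not AVEVA code: verify the _CLUSTER_NETWORK_NAME_ plumbing for AFService.
# Assumptions: value name 'Environment', resource name 'PI AF Application Service',
# parameter name 'UseNetworkName', virtual name afcluster.domain.com.
$ExpectedVirtualName = 'afcluster.domain.com'
$ServiceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\AFService'

function Get-AFClusterNetworkName {
    # Returns the host name AFService will see, or $null if the variable is absent
    $envValue = (Get-ItemProperty -Path $ServiceKey -Name 'Environment' -ErrorAction SilentlyContinue).Environment
    if (-not $envValue) { return $null }
    # Each element has the form NAME=value; pick the cluster entry
    $entry = $envValue | Where-Object { $_ -like '_CLUSTER_NETWORK_NAME_=*' } | Select-Object -First 1
    if ($entry) { return $entry.Split('=', 2)[1] }
    return $null
}

$actual = Get-AFClusterNetworkName
if (-not $actual) {
    Write-Warning "_CLUSTER_NETWORK_NAME_ is not set; AFService will register an SPN with this node's machine name unless the host name is overridden in AFService.exe.config."
} elseif ($actual -ne $ExpectedVirtualName) {
    Write-Warning "_CLUSTER_NETWORK_NAME_ is '$actual', expected '$ExpectedVirtualName'."
} else {
    Write-Host "OK: AFService will use $actual as its host name."
}

# Cross-check against the cluster configuration (run on a cluster node with the
# FailoverClusters module installed); the check box is disabled without a dependency
$resource = Get-ClusterResource -Name 'PI AF Application Service' -ErrorAction SilentlyContinue
if ($resource) {
    $useNetName = ($resource | Get-ClusterParameter -Name 'UseNetworkName').Value
    Write-Host "Use Network Name for computer name: $useNetName (1 = selected)"
    $deps = $resource | Get-ClusterResourceDependency
    Write-Host "Dependencies: $($deps.DependencyExpression)"
} else {
    Write-Warning "Cluster resource not found; adjust the resource name assumption."
}
```

Running the check on each node after a failover confirms that the registry value travels with the resource, which is what keeps the host name, and therefore the Kerberos SPN the clients request, identical regardless of which node is active.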