Changes to SPN registration on cluster in ExtremeZ-IP 5.2 and 7.0.1

1 Star2 Stars3 Stars4 Stars5 Stars
  • Product:
  • Version:
  • Document Type:
  • Revised:
  • Reviewed:


ExtremeZ-IP introduces changes to registration of service principal names (SPNs) in cluster environments. These changes can effect clients connecting to ExtremeZ-IP using Kerberos authentication.


Prior to version 5.2, ExtremeZ-IP would register the SPN against the individual cluster node. In 5.2, this behavior was modified so that registration is performed against the cluster object. For example, the following setup:

Cluster object: CLUSTER01
Node 1: NODE01
Node 2: NODE02

would yield the following SPNs on NODE01:

5.1 and earlier: afpserver/
5.2 and later: afpserver/

Additionally, starting with ExtremeZ-IP 7.0.1, we also register the SPN short name. For this example, we register:

Short name: afpserver/CLUSTER01
Long name: afpserver/

These changes allow Macintosh clients to see the same SPN even after cluster failover. Previously, clients would see a new SPN after failover, since the registration would be against the second node of the cluster.

Changes to permissions within Active Directory

Some additional permissions may need to be assigned in Active Directory in order for this new SPN to be registered. By default, individual nodes do not have permission to register an SPN for the cluster object. To make the changes to permissions:

  1. On the domain controller launch Active Directory Users & Computers.
  2. Within the view menu enable the “Advanced Features” checkbox.
  3. Locate the computer object for the cluster virtual server (e.g CLUSTER01).
  4. Right click it and select properties, then go to security tab.
  5. Add the computer object for each node of the cluster, e.g. NODE01. Be sure you have the “computers” category checked when searching for the computer object.
  6. For each node added be sure the following rights are set: “Reset password”, “Validated write to DNS Host Name” and “Validated write to service principal name”.

Once these changes have been made, the SPN should properly register the next time the ExtremeZ-IP service is started. In the event that these permissions changes have not been made, ExtremeZ-IP will fail to register the SPN, and will default to the older method of SPN registration.

In the event that the Active Directory changes described above do not allow ExtremeZ-IP to register the SPN against the cluster object, please see the Microsoft Knowledge Base article below for more information.

Related Article: