© 2015 ScaleArc. All Rights Reserved.

ScaleArc Active Directory Integration


Copyrights and Trademarks

Copyright © 2009-2016 ScaleArc, all rights reserved.

The information contained in this document is subject to change without notice.

Reproduction, adaptation or translation without prior written permission is prohibited, except as allowed under the copyright laws.

ScaleArc® and ScaleArc iDB® are registered trademarks of ScaleArc and/or its affiliates in the U.S, India and certain other countries.

CentOS is a trademark of the CentOS Project

SQL Server is a registered trademark of Microsoft

Active Directory is a registered trademark of Microsoft

Samba is licensed under the GNU General Public License

Kerberos is licensed by the Massachusetts Institute of Technology

Other company and product names mentioned herein can be trademarks or registered trademarks of their respective companies and should be treated as such.

Publication Change Record

The following table records all revisions to this publication. The first entry is always the publication's initial release. Each entry indicates the date of the release and the number of the system release to which the revision corresponds.

Document ID         Date         System Release
ScaleArc-ADI-0001   03/06/2015   ScaleArc 3.5.1
ScaleArc-ADI-0001   11/20/2015   ScaleArc 3.8


Contents

Copyrights and Trademarks  1
Publication Change Record  1
About this Document  3
    Audience  3
    Naming Conventions  3
    Typographical Conventions  3
    Contacting ScaleArc  3
How ScaleArc handles User Authentication  4
ScaleArc Active Directory Integration  4
    What is a Backup Domain Controller (BDC)  5
    What authentication method does ScaleArc use  5
        Why does ScaleArc use Kerberos  5
    How secure is the BDC Service that is running on ScaleArc  6
Setting up ScaleArc AD Authentication Integration  6
    Domain's functional level and SMB Version  7
    How to join ScaleArc to the Domain  7
        DNS Entries  7
        NTP Service  7
        Network Settings  8
        Windows AD Setup  9
Appendix A  11
    Frequently Asked Questions  11
Appendix B  13
    For systems installed prior to ScaleArc Version 3.8  13


About this Document

This document describes how ScaleArc handles user authentication and Active Directory integration, and finally how to implement AD integration. It has three primary goals:

1. To clarify what options are available for managing DB user accounts within ScaleArc.
2. To demonstrate what the ScaleArc Active Directory integration is, how it works, and how ScaleArc implements it.
3. To describe the steps required to integrate ScaleArc with an Active Directory Domain.

Audience

This document is for Active Directory Administrators and SQL Server Administrators who are considering integrating ScaleArc with their Active Directory Domain.

Naming Conventions

The term "AD" refers to Microsoft Active Directory.

The term "ADC" refers to Microsoft Active Directory Controller.

The term "BDC" refers to Backup Domain Controller.

The term "R/W" refers to read/write SQL traffic.

The term "DC" refers to an Active Directory Domain Controller.

The term "FQDN" refers to Fully Qualified Domain Name.

Typographical Conventions

The document uses different typefaces to indicate different kinds of information. The following table explains these typographical conventions.

Font         Meaning
Typewriter   Indicates error messages, file names, or screen output
Bold         Indicates a command line; indicates information to be entered exactly as shown
Italics      Indicates important notes or tips

Contacting ScaleArc

Product support can be obtained by contacting Customer Support at:

Sales:

• [email protected]
• +1-408-837-2250

Technical Support:

• https://support.scalearc.com
• [email protected]


How ScaleArc handles User Authentication

There are three methods for ScaleArc to manage DB user authentication.

1. In the simplest case, ScaleArc can "passthrough" the transaction to the Primary Server, a.k.a. the Read+Write server, allowing the server to manage the authentication as well as the SQL statements that follow. However, the read/write split and stateful database failover features are not available in "passthrough" mode. In addition, a passthrough transaction cannot be failed over to the Standby Server in the event of an automatic database failover.

2. You may choose to manually enter the AD usernames and passwords into ScaleArc. ScaleArc can then use these provided credentials to establish pre-connections to a database server. This functionality enables users to use the ScaleArc advanced feature set, such as read/write split, stateful database failover, analytics and caching of query result sets. However, any changes to users' passwords, additions/deletions of users, or changes to users' access control to SQL Server via AD groups must be manually maintained within both SQL Server and ScaleArc (which can be done either through the UI or the ScaleArc REST API).

3. You can also set up ScaleArc as a Backup Domain Controller (BDC), but only for password and database user sync and not as a true BDC. This allows ScaleArc to make a read-only copy of the Active Directory catalog for the specified domain. In this mode, ScaleArc continuously updates its local encrypted password database by synchronizing it with the AD. Using this method, users configured within SQL Server with permissions to the SQL assets will be automatically fetched to ScaleArc, and any changes to those users within AD will be automatically reflected within ScaleArc.

User Authentication Approach   Caching   Read/Write Split   Authentication Offload   Auto Failover   Account Sync
Passthrough                    Yes       No                 No                       No              No
Manual Entry                   Yes       Yes                Yes                      Yes             No
AD Synchronization             Yes       Yes                Yes                      Yes             Yes

ScaleArc Active Directory Integration

To implement the third option, ScaleArc integrates with an Active Directory Controller by becoming a limited Backup Domain Controller. This gives ScaleArc a local, encrypted copy of the SAM database, which allows it to quickly authenticate incoming users and offload this work from the database itself.


When implemented, the Active Directory Architecture typically looks like the following:

What is a Backup Domain Controller (BDC)

To understand what a BDC is, you must first understand what a domain controller is. A domain controller (DC) is a machine that is able to answer logon requests from network workstations or applications. A backup domain controller (BDC) is a machine that contains a read-only copy of the Security Account Manager (SAM) database and has an established trust relationship with the Active Directory Controller (ADC). Because of the established trust with the ADC, systems can request authentication verification from the BDC, and the acceptance of the authentication is considered valid by the requesting workstation or application.

What authentication method does ScaleArc use

AD uses two authentication methods for requesting hosts or applications. The first is the NT NetLogon Service (NTLM), which is now in version 2 and has been supported natively since Windows 2000. The second method is Kerberos, which is the method that ScaleArc uses when configured as a BDC for collecting user account information.

Why does ScaleArc use Kerberos

The most important reason for using Kerberos is that NTLM requires the original username and password as well as a direct connection to the originating machine requesting authentication. Kerberos has a major advantage in that it uses session-specific keys. With Kerberos, the original password is only authenticated by either the ADC or the BDC when the user first logs on to the Kerberos realm (AD domain). Once that authentication succeeds, the session-specific keys provided earlier by the authenticating server can authenticate the host/application to any other service.


How secure is the BDC Service that is running on ScaleArc

ScaleArc's implementation of BDC leverages the open source implementation of Samba 4. ScaleArc's implementation of Samba is a non-LDAP BDC, in that ScaleArc will not become a true BDC to Active Directory. This means that while ScaleArc will have a backup copy of the SAM, it will not be openly registered as a domain controller for standard authentication. To integrate ScaleArc into an Active Directory subdomain you must enter the username and password of a user with domain admin privileges. Using these credentials, ScaleArc will establish a trust relationship with the ADC and download a copy of the SAM. The SAM is encrypted with keys that are provided by the ADC and validated by the credentials provided when the trust is established. The domain admin username and password that were provided to create the trust relationship are not stored by ScaleArc and are only used at the time of setup. Once the trust relationship is set up, Samba will create a computer service account within AD that it will use to maintain a copy of the AD SAM.

Setting up ScaleArc AD Authentication Integration

Caveats:

• ScaleArc can only work with one domain within an AD forest. However, if the users who will be authenticating through ScaleArc to the SQL Server environments are members of multiple domains, then consider adding the users to ScaleArc manually or via the API for authentication.

• If you have a small number of AD users/accounts (less than 20 or so), it may be easier overall to manage such users individually through ScaleArc. The integration feature is meant to manage a large number of users whose passwords change frequently and at variable times without administrator knowledge. Manual entry does require password changes to be maintained by the administrator within ScaleArc.

Prerequisites:

• The forest must accept domains that can operate at the 2008R2 functional level
• The domain must be at the 2008R2 functional level or lower
   o Information about functional levels: https://technet.microsoft.com/en-us/library/understanding-active-directory-functional-levels%28v=ws.10%29.aspx
• The Server Message Block (SMB) version 1 protocol must be enabled on the domain


Domain's functional level and SMB Version

1. Log in, as a domain admin, to the ADC that ScaleArc will establish the trust relationship with
2. Launch PowerShell as an administrator
3. To check the forest functional level, run the command below:

   Get-ADForest | format-table name, forestmode

4. To check the domain functional level, run the command below:

   Get-ADDomain | format-table name, domainmode

5. To check that SMB 1 is installed, run the command below (note: this will install SMB1 if it is not already installed):

   Get-WindowsFeature fs-smb1

6. If the AD domain is at a functional level above 2008R2, downgrade the domain functional level:

   Set-ADDomainMode -Identity "Domain FQDN" -DomainMode Windows2008R2Domain

   Note: you must restart the ADC after this change is made.
   Note: you may get an error that the functional level cannot be set because of forest compatibility. If that is the case, you can downgrade the forest functional level by logging into the forest domain as an Enterprise Admin and running the command below in PowerShell:

   Set-ADForestMode -Identity "Forest FQDN" -ForestMode Windows2008R2Forest

How to join ScaleArc to the Domain

DNS Entries

ScaleArc should already have been added to the DNS entries for the network. In addition, for AD integration to work, it must also have a reverse DNS entry.

NTP Service

You will need to set the NTP server to be the ADC that ScaleArc will establish the trust relationship with:

1. Log in to the ScaleArc UI
2. Go to Settings -> System Settings, then select the System Config tab


3. Under the Date and Time Zone section, type in the FQDN of the ADC, then click Apply

Network Settings

The primary DNS server should be set to either of the following:

a. An AD server that has the DNS service running on it, so it can resolve the FQDN of the AD.
b. A DNS server that can resolve the hostnames of both ScaleArc and the AD server.
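The checks above (forest and domain functional level, SMB1, forward and reverse DNS for ScaleArc) collected into one read-only pre-flight script, as an added example that is not part of the ScaleArc guide. It runs on the ADC as a domain admin; the ScaleArc FQDN you pass in is a placeholder for the name you registered in DNS, and the module names are the standard Windows Server ones.

```powershell
# Added example, not from the ScaleArc guide: read-only pre-flight check of the
# prerequisites for the Samba-based domain join. Run on the ADC as a domain admin.
Import-Module ActiveDirectory
Import-Module ServerManager

function Test-ScaleArcAdPrereqs {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$ScaleArcFqdn)   # placeholder: your ScaleArc DNS name

    $forest = Get-ADForest
    $domain = Get-ADDomain

    # The guide requires 2008R2 functional level or lower. The mode enums are
    # ordered by OS release, so a numeric compare expresses "at or below 2008R2".
    $maxForest = [int][Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
    $maxDomain = [int][Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008R2Domain
    $forestOk  = [int]$forest.ForestMode -le $maxForest
    $domainOk  = [int]$domain.DomainMode -le $maxDomain

    # SMB1 must be enabled on the domain for the Samba-based join to work.
    $smb1 = Get-WindowsFeature -Name FS-SMB1

    # ScaleArc needs both a forward (A) record and a reverse (PTR) record.
    $forward = Resolve-DnsName -Name $ScaleArcFqdn -Type A -ErrorAction SilentlyContinue
    $reverse = $null
    if ($forward) {
        $ip = ($forward | Where-Object { $_.Type -eq 'A' } | Select-Object -First 1).IPAddress
        if ($ip) {
            $reverse = Resolve-DnsName -Name $ip -Type PTR -ErrorAction SilentlyContinue
        }
    }

    $report = [pscustomobject]@{
        Forest        = $forest.Name
        ForestMode    = [string]$forest.ForestMode
        ForestOk      = $forestOk
        Domain        = $domain.DNSRoot
        DomainMode    = [string]$domain.DomainMode
        DomainOk      = $domainOk
        Smb1Installed = [bool]$smb1.Installed
        ForwardDnsOk  = [bool]$forward
        ReverseDnsOk  = [bool]$reverse
    }
    $report | Format-List

    # Point at the guide's remediation steps instead of applying them: downgrading
    # the domain level also gives up 2012R2-only features such as the Protected
    # Users group (see Appendix A), so that decision belongs to the AD admin.
    if (-not $forestOk) { Write-Warning "Forest is above 2008R2: see the Set-ADForestMode step" }
    if (-not $domainOk) { Write-Warning "Domain is above 2008R2: see the Set-ADDomainMode step" }
    if (-not $report.Smb1Installed) { Write-Warning "FS-SMB1 feature is not installed" }
    if (-not $report.ForwardDnsOk)  { Write-Warning "No A record for $ScaleArcFqdn" }
    if (-not $report.ReverseDnsOk)  { Write-Warning "No PTR record for $ScaleArcFqdn" }
    return $report
}

# Usage (placeholder name): Test-ScaleArcAdPrereqs -ScaleArcFqdn 'scalearc.corp.example.com'
```

Clock skew between ScaleArc and the ADC (the FAQ's 5-minute limit) has to be measured on the ScaleArc side, since the appliance is not a Windows host; this script does not cover it.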


Windows AD Setup

1. Go to Settings -> System Settings, then select the Windows AD Setup tab
2. Enter the FQDN of the AD domain you want ScaleArc to establish the trust relationship with
3. Enter the NetBIOS name of the domain
4. Enter the ADC server that will establish and validate the trust relationship
5. Enter the domain administrator username and password
6. Click Join the AD Domain


Appendix A

Frequently Asked Questions

1) What are the drawbacks of downgrading the functional level of Active Directory?

Recently many customers have raised questions and security concerns about the drawbacks of demoting the functional level of their Windows 2012R2 installation of AD. The following description tries to address that concern, giving links to Microsoft documentation where relevant.

What's new in Windows 2012R2 Active Directory

In this version of AD, Microsoft has introduced better support for Kerberos. This was done in two parts and as two releases of the server OS.

Windows 2012 - This is the release that gives the Windows setup better Kerberos support and also introduces new features for Kerberos.

Windows 2012R2 - In this release a new group was introduced, called the Protected Users group. When a user is added to this group, the default authentication policy will be Kerberos, and it will not fall back to any other authentication policy such as NTLM or LanMan. [Source: https://technet.microsoft.com/en-us/library/understanding-active-directory-functional-levels]

The above changes are in the domain functional level, so customers who intend to use the Protected Users group are advised not to demote the domain level. There are no changes in the forest functional level, so it is safe to demote.

2) What are the known problems or issues with integrating with Active Directory?

• ScaleArc will start accepting delegation for Kerberos-based authentication.

This is because by default AD sets up any system as Trusted for Delegation (Kerberos only). This can be stopped from the AD side by stopping delegation of authentication to ScaleArc, which is a settings change within Active Directory Users and Computers. (See: http://blogs.msdn.com/b/autz_auth_stuff/archive/2011/05/03/kerberos-delegation.aspx)

• ScaleArc is not able to join a domain that has a sub-domain or a ghost domain under it.

Due to Samba's behavior, it tries to clone all the objects that exist under the domain. When it tries to clone the sub-domain and then tries to change the permissions on the local copy, it fails, which causes the domain join to fail. In the case of a ghost domain, please delete the ghost domain and then try to perform the integration again.


• Domain join failed

This can happen for many reasons, a few of which are:
   o Windows AD running at the 2012 R2 domain and forest functional level.
   o The clocks on the AD and ScaleArc are out of sync and have more than 5 minutes of skew; use the AD as the NTP server on ScaleArc.
   o ScaleArc is not able to resolve the AD; please check the DNS or make the AD the primary DNS on ScaleArc.

• Integrating with child domains that have Exchange extensions installed.

In some deployments we have seen the Exchange 2013 extension installed on each of the child domain servers. Currently Samba does not support this, due to which the AD will show errors such as error code 1791, replication broken. The result is that the SAM DB replication that ScaleArc needs might not work. Although this error is harmless if it is for the ScaleArc machine in the AD, some customers may not like it.

• Even after joining the domain, ScaleArc is not able to see fetched users in the UI.

ScaleArc only shows the users that have access to the SQL Servers that are added in the ScaleArc cluster. If there are no users added in the SQL Server Security and Logins, then none will be shown. Please check the users that exist in the SQL Server for access.
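The delegation item in question 2 says the fix is to stop delegation of authentication to the ScaleArc computer account in Active Directory Users and Computers. The same audit and change as a PowerShell script, added here as an example that is not from the ScaleArc guide; the computer account name is an assumption, so pass the name ScaleArc joined the domain with.

```powershell
# Added example, not from the ScaleArc guide: inspect and clear the Kerberos
# delegation trust on the computer account Samba created for ScaleArc.
Import-Module ActiveDirectory

function Get-ScaleArcDelegationState {
    param([Parameter(Mandatory)][string]$ComputerName)   # assumption: ScaleArc's AD computer name
    $props = 'TrustedForDelegation', 'TrustedToAuthForDelegation',
             'msDS-AllowedToDelegateTo', 'ServicePrincipalName'
    $acct = Get-ADComputer -Identity $ComputerName -Properties $props
    [pscustomobject]@{
        Name                    = $acct.Name
        # TRUSTED_FOR_DELEGATION bit: the account may impersonate any caller to any service
        UnconstrainedDelegation = [bool]$acct.TrustedForDelegation
        # TRUSTED_TO_AUTH_FOR_DELEGATION bit (protocol transition)
        ProtocolTransition      = [bool]$acct.TrustedToAuthForDelegation
        # Constrained delegation targets, if any were ever configured
        ConstrainedTargets      = @($acct.'msDS-AllowedToDelegateTo')
        ServicePrincipalNames   = @($acct.ServicePrincipalName)
    }
}

function Disable-ScaleArcDelegation {
    param([Parameter(Mandatory)][string]$ComputerName)
    $acct = Get-ADComputer -Identity $ComputerName -Properties 'msDS-AllowedToDelegateTo'
    # Same effect as clearing "Trust this computer for delegation to any service
    # (Kerberos only)" on the account's Delegation tab in AD Users and Computers.
    $acct | Set-ADAccountControl -TrustedForDelegation $false -TrustedToAuthForDelegation $false
    if ($acct.'msDS-AllowedToDelegateTo') {
        Set-ADComputer -Identity $acct -Clear 'msDS-AllowedToDelegateTo'
    }
    Get-ScaleArcDelegationState -ComputerName $ComputerName
}

# Wider sweep for the state the FAQ describes: every non-DC computer account that
# is trusted for unconstrained delegation, so ScaleArc is not the only one checked.
function Get-UnconstrainedDelegationComputers {
    $dcDns = (Get-ADDomainController -Filter *).ComputerObjectDN
    Get-ADComputer -Filter { TrustedForDelegation -eq $true } -Properties TrustedForDelegation |
        Where-Object { $dcDns -notcontains $_.DistinguishedName } |
        Select-Object Name, DistinguishedName
}

# Usage (placeholder name):
#   Get-ScaleArcDelegationState -ComputerName 'SCALEARC01'
#   Disable-ScaleArcDelegation  -ComputerName 'SCALEARC01'
#   Get-UnconstrainedDelegationComputers
```

Run the audit before and after the join so the state the FAQ describes is visible in your own directory rather than assumed.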

3) Can ScaleArc perform LDAP authentication?

No, the openldap service is not installed with ScaleArc. But Samba gets ScaleArc listed as a valid LDAP server, since it has to make GC entries to have valid DNS lookup and start the DRS replication of Samba. Sometimes applications use LDAP and want to list all the servers that can listen for LDAP requests. The very crude way of doing that is:

   nslookup domain.com

What this does is list all the AD servers in the domain. When you join ScaleArc as a BDC, it will also be listed as an AD controller, but using it for LDAP authentication will always fail. The better way of finding the LDAP servers in your domain is to query the LDAP SRV record:

   nslookup -type=any _ldap._tcp.domain.com

4) Can ScaleArc do WINS, NBNS, or DNS name resolution?

No, these services are not installed, or are blocked, on ScaleArc.


ScaleArc is the leading provider of database load balancing software. The ScaleArc software inserts transparently between applications and databases, creating an agile data tier that provides continuous availability and increased performance for all apps. With ScaleArc, enterprises also gain instant database scalability and a new level of real-time visibility for their application environments, both on prem and in the cloud. Learn more about ScaleArc, our customers, and our partners at www.ScaleArc.com.

© 2015 ScaleArc. All Rights Reserved. ScaleArc and the ScaleArc logo are trademarks or registered trademarks of ScaleArc in the United States and other countries. All brand names, product names, or trademarks belong to their respective holders.

11/20/2015

2901 Tasman Drive, Suite 205 Santa Clara, CA 95054 Phone: 1-408-780-2040 Fax: 1-408-427-3748 www.scalearc.com


Appendix B

For systems installed prior to ScaleArc Version 3.8

If you installed ScaleArc prior to version 3.8, you will need to run the command below on the ScaleArc console before joining the domain. This change will keep ScaleArc from being published as an LDAP controller within DNS.

1. Log in to the ScaleArc console
2. Run the command below:

   sudo sed -i '/ldap/ s/^/#/' /usr/local/samba/share/setup/dns_update_list

3. Log out of the console and proceed with joining ScaleArc to the domain.