Billy Ray Valentine

Reputation: 569

Problem Connecting to a Secure Azure Service Fabric Cluster

I'm trying to connect to a one-node cluster created successfully but so far unable to connect from the node itself or from a separate client machine.

The setup is a one node cluster where the cluster and the server/node are the same. I'm using self-signed certificates and have (in theory) installed the primary and secondary certificates on the cluster/server and an admin and standard client certificate on a client machine.

If I install an unsecure cluster on the machine, I can successfully navigate to it via a browser, but when I create a secured cluster, I'm unable to connect.

Attempting to connect via PowerShell errors with "Failed to authenticate server identity".

Browsing to the server with Chrome just fails.

The cluster JSON config is as follows:

{
  "name": "SomeFancyCluster",
  "clusterConfigurationVersion": "1.0.0",
  "apiVersion": "10-2017",
  "nodes": [
    {
      "nodeName": "vm0",
      "iPAddress": "some.server.name",
      "nodeTypeRef": "NodeType0",
      "faultDomain": "fd:/dc1/r0",
      "upgradeDomain": "UD0"
    }
  ],
  "properties": {
    "diagnosticsStore": {
      "metadata": "Please replace the diagnostics file share with an actual file share accessible from all cluster machines.",
      "dataDeletionAgeInDays": "21",
      "storeType": "FileShare",
      "connectionstring": "c:\\ProgramData\\SF\\DiagnosticsStore"
    },
    "security": {
      "metadata": "The Credential type X509 indicates this is cluster is secured using X509 Certificates. The thumbprint format is - d5 ec 42 3b 79 cb e5 07 fd 83 59 3c 56 b9 d5 31 24 25 42 64.",
      "ClusterCredentialType": "Windows",
      "ServerCredentialType": "X509",
      "WindowsIdentities": {
        "ClusterIdentity": "some.server"
      },
      "CertificateInformation": {
        "ClusterCertificate": {
          "Thumbprint": "ab123456789123456789123456789123456789cd",
          "ThumbprintSecondary": "ef123456789123456789123456789123456789gh",
          "X509StoreName": "My"
        },
        "ServerCertificate": {
          "Thumbprint": "ab123456789123456789123456789123456789cd",
          "ThumbprintSecondary": "ef123456789123456789123456789123456789gh",
          "X509StoreName": "My"
        },
        "ClientCertificateThumbprints": [{
               "CertificateThumbprint": "ab123456789123456789123456789123456789ef",
               "IsAdmin": false
           }, {
               "CertificateThumbprint": "ab123456789123456789123456789123456789gh",
               "IsAdmin": true
           }]
      }
    },
    "nodeTypes": [
      {
        "name": "NodeType0",
        "clientConnectionEndpointPort": "19000",
        "clusterConnectionEndpointPort": "19001",
        "leaseDriverEndpointPort": "19002",
        "serviceConnectionEndpointPort": "19003",
        "httpGatewayEndpointPort": "19080",
        "reverseProxyEndpointPort": "30000",
        "applicationPorts": {
          "startPort": "20001",
          "endPort": "20031"
        },
        "ephemeralPorts": {
          "startPort": "20032",
          "endPort": "20287"
        },
        "isPrimary": true
      }
    ],
    "fabricSettings": [
      {
        "name": "Setup",
        "parameters": [
          {
            "name": "FabricDataRoot",
            "value": "C:\\ProgramData\\SF"
          },
          {
            "name": "FabricLogRoot",
            "value": "C:\\ProgramData\\SF\\Log"
          }
        ]
      }
    ]
  }
}

I've then attempted to connect, as per the docs, using the following PowerShell command:

Connect-ServiceFabricCluster -ConnectionEndpoint some.server.name:19000 -KeepAliveIntervalInSec 10 -X509Credential -ServerCertThumbprint <Server Thumbprint> -FindType FindByThumbprint -FindValue <Client Thumbprint> -StoreLocation CurrentUser -StoreName My

I installed the client certificate to 'Certificates - Current User/Personal/Certificates'.

On the server, the certificates are all in 'Certificates (Local Computer)/Personal/Certificates'.

The primary server/cluster certificate is also in 'Certificates (Local Computer)/Trusted Root Certification Authorities', with a CN equal to some.server.name.

Any ideas as to what's missing/wrong above?

Upvotes: 0

Views: 393

Answers (1)

SteppingRazor

Reputation: 1272

I have a feeling this is related to the ClusterIdentity field in the configuration. Could you tell me why you added it?

You are authenticating by certificate, so remove the WindowsIdentities section entirely and change ClusterCredentialType to X509 too if you want to connect to the cluster by certificate. Update the cluster configuration and you should be able to connect.

Otherwise, provide the -WindowsCredential parameter rather than a certificate while you are connecting.

Upvotes: 1
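As an added example (not code from the question or the answer), here is a PowerShell pre-flight check for a standalone cluster config like the one posted above. It flags the inconsistency the answer points at (ClusterCredentialType and ServerCredentialType disagreeing, a WindowsIdentities block left in an X509-secured cluster) and confirms that each referenced thumbprint is valid hex and is installed with a private key in the store the config names. The config path is an assumption, and the certificate-store checks are meant to run on the node itself.

```powershell
# Added example: sanity-check a standalone Service Fabric ClusterConfig.json
# before running New-ServiceFabricCluster / Connect-ServiceFabricCluster.
# The default path is an assumption; point it at your own config file.
param([string]$ConfigPath = '.\ClusterConfig.json')

$cfg = Get-Content -Raw -Path $ConfigPath | ConvertFrom-Json
$sec = $cfg.properties.security
$problems = @()

# 1. For certificate-based client connections both credential types should be
#    X509; a "Windows" cluster credential next to an "X509" server credential is
#    the mismatch the answer describes.
if ($sec.ClusterCredentialType -ne $sec.ServerCredentialType) {
    $problems += "ClusterCredentialType '$($sec.ClusterCredentialType)' differs from ServerCredentialType '$($sec.ServerCredentialType)'"
}

# 2. WindowsIdentities only belongs in a Windows-secured cluster.
if ($sec.ServerCredentialType -eq 'X509' -and $sec.PSObject.Properties['WindowsIdentities']) {
    $problems += "WindowsIdentities is present although ServerCredentialType is X509; remove the section"
}

# 3. Cluster and server thumbprints must be 40 hex chars (SHA-1) and present,
#    with a private key, in Cert:\LocalMachine\<X509StoreName> on the node.
$ci = $sec.CertificateInformation
$toCheck = @(
    @{ Role = 'ClusterCertificate'; Thumb = $ci.ClusterCertificate.Thumbprint; Store = $ci.ClusterCertificate.X509StoreName }
    @{ Role = 'ServerCertificate';  Thumb = $ci.ServerCertificate.Thumbprint;  Store = $ci.ServerCertificate.X509StoreName }
)
foreach ($item in $toCheck) {
    $t = ($item.Thumb -replace '\s', '').ToUpperInvariant()
    if ($t -notmatch '^[0-9A-F]{40}$') {
        $problems += "$($item.Role) thumbprint '$($item.Thumb)' is not a 40-character hex SHA-1 thumbprint"
        continue
    }
    $cert = Get-ChildItem -Path "Cert:\LocalMachine\$($item.Store)" | Where-Object { $_.Thumbprint -eq $t }
    if (-not $cert) {
        $problems += "$($item.Role) $t not found in Cert:\LocalMachine\$($item.Store)"
    } elseif (-not $cert.HasPrivateKey) {
        $problems += "$($item.Role) $t has no private key, so the node cannot use it for TLS"
    }
}

# 4. Client thumbprints are only matched on the server, so just validate the format.
foreach ($c in $ci.ClientCertificateThumbprints) {
    if (($c.CertificateThumbprint -replace '\s', '') -notmatch '^(?i)[0-9a-f]{40}$') {
        $problems += "Client thumbprint '$($c.CertificateThumbprint)' is not a 40-character hex thumbprint"
    }
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Host 'Config looks consistent for an X509-secured cluster.'
```

Run it as the account that will call Connect-ServiceFabricCluster; the thumbprint checks also catch the whitespace-separated format shown in the config's own metadata string, which must be collapsed before it is compared.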
