Developer Guide

User Authorization

The Intel® MPI Library supports several authentication methods under the Microsoft Windows* OS:
  • Password-based authorization
  • Domain-based authorization with the delegation ability
  • Limited domain-based authorization
The password-based authorization is the most common method of providing remote node access through a user’s existing account name and password. Intel MPI Library allows you to encrypt your login information and store it in the registry with the
mpiexec -register
command . You need to do this once, during the first application run.
The domain-based authorization methods use the Security Service Provider Interface (SSPI) provided by Microsoft in a Windows environment. The SSPI allows domain to authenticate the user on the remote machine in accordance with the domain policies. You do not need to enter and store your account name and password when using such methods.
Both domain-based authorization methods may increase MPI task launch time in comparison with the password-based authorization. This depends on the domain configuration.
The limited domain-based authorization restricts your access to the network. You will not be able to open files on remote machines or access mapped network drives.
This feature is supported on clusters under Windows HPC Server 2012 R2. Microsoft's Kerberos Distribution Center* must be enabled on your domain controller (this is the default behavior).
Using the domain-based authorization method with the delegation ability requires specific installation of the domain. You can perform this installation by using the Intel® MPI Library installer if you have domain administrator rights or by following the instructions below.

Active Directory* Setup

To enable the delegation in the Active Directory*, do the following:
  1. Log in on the domain controller under the administrator account.
  2. Enable the delegation for cluster nodes:
    1. Go to
      Administrative Tools
      .
    2. In the
      Active Directory Users and Computers
      administrative utility open the
      Computers
      list.
    3. Right click on a desired computer object and select
      Properties
      .
    4. Select the
      Delegation
      tab and check the
      Trust this computer for delegation to any service (Kerberos only)
      option.
  3. Enable the delegation for users:
    1. In the
      Active Directory Users and Computers
      administrative utility open the
      Users
      list.
    2. Right click on a desired user object and select
      Properties
      .
    3. Select the
      Account
      tab and disable the
      Account is sensitive and cannot be delegated
      option.
  4. Register service principal name (SPN) for cluster nodes. Use one of the following methods for registering SPN:
    1. Use the
      setspn.exe
      utility from Microsoft*. For example, execute the following command on the domain controller:
      > setspn.exe -A impi_hydra/<host>:<port>/impi_hydra <host>
      where:
      • <host>
        is the cluster node name.
      • <port>
        is the Hydra port. The default value is
        8679
        . Change this number only if your hydra service uses the non-default port.
    2. Log into each desired node under the administrator account and execute the command:
      > hydra_service -register_spn
In case of any issues with the MPI task start, reboot the machine from which the MPI task is started. Alternatively, execute this command:
> klist purge
To select a user authorization method, use the
I_MPI_AUTH_METHOD
environment variable with the
password
,
delegate
, or
impersonate
argument. For more details, see the
Developer Reference
, section User Authorization.

Product and Performance Information

1

Performance varies by use, configuration and other factors. Learn more at www.Intel.com/PerformanceIndex.