• 2019 Update 7
  • 03/31/2020

User Authorization

Intel® MPI Library Developer Guide for Windows* OS
Intel® MPI Library supports several authentication methods under the Microsoft Windows* OS:
  • Password-based authorization
  • Domain-based authorization with the delegation ability
  • Limited domain-based authorization
The password-based authorization is the most common method of providing remote node access through a user’s existing account name and password. Intel MPI Library allows you to encrypt your login information and store it in the registry with the mpiexec -register command. You need to do this once, during the first application run.
The domain-based authorization methods use the Security Service Provider Interface (SSPI) provided by Microsoft in a Windows environment. The SSPI allows the domain to authenticate the user on the remote machine in accordance with the domain policies. You do not need to enter and store your account name and password when using such methods.
Note
Both domain-based authorization methods may increase MPI task launch time in comparison with the password-based authorization. This depends on the domain configuration.
Note
The limited domain-based authorization restricts your access to the network. You will not be able to open files on remote machines or access mapped network drives.
This feature is supported on clusters under Windows HPC Server 2012 R2. Microsoft's Kerberos Distribution Center* must be enabled on your domain controller (this is the default behavior).
Using the domain-based authorization method with the delegation ability requires specific installation of the domain. You can perform this installation by using the Intel® MPI Library installer if you have domain administrator rights or by following the instructions below.

Active Directory* Setup

To enable the delegation in the Active Directory*, do the following:
  1. Log in on the domain controller under the administrator account.
  2. Enable the delegation for cluster nodes:
    1. Go to Administrative Tools.
    2. In the Active Directory Users and Computers administrative utility open the Computers list.
    3. Right click on a desired computer object and select Properties.
    4. If the account is located:
      • in a Windows 2000 functional level domain, check the Trust computer for delegation option;
      • in a Windows 2003 or newer functional level domain, select the Delegation tab and check the Trust this computer for delegation to any service (Kerberos only) option.
  3. Enable the delegation for users:
    1. In the Active Directory Users and Computers administrative utility open the Users list.
    2. Right click on a desired user object and select Properties.
    3. Select the Account tab and disable the Account is sensitive and cannot be delegated option.
  4. Register service principal name (SPN) for cluster nodes. Use one of the following methods for registering SPN:
    1. Use the Microsoft*-provided setspn.exe utility. For example, execute the following command on the domain controller:
      > setspn.exe -A impi_hydra/<host>:<port>/impi_hydra <host>
      where:
      • <host> is the cluster node name.
      • <port> is the Hydra port. The default value is 8679. Change this number only if your hydra service uses a non-default port.
    2. Log into each desired node under the administrator account and execute the command:
      > hydra_service -register_spn
Note
In case of any issues with the MPI task start, reboot the machine from which the MPI task is started. Alternatively, execute the command:
> klist purge
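To confirm the result of steps 2 to 4, the following PowerShell check reads the same settings back from Active Directory and also lists every other computer trusted for delegation, so that the setting stays limited to the intended cluster nodes. It is an added example, not part of the Intel guide; it assumes the RSAT ActiveDirectory module is installed, and the node names, user name and variable names are placeholders.

```powershell
# Added example, not from the Intel guide. Assumptions: the RSAT ActiveDirectory
# module is installed; the node and user names below are placeholders.
Import-Module ActiveDirectory

$Nodes = 'node01', 'node02'   # placeholder cluster node names
$Users = 'mpiuser'            # placeholder account that launches MPI jobs
$Port  = 8679                 # default Hydra port stated in this guide

# Steps 2 and 4: delegation flag and impi_hydra SPN on each cluster node.
$nodeReport = foreach ($n in $Nodes) {
    $c = Get-ADComputer -Identity $n -Properties TrustedForDelegation, ServicePrincipalName
    # SPN shape from the setspn example: impi_hydra/<host>:<port>/impi_hydra
    $spn = @($c.ServicePrincipalName -like "impi_hydra/*:${Port}/impi_hydra")
    [pscustomobject]@{
        Node                 = $c.Name
        TrustedForDelegation = [bool]$c.TrustedForDelegation
        HydraSpn             = $spn -join ', '   # empty when no SPN is registered
    }
}

# Step 3: "Account is sensitive and cannot be delegated" must be cleared.
$userReport = foreach ($u in $Users) {
    $a = Get-ADUser -Identity $u -Properties AccountNotDelegated
    [pscustomobject]@{
        User           = $a.SamAccountName
        CanBeDelegated = -not $a.AccountNotDelegated
    }
}

# Scope check: computers trusted for delegation that are not cluster nodes.
# Domain controllers carry this flag by design and will appear in the list.
$others = Get-ADComputer -Filter 'TrustedForDelegation -eq $true' |
    Where-Object { $_.Name -notin $Nodes }

$nodeReport | Format-Table -AutoSize
$userReport | Format-Table -AutoSize
'Other computers trusted for delegation:'
$others | Select-Object Name, DistinguishedName | Format-Table -AutoSize
```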
To select a user authorization method, use the I_MPI_AUTH_METHOD environment variable with the password, delegate, or impersonate argument. For more details, see the Developer Reference, section Miscellaneous > User Authorization.
