ClusterEndpointIdentityType setting
This setting is only used in version 16.5 Update 17 and later.
The 'ClusterEndpointIdentityType' application configuration setting can be manually edited in the server file 'Palantir.IPS.Server.exe.config'; it cannot be modified in the IPS Manager UI. The setting should have the same value on all server machines in a cluster.
It is unlikely that you will need to modify this setting from the default. It may need to be changed if inter-server communication issues occur; this is usually associated with Windows environments that have been configured with high-level security restrictions.
Important: The default setting requires that the IPS Service Account is a Windows domain user account with a registered UPN.
Values for the setting
The default value ('Upn') configures IPS to use the IPS Service Account's UPN as the identity for inter-server communication. This is the recommended setting for most deployments and typically does not involve any further configuration.
Other possible values for the setting are:
- 'Spn': this will use the legacy SPN-based identity, as was used in previous versions of IPS/Planning Space (16.5 Update 16 and earlier);
- 'Dns': this will use the server DNS address as the identity;
- 'None': no identity will be configured (note: if the default setting of 'Upn' is used with a local user account as the IPS Service Account and a single-server deployment then the effective identity type will be 'None').
Note: The need for the change from SPN-based identity, and making the setting configurable, arose from a Microsoft Windows Security Update of January 2022, which imposed a more restricted security policy for inter-server communications.
Changing the setting in 'Palantir.IPS.Server.exe.config'
The setting is contained in the server file C:\Program Files\Palantir\PalantirIPS 16.5\Palantir.IPS.Server.exe.config.
Find the tag 'PalantirAppSettings' and it will initially appear like the following:
<PalantirAppSettings>
    <setting name="AuthorizedAdminGroup">Palantir IPS Admin</setting>
    <setting name="ClusterEndpointIdentityType">Upn</setting>
</PalantirAppSettings>
Replace 'Upn' with one of the other values, as defined above.
SPN registration
In environments where restrictive security policies are in place, and/or the ClusterEndpointIdentityType is configured to a non-default setting, the registration of SPNs may be required. For reference, SPN registration commands are provided below. However, it is recommended to consult Quorum Support for guidance on this advanced configuration. Note that SPN registration requires the use of a user account with domain administration rights.
If required, SPNs should be registered against the IPS Service Account, and the registration must be performed on every server machine in the cluster:
setspn -s IClusterSettingsSyncService/{server FQDN}:82/ClusterSettingsSyncService {IPS Service Account}
setspn -s IPeerSyncService/{server FQDN}:82/PeerSyncService {IPS Service Account}
setspn -s IClusterCacheService/{server FQDN}:82/ClusterCacheService {IPS Service Account}
setspn -s IDeploymentPackageHost/{server FQDN}:82/DeploymentPackageService {IPS Service Account}
where {server FQDN} is the fully qualified server name, e.g. 'ipsserver1.ips.company.com', and {IPS Service Account} is the name of the service account as registered in Windows Active Directory, e.g. 'COMPANYDOMAIN\ipsserviceuser'. '82' refers to the IPS Cluster Port, and you need to change this value if the default has been changed; see Service configuration.
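As an added example (not part of this documentation or of the IPS product), the following PowerShell script reads ClusterEndpointIdentityType from each server's config file over the C$ administrative share, warns if the value is not the same on every server, and then builds the four SPNs listed above for each server, querying Active Directory for existing registrations and printing (not running) the setspn -s commands that are still needed. The server names, service account, cluster port and the use of the C$ share are assumptions for illustration.

```powershell
# Added example: consistency check for ClusterEndpointIdentityType across an IPS cluster,
# followed by a dry run of the documented SPN registrations. Values below are constructed.
$Servers        = @('ipsserver1.ips.company.com', 'ipsserver2.ips.company.com')
$ClusterPort    = 82                               # IPS Cluster Port; change if non-default
$ServiceAccount = 'COMPANYDOMAIN\ipsserviceuser'   # IPS Service Account
$ConfigRelPath  = 'Program Files\Palantir\PalantirIPS 16.5\Palantir.IPS.Server.exe.config'

# Read the setting from every server's config (assumes read access to the C$ share).
$values = @{}
foreach ($s in $Servers) {
    $path = "\\$s\C$\$ConfigRelPath"
    [xml]$cfg = Get-Content -LiteralPath $path -Raw
    $node = $cfg.SelectSingleNode("//PalantirAppSettings/setting[@name='ClusterEndpointIdentityType']")
    # An absent element is treated here as the documented default, 'Upn'.
    $values[$s] = if ($node) { $node.InnerText.Trim() } else { 'Upn' }
}
$values.GetEnumerator() | Sort-Object Name | Format-Table -AutoSize

# The page requires the same value on all servers in the cluster; flag any mismatch.
$distinct = @($values.Values | Sort-Object -Unique)
if ($distinct.Count -gt 1) {
    Write-Warning "ClusterEndpointIdentityType differs across the cluster: $($distinct -join ', ')"
}

# Service class -> service name, exactly as in the documented setspn commands.
$ServiceMap = @{
    'IClusterSettingsSyncService' = 'ClusterSettingsSyncService'
    'IPeerSyncService'            = 'PeerSyncService'
    'IClusterCacheService'        = 'ClusterCacheService'
    'IDeploymentPackageHost'      = 'DeploymentPackageService'
}
foreach ($s in $Servers) {
    foreach ($svc in $ServiceMap.Keys) {
        $spn = "$svc/$($s):$ClusterPort/$($ServiceMap[$svc])"
        # setspn -Q only reads AD; it reports 'Existing SPN found!' when the SPN is registered.
        $query = & setspn -Q $spn 2>&1
        if ($query -match 'Existing SPN found') {
            Write-Host "already registered: $spn"
        } else {
            # Print the command for a domain administrator to review and run.
            Write-Host "setspn -s $spn $ServiceAccount"
        }
    }
}
```

Running the printed commands is a deliberate manual step, matching the page's advice to involve Quorum Support before changing SPN registrations.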