
Re: [HTCondor-users] HTCondor with smartcard logon

I met with some people from the USGS office in Madison a few weeks ago about this very issue. When last I spoke to them, they were in the process of implementing my suggested workaround, but I don't know if they ever completed that.

What it comes down to is this:

There is no way for HTCondor to run jobs under a user account that requires smartcard authentication.   As far as I know, it's impossible for ANY service process to run on an account that requires two-factor authentication - jobs running on your Windows execute nodes are just a special case of this.   

Normally on Windows, the HTCondor daemons run as local system. I'm fairly confident that your local system accounts don't require smartcard authentication, which is why you are able to start HTCondor at all.

When it's time to run a job, HTCondor does this by creating a process as another user, so that jobs don't run as local system.  By default, when HTCondor runs a job it uses the 'nobody' user, which on Windows really means that we use a dynamically created user with a name like condor-slot1 or condor-reuse-slot1.   We use a different username for each slot so that jobs cannot mess with each other. 

By default HTCondor will create these dynamic users as members of the Windows local group "Users", but you can use a configuration knob to control what group HTCondor will use.   This knob provides the first (and IMO best) way to solve the smart-card authentication problem.   

The procedure is this:

1) Use the Windows user management tools to create a new group called CondorSlotUsers.  

1a) If you have any users with names matching condor-slot* or condor-reuse-slot* on this machine, remove them from group Users and add them to group CondorSlotUsers.

1b) Use the Windows Local System Policy to set policies for the CondorSlotUsers group.

    It's important that this group have the ability to login without needing the smartcard.  But this group does not need to be able to login interactively. It only needs read/write access to the condor execute directory and the ability to open a socket connection back to the schedd.  The CondorSlotUsers group can have VERY few rights. 

2) Configure HTCondor to add 'nobody' users to this group when it creates them by setting

3) (maybe needed).  Change the permissions on the c:\condor\execute directory so that the CondorSlotUsers group has read/write access. 

That's it.  

You can get the same effect by creating dedicated slot users rather than a special group, but most of the steps are the same.

1) Use the Windows user management tools to create new users called cndrusr1, cndrusr2, etc.

1a) Use Windows Local System Policy editor to remove the smartcard requirement for these users.   (you can also turn off interactive logins and anything else you like). 

2) Configure HTCondor to use these users rather than the dynamic 'nobody' users.

     SLOT1_USER = cndrusr1
     SLOT2_USER = cndrusr2


From: HTCondor-users <htcondor-users-bounces@xxxxxxxxxxx> on behalf of Zach Miller <zmiller@xxxxxxxxxxx>
Sent: Friday, October 2, 2015 11:18 AM
To: HTCondor-Users Mail List
Subject: Re: [HTCondor-users] HTCondor with smartcard logon

> -----Original Message-----
> From: HTCondor-users [mailto:htcondor-users-bounces@xxxxxxxxxxx] On Behalf
> Of Durnan, Andy
> Sent: Friday, October 02, 2015 8:47 AM
> To: htcondor-users@xxxxxxxxxxx
> Subject: [HTCondor-users] HTCondor with smartcard logon
> Hello,
> All job submissions go idle when smartcard authentication is enforced. I've
> implemented credd per the guidance in the 8.4.0 manual to no avail.

The high-level issue here is that in order to run jobs on the execute machines as a specific user, HTCondor needs to "log in" as that user on the execute machine before running the job.

When you are requiring smartcard logon, HTCondor can no longer do that, even if you have stored the password using the CredD.

One option is to run the jobs as either "nobody" users or "slot users".  Check out this section:

And this one:

Basically, if you'll require smartcard logon, jobs will not be allowed to run as their owner.  This is normally the default on Windows, so have you changed settings such as STARTER_ALLOW_RUNAS_OWNER?
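
Steps 1, 1a and 3 of the group-based procedure in the first message of this thread, as an added PowerShell example that is not part of any poster's message or of HTCondor itself. The group name, account-name patterns and `c:\condor\execute` path come from that message; S-1-5-32-545 is the well-known SID of the built-in Users group. Step 1b is a policy setting and the configuration knob for step 2 is not named on the page, so neither is scripted.

```powershell
#Requires -RunAsAdministrator
# Added example. Needs the Microsoft.PowerShell.LocalAccounts module
# (Windows PowerShell 5.1). Adjust $ExecuteDir if HTCondor is installed elsewhere.

$Group      = 'CondorSlotUsers'
$UsersSid   = 'S-1-5-32-545'            # BUILTIN\Users, independent of UI language
$ExecuteDir = 'C:\condor\execute'
$Patterns   = 'condor-slot*', 'condor-reuse-slot*'

# Step 1: create the group if it does not exist yet.
if (-not (Get-LocalGroup -Name $Group -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name $Group -Description 'HTCondor slot accounts' | Out-Null
}

# Step 1a: find existing slot accounts and move them from Users to the new group.
$slotUsers = Get-LocalUser | Where-Object {
    $name = $_.Name
    $Patterns | Where-Object { $name -like $_ }
}
$inUsers = (Get-LocalGroupMember -SID $UsersSid).SID.Value
$inGroup = (Get-LocalGroupMember -Group $Group).SID.Value
foreach ($u in $slotUsers) {
    if ($inUsers -contains $u.SID.Value) {
        Remove-LocalGroupMember -SID $UsersSid -Member $u
    }
    if ($inGroup -notcontains $u.SID.Value) {
        Add-LocalGroupMember -Group $Group -Member $u
    }
}

# Step 3: give the group read/write on the execute directory, inherited by
# the per-job subdirectories and files created beneath it.
$acl  = Get-Acl -Path $ExecuteDir
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $Group, 'Read, Write', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $ExecuteDir -AclObject $acl

# Check the result: slot accounts still in Users (expected: none), the new
# group's members, and the ACL entry that was just added.
Get-LocalGroupMember -SID $UsersSid | Where-Object {
    $n = ($_.Name -split '\\')[-1]
    $Patterns | Where-Object { $n -like $_ }
}
Get-LocalGroupMember -Group $Group | Select-Object Name, SID
(Get-Acl -Path $ExecuteDir).Access |
    Where-Object { $_.IdentityReference -like "*\$Group" }
```

The script is safe to re-run: the group is only created when missing, and membership changes are skipped for accounts already in the right place.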

