A Windows 2008 R2 SP1 VCS 6.0.1 cluster of two nodes.
Configured with secure / single sign-on
Attempts to run any of the ha* commands (i.e. hagrp, hares, etc) from the command line as a non-administrator user fail with the following error message:
VCS ERROR V-16-1-53022 Broker (localhost) unable to authenticate user ((null)) : error = (14)
In this case I am logged into the system as an AD domain user named "testuser" in an AD domain I'll call "foo". I can run the VCS Cluster manager as this user, and as expected can see the status of the cluster but not modify it (as I haven't granted any additional VCS privileges to this user), so it would appear that the secured VCS server is operating under single sign-on as expected. Oh, just tried one more thing, added "testuser@foo" as an "Administrator", and now when I start the VCS Cluster Manager as user "testuser" it shows "TESTUSER@FOO" as a "Cluster Administrator" at the top of the Window, which would seem to confirm that SSO and authentication are working correctly, at least for the GUI.
I can log on as a domain or local Administrator (i.e. username <hostname>\Administrator or <AD domain name>\Administrator and run ha* commands from the command line.
One possible hitch may be that while the AD domain is (for example) "foo", the DNS/NIS domain of the AD domain and the VCS server is (for example) "abc.xyz.com"?
The following VCS services/processes are running on the host in question:
vcsauthserver.exe <-- this is the one that handles authentication, right?
The error message may provide some clue as to what the problem is, in that it identifies the user that it can't authenticate as ((null)), rather than "informix".
I've tried searching all over and I've got no clue as to why this doesn't work. As an alternative I tried switching to the non-secure mode, but that resulted in the user "informix" being prompted to enter a username and password every time one tries to run a VCS ha* command. For my purposes that is not usable, as our product (EMC NetWorker client) needs to run a script which in turn runs various ha* commands to determine the status of the cluster, which service groups own which disks, etc. In theory using SSO should resolve this issue, but it's not working for CLI VCS commands.