Hi Cole,

condor_config_val -dump authentication_methods returns

# Configuration from machine: LP15-MAL1-CEM.dsone.3ds.com
# Parameters with names that match authentication_methods:
SEC_CLIENT_AUTHENTICATION_METHODS = IDTOKENS, PASSWORD
SEC_DEFAULT_AUTHENTICATION_METHODS = IDTOKENS, PASSWORD
SEC_READ_AUTHENTICATION_METHODS = IDTOKENS, PASSWORD
SEC_WRITE_AUTHENTICATION_METHODS = IDTOKENS, PASSWORD
# Contributing configuration file(s):
# C:\Condor\condor_config
# C:\Condor\condor_config.local

I had added the PASSWORDS methods only for Windows, but it seems it doesn't help in any way.

Thanks,
Martin

From: Cole Bollig <cabollig@xxxxxxxx>
Hi Martin,

For the windows submit host what does condor_config_val -dump authentication_methods return?

-Cole

From: APEL Martin <Martin.APEL@xxxxxxx>
Sent: Thursday, June 18, 2026 7:57 AM
To: Cole Bollig <cabollig@wisc.edu>; htcondor-users@cs.wisc.edu

Hi Cole,

Thank you for your quick response. Regarding your questions:
1. I run condor_store_cred add without any additional parameters
2. Adding the -debug:D:HOST_NAME generates the following output (I have replaced domain and usernames):

condor_store_cred -debug:D_HOSTNAME add
06/18/26 08:29:16 NETWORK_INTERFACE=* matches Ethernet fe80::d7db:b5ca:797a:9984, Ethernet 169.254.55.6, Ethernet 4 fe80::f680:c67b:aff5:9b, Ethernet 4 169.254.71.157, Ethernet 2 fe80::2328:e55a:26cb:dadd, Ethernet 2 192.168.208.34, Wi-Fi fe80::f224:7aa9:83bb:1dc2, Wi-Fi 169.254.98.211, Local Area Connection* 1 fe80::894c:4326:1ed2:e343, Local Area Connection* 1 169.254.118.174, Local Area Connection* 12 fe80::b59:9f8e:7b22:bbff, Local Area Connection* 12 169.254.172.248, Bluetooth Network Connection fe80::d6c5:e04c:b18:7898, Bluetooth Network Connection 169.254.89.57, Loopback Pseudo-Interface 1 ::1, Loopback Pseudo-Interface 1 127.0.0.1, vEthernet (nat) fe80::660:43c2:243:4ea, vEthernet (nat) 192.168.224.1, choosing IP 192.168.208.34
06/18/26 08:29:16 hostname: hostname.dnsdomainname
06/18/26 08:29:16 I am: hostname: hostname, fully qualified doman name: hostname.dnsdomainname, IP: 192.168.208.34, IPv4: 192.168.208.34, IPv6:
06/18/26 08:29:16 Trying to getting network interface information after reading config
06/18/26 08:29:16 NETWORK_INTERFACE=* matches Ethernet fe80::d7db:b5ca:797a:9984, Ethernet 169.254.55.6, Ethernet 4 fe80::f680:c67b:aff5:9b, Ethernet 4 169.254.71.157, Ethernet 2 fe80::2328:e55a:26cb:dadd, Ethernet 2 192.168.208.34, Wi-Fi fe80::f224:7aa9:83bb:1dc2, Wi-Fi 169.254.98.211, Local Area Connection* 1 fe80::894c:4326:1ed2:e343, Local Area Connection* 1 169.254.118.174, Local Area Connection* 12 fe80::b59:9f8e:7b22:bbff, Local Area Connection* 12 169.254.172.248, Bluetooth Network Connection fe80::d6c5:e04c:b18:7898, Bluetooth Network Connection 169.254.89.57, Loopback Pseudo-Interface 1 ::1, Loopback Pseudo-Interface 1 127.0.0.1, vEthernet (nat) fe80::660:43c2:243:4ea, vEthernet (nat) 192.168.224.1, choosing IP 192.168.208.34
06/18/26 08:29:16 NETWORK_INTERFACE=* matches Ethernet fe80::d7db:b5ca:797a:9984, Ethernet 169.254.55.6, Ethernet 4 fe80::f680:c67b:aff5:9b, Ethernet 4 169.254.71.157, Ethernet 2 fe80::2328:e55a:26cb:dadd, Ethernet 2 192.168.208.34, Wi-Fi fe80::f224:7aa9:83bb:1dc2, Wi-Fi 169.254.98.211, Local Area Connection* 1 fe80::894c:4326:1ed2:e343, Local Area Connection* 1 169.254.118.174, Local Area Connection* 12 fe80::b59:9f8e:7b22:bbff, Local Area Connection* 12 169.254.172.248, Bluetooth Network Connection fe80::d6c5:e04c:b18:7898, Bluetooth Network Connection 169.254.89.57, Loopback Pseudo-Interface 1 ::1, Loopback Pseudo-Interface 1 127.0.0.1, vEthernet (nat) fe80::660:43c2:243:4ea, vEthernet (nat) 192.168.224.1, choosing IP 192.168.208.34
06/18/26 08:29:16 hostname: hostname.dnsdomainname
06/18/26 08:29:16 I am: hostname: hostname, fully qualified doman name: hostname.dnsdomainname, IP: 192.168.208.34, IPv4: 192.168.208.34, IPv6:
Account: username@WinDomainName
CredType: password
Enter password:
06/18/26 08:29:22 STORE_CRED: In mode 100 'add', user is "username@WinDomainName"
06/18/26 08:29:22 New Daemon obj (schedd) name: "", pool: "", addr: ""
06/18/26 08:29:22 Neither name nor addr specified, using local values - name: "hostname.dnsdomainname", full host: "hostname.dnsdomainname"
06/18/26 08:29:22 Finding classad for local daemon, SCHEDD_DAEMON_AD_FILE is "C:\Condor\spool/.schedd_classad"
06/18/26 08:29:22 Found Name in ClassAd, using "hostname.dnsdomainname"
06/18/26 08:29:22 Daemon client (schedd) address determined: name: "hostname.dnsdomainname", pool: "", alias: "hostname.dnsdomainname", addr: "<192.168.208.34:9618?addrs=192.168.208.34-9618&alias=hostname.dnsdomainname&noUDP&sock=schedd_6452_7bd4>"
06/18/26 08:29:22 Found SCHEDDIpAddr in ClassAd, using "<192.168.208.34:9618?addrs=192.168.208.34-9618&alias=hostname.dnsdomainname&noUDP&sock=schedd_6452_7bd4>"
06/18/26 08:29:22 Found CondorVersion in ClassAd, using "$CondorVersion: 25.11.0 2026-06-10 BuildID: 920473 GitSHA: 7f5259d9 $"
06/18/26 08:29:22 Found CondorPlatform in ClassAd, using "$CondorPlatform: x86_64_Windows10 $"
06/18/26 08:29:22 Found Machine in ClassAd, using "hostname.dnsdomainname"
06/18/26 08:29:22 Checking if <192.168.208.34:9618?addrs=192.168.208.34-9618&alias=hostname.dnsdomainname&noUDP&sock=schedd_6452_7bd4> is a sinful address
06/18/26 08:29:22 <192.168.208.34:9618?addrs=192.168.208.34-9618&alias=hostname.dnsdomainname&noUDP&sock=schedd_6452_7bd4> is a sinful address!
06/18/26 08:29:22 Using port 9618 based on address "<192.168.208.34:9618?addrs=192.168.208.34-9618&alias=hostname.dnsdomainname&noUDP&sock=schedd_6452_7bd4>"
06/18/26 08:29:22 Found address 1 candidates:
06/18/26 08:29:22 -410 192.168.208.34:9618
06/18/26 08:29:22 Considering address candidate 192.168.208.34:9618.
06/18/26 08:29:22 Found compatible candidate 192.168.208.34:9618.
06/18/26 08:29:22 Destroying Daemon object:
06/18/26 08:29:22 Type: 3 (schedd), Name: hostname.dnsdomainname, Addr: <192.168.208.34:9618?addrs=192.168.208.34-9618&alias=hostname.dnsdomainname&noUDP&sock=schedd_6452_7bd4>
06/18/26 08:29:22 FullHost: hostname.dnsdomainname, Host: hostname, Pool: , Port: 9618
06/18/26 08:29:22 IsLocal: Y, IdStr: local schedd, Error:
06/18/26 08:29:22 --- End of Daemon object info ---
Operation failed because it is not allowed
3. The master node as well as all execution nodes of the cluster run on Linux. Submit hosts are both Linux and Windows. On Windows I do not use the "run_as_owner" feature.

Thanks,
Martin

From: Cole Bollig <cabollig@xxxxxxxx>
Hi Martin,

Some questions to help look into this:

1. What specifically are you running on the command line to store credentials?
2. Can you run the same command with the -debug:D_HOSTNAME option and share the resulting output (feel free to cleanse and/or send directly)?
3. You mentioned having a mixed pool. What OS are the Aps (submit hosts)?

Cheers,
Cole Bollig

From: HTCondor-users <htcondor-users-bounces@xxxxxxxxxxx>
on behalf of APEL Martin via HTCondor-users <htcondor-users@xxxxxxxxxxx>

We have recently upgraded our HTCondor cluster from 8.9 to 25.11. The cluster contains Linux as well as Windows machines. All authentication and authorization is configured to use IDTOKENS, which works fine under Linux. However, when using the same approach on Windows, any submissions fail and tell me that I need to use condor_store_cred. When I run condor_store_cred add I get an error "Operation failed because it is not allowed" after entering the password. SchedLog contains entries such as

06/17/26 11:58:38 (pid:25592) WARNING: store_cred() for user user@domain attempted by user condor, rejecting

I have to add that the DNS domain is not identical to the Windows domain name. I have tried adding both domains to the "ALLOW_*" configurations, I have tried enabling PASSWORD authentication, but nothing seems to help. I have a token for user@winDomain in my tokens.d directory, which allows me to run e.g. condor_status. I tried the same with a token for user@dnsdomain, condor_status works here as well. But condor_store_cred continues to fail in all these cases.

Any help would be very much appreciated.

Martin

This email and any attachments are intended solely for the use of the individual or entity to whom it is addressed and may be confidential and/or privileged. If you are not one of the named recipients or have received this email in error, (i) you should not read, disclose, or copy it, (ii) please notify sender of your receipt by reply email and delete this email and all attachments, (iii) Dassault Systèmes does not accept or assume any liability or responsibility for any use of or reliance on this email. Please be informed that your personal data are processed according to our data privacy policy as described on our website. Should you have any questions related to personal data protection, please contact 3DS Data Protection Officer https://www.3ds.com/privacy-policy/contact/