Intel® MPI Library

Developer Guide for Windows* OS

ID 768730
Date 6/30/2025
Public

User Authorization

The Intel® MPI Library supports several authentication methods under the Microsoft Windows* OS:

  • PowerShell remoting (default)
  • Domain-based authorization with the delegation ability
  • Limited domain-based authorization

PowerShell remoting uses the system-preferred authentication method, either domain-based authentication or secure credential passing. This is the recommended method for remote application execution across nodes.

NOTE:
When using a shared drive with PowerShell remoting, you may encounter access issues related to the second hop problem. To fix this, you must create a PowerShell session configuration on the remote node. You will need administrator access on the remote machine to create a PowerShell profile that will automate the session configuration. This profile only needs to be set up once at the remote node.

# Enter user credentials when prompted 
$credential = Get-Credential

# Securely pass the credentials to the remote machine for making the second hop
$secureCredential = New-Object System.Management.Automation.PSCredential($credential.UserName, $credential.Password)

# Input the PowerShell session configuration name
$sessionName = "mpi_profile"

# Unregister previously created session if needed
Unregister-PSSessionConfiguration -Name $sessionName 2>$null

# Create a new session configuration
Register-PSSessionConfiguration -Name $sessionName 2>$null
$sid = ([System.Security.Principal.WindowsIdentity]::GetCurrent()).User.Value

# Set the SecurityDescriptorSddl for PowerShell session
# This is the basic recommended setting; use your own setting for security
Set-PSSessionConfiguration -Name $sessionName -SecurityDescriptorSddl "O:NSG:BAD:P(A;;GA;;;${sid})S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)" 2>$null

# Use RunAsCredential to pass the credentials for the second hop
Set-PSSessionConfiguration -Name $sessionName -RunAsCredential $secureCredential

# Restart the Winrm service  
Restart-Service -Name Winrm 2>$null

# Display the status of the Winrm service and the session configuration setting
Get-Service -Name Winrm
Get-PSSessionConfiguration $sessionName

To use the mpi_profile session for PowerShell remoting, set I_MPI_HYDRA_BOOTSTRAP_POWERSHELL_PSCNAME=mpi_profile. This will solve the PowerShell remoting access issues by passing the credentials needed to authenticate to the shared drive.
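
Because sessions that connect through the mpi_profile configuration run under the stored RunAs account, it is worth confirming that the configuration's access list admits only the intended account. The following check is an added example, not part of Intel's guide; the function names and the sample SIDs are constructed for illustration.

```powershell
# Added example (not Intel's code). Function names and sample SIDs are constructed.

# Parse an SDDL string and return one object per entry in its DACL.
function Get-SessionConfigAce {
    param([Parameter(Mandatory)][string]$Sddl)
    $sd = New-Object System.Security.AccessControl.CommonSecurityDescriptor($false, $false, $Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        [pscustomobject]@{
            Sid        = $ace.SecurityIdentifier.Value
            AceType    = $ace.AceType.ToString()
            AccessMask = '0x{0:X8}' -f $ace.AccessMask
        }
    }
}

# Return the allow entries that grant access to a SID outside $AllowedSid.
function Get-UnexpectedSessionAccess {
    param(
        [Parameter(Mandatory)][string]$Sddl,
        [Parameter(Mandatory)][string[]]$AllowedSid
    )
    Get-SessionConfigAce -Sddl $Sddl |
        Where-Object { $_.AceType -eq 'AccessAllowed' -and $_.Sid -notin $AllowedSid }
}

# Constructed sample: the SDDL template from the script above with a made-up user SID.
$userSid = 'S-1-5-21-1111111111-2222222222-3333333333-1001'
$asShown = "O:NSG:BAD:P(A;;GA;;;$userSid)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)"

# Constructed variant whose DACL also grants full access to Authenticated Users (AU).
$tooWide = "O:NSG:BAD:P(A;;GA;;;$userSid)(A;;GA;;;AU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)"

# Check both samples against the single SID that is supposed to have access.
Get-UnexpectedSessionAccess -Sddl $asShown -AllowedSid $userSid
Get-UnexpectedSessionAccess -Sddl $tooWide -AllowedSid $userSid

# On the remote node (elevated prompt), audit the live configuration the same way:
# $cfg = Get-PSSessionConfiguration -Name 'mpi_profile'
# $cfg | Select-Object Name, RunAsUser, Permission
# Get-UnexpectedSessionAccess -Sddl $cfg.SecurityDescriptorSddl -AllowedSid $userSid
```

Any entry the second function returns is a principal other than the intended account that can open sessions running as the RunAs user.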

Additionally, Intel® MPI Library supports domain-based authorization with the delegation ability as well as limited domain-based authorization. The domain-based authorization methods use the Security Service Provider Interface (SSPI) provided by Microsoft* in the Windows* OS environment. The SSPI allows a domain to authenticate the user on the remote machine according to the domain policies. You do not need to enter and store your account name and password when using these methods.

NOTE:
Both domain-based authorization methods may increase MPI task launch time in comparison with the password-based authorization. This depends on the domain configuration.

NOTE:
The limited domain-based authorization restricts your access to the network. You will not be able to open files on remote machines or access mapped network drives.

This feature is supported on clusters under Windows HPC Server 2012 R2. Microsoft's Kerberos Distribution Center* must be enabled on your domain controller (this is the default behavior).

Using the domain-based authorization method with the delegation ability requires specific installation of the domain. You can perform this installation by using the Intel® MPI Library installer if you have domain administrator rights or by following the instructions below.

Active Directory* Setup

To enable the delegation in the Active Directory*, do the following:

  1. Log in on the domain controller under the administrator account.

  2. Enable the delegation for cluster nodes:

    1. Go to Administrative Tools.

    2. In the Active Directory Users and Computers administrative utility, open the Computers list.

    3. Right-click the desired computer object and select Properties.

    4. Select the Delegation tab and check the Trust this computer for delegation to any service (Kerberos only) option.

  3. Enable the delegation for users:

    1. In the Active Directory Users and Computers administrative utility, open the Users list.

    2. Right-click the desired user object and select Properties.

    3. Select the Account tab and disable the Account is sensitive and cannot be delegated option.

  4. Make sure the Hydra service is installed and running on the cluster nodes. To check this, enter the command:

    hydra_service -status

    If the service is not running, use the following command to install and run it:

    hydra_service -install

    NOTE:
    Run this command as an administrator.

  5. Register a service principal name (SPN) for the cluster nodes. Use one of the following methods to register the SPN:

    1. Use the setspn.exe utility from Microsoft*. For example, execute the following command on the domain controller:

      > setspn.exe -A impi_hydra/<host>:<port>/impi_hydra <host>

      where:

      • <host> is the cluster node name.
      • <port> is the Hydra port. The default value is 8679. Change this number only if your Hydra service uses a non-default port.

    2. Log into each desired node under the administrator account and execute the command:

      > hydra_service -register_spn

NOTE:
In case of any issues with the MPI task start, reboot the machine from which the MPI task is started. Alternatively, execute this command:

    > klist purge
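
The "Trust this computer for delegation to any service (Kerberos only)" option enabled in step 2 is unconstrained Kerberos delegation, so it should be set only on the cluster nodes that need it. The following audit is an added example, not part of Intel's guide; the function name, node names and sample objects are constructed, and the SPN is matched on the short node name.

```powershell
# Added example (not Intel's code). Function name, node names and sample data are constructed.

# Compare computer objects against the intended cluster node list and report:
#   - computers trusted for delegation that are not cluster nodes
#   - cluster nodes that lack delegation or the impi_hydra SPN from step 5
function Get-ImpiDelegationFinding {
    param(
        [Parameter(Mandatory)][object[]]$Computer,    # needs Name, TrustedForDelegation, ServicePrincipalName
        [Parameter(Mandatory)][string[]]$ClusterNode, # short names of the intended MPI nodes
        [int]$Port = 8679                             # default Hydra port stated in the guide
    )
    foreach ($c in $Computer) {
        $isNode = $c.Name -in $ClusterNode
        $spn    = "impi_hydra/$($c.Name):$Port/impi_hydra"
        $hasSpn = @($c.ServicePrincipalName) -contains $spn

        if ($c.TrustedForDelegation -and -not $isNode) {
            [pscustomobject]@{ Computer = $c.Name; Finding = 'Trusted for delegation but not a listed cluster node' }
        }
        if ($isNode -and -not $c.TrustedForDelegation) {
            [pscustomobject]@{ Computer = $c.Name; Finding = 'Cluster node without delegation enabled' }
        }
        if ($isNode -and -not $hasSpn) {
            [pscustomobject]@{ Computer = $c.Name; Finding = "Missing SPN $spn" }
        }
    }
}

# Constructed sample objects shaped like Get-ADComputer output.
$sample = @(
    [pscustomobject]@{ Name = 'node01';  TrustedForDelegation = $true
                       ServicePrincipalName = @('HOST/node01', 'impi_hydra/node01:8679/impi_hydra') }
    [pscustomobject]@{ Name = 'node02';  TrustedForDelegation = $true
                       ServicePrincipalName = @('HOST/node02') }
    [pscustomobject]@{ Name = 'ws-lab7'; TrustedForDelegation = $true
                       ServicePrincipalName = @('HOST/ws-lab7') }
)
Get-ImpiDelegationFinding -Computer $sample -ClusterNode 'node01', 'node02'

# Live use on a machine with the ActiveDirectory module (RSAT):
# $all = Get-ADComputer -Filter * -Properties TrustedForDelegation, ServicePrincipalName
# Get-ImpiDelegationFinding -Computer $all -ClusterNode 'node01', 'node02'
# Domain controllers are trusted for delegation by default and are reported unless listed.
```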

To select a user authorization method, use the I_MPI_AUTH_METHOD environment variable with the delegate or impersonate argument, or set it to an empty value to use the default authentication method. For more details, see the Developer Reference, section User Authorization.