After the Kerberos “identity” user account
is created, it must be mapped to the proper SPNs. This is done by
using Microsoft's setSPN utility, which is available on Windows 2003
Servers (and later).
Procedure
- Enter something like these two lines at a command prompt on a Windows Domain Controller
system (one SPN for the short host name and one for the fully qualified host name):
setspn -a FNCEWS/mycemp01 FNCEWS_mycemp01
setspn -a FNCEWS/mycemp01.mydom.example.com FNCEWS_mycemp01
On Windows Server 2008 and later, prefer setspn -s to setspn -a: -s registers the SPN only after checking that no other account in the forest already holds it, whereas -a adds it unconditionally. A duplicate SPN causes Kerberos authentication to fail for both accounts that hold it.
If you enter these lines on a Content Platform Engine system that is not a
Windows Domain Controller, the setSPN command appears to work but does not actually set the SPNs
correctly.
- Substitute the SPN you have chosen for FNCEWS/mycemp01 and
FNCEWS/mycemp01.mydom.example.com (mycemp01 is the Content Platform Engine host name and
mydom.example.com is its DNS domain), and the name of the identity account just created for
FNCEWS_mycemp01.
Note
that the setspn utility takes the pre-Windows 2000 user logon name (the sAMAccountName
attribute), not the regular user logon name (the userPrincipalName attribute).
Note that
another tool supplied by Microsoft, ktpass, must not be used to map
SPNs with its -mapuser option. Although ktpass with -mapuser is the recommended
way to set up SPNEGO authentication with a web server, do not use
the -mapuser option to set up the Content Platform Engine Kerberos identity user:
it can modify the identity user account's userPrincipalName
attribute in Active Directory and thus cause Content Platform Engine Kerberos authentication to fail.
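The procedure above, carried out from PowerShell on a domain controller, as an added example that is not part of the original page or of the product's own tooling. It registers both SPNs with setspn -s (the duplicate-checking form of -a), then re-reads the account through the ActiveDirectory module to confirm that both SPNs are present and that the account's userPrincipalName is unchanged, which is the damage the ktpass -mapuser warning is about. The service class, host name, DNS domain and account name are the placeholders from the procedure and are assumptions to replace with your own.

```powershell
# Added example (not from the original page): register the Content Platform Engine
# identity account's SPNs and verify the result. Run from an elevated PowerShell
# prompt on a domain controller, as an account allowed to write the servicePrincipalName
# attribute. All four values below are the placeholders used in the procedure; substitute yours.
$ServiceClass = 'FNCEWS'
$HostName     = 'mycemp01'
$DnsDomain    = 'mydom.example.com'
$Account      = 'FNCEWS_mycemp01'   # pre-Windows 2000 logon name (sAMAccountName), as setspn expects

Import-Module ActiveDirectory

# Short-name and fully-qualified SPNs; clients may request either form of the ticket.
$spns = @("$ServiceClass/$HostName", "$ServiceClass/$HostName.$DnsDomain")

# Record the UPN before touching anything. setspn must leave it alone; ktpass -mapuser would not.
$upnBefore = (Get-ADUser -Identity $Account -Properties userPrincipalName).userPrincipalName

foreach ($spn in $spns) {
    # -s adds the SPN only if no other account in the forest already holds it.
    # A duplicate SPN leaves the KDC unable to pick a single key for the service
    # ticket, and Kerberos fails for both accounts, so stop on the first error.
    setspn -s $spn $Account
    if ($LASTEXITCODE -ne 0) {
        throw "setspn failed for $spn (duplicate SPN elsewhere, or insufficient rights?)"
    }
}

# Re-read the account and check: both SPNs registered, UPN untouched.
$user = Get-ADUser -Identity $Account -Properties servicePrincipalName, userPrincipalName
$missing = @($spns | Where-Object { $user.servicePrincipalName -notcontains $_ })
if ($missing.Count -gt 0) {
    throw "SPNs not registered on $Account : $($missing -join ', ')"
}
if ($user.userPrincipalName -ne $upnBefore) {
    throw "userPrincipalName changed from '$upnBefore' to '$($user.userPrincipalName)'"
}

Write-Host "SPNs now registered on $Account :"
$user.servicePrincipalName | ForEach-Object { Write-Host "  $_" }

# Forest-wide sweep for duplicate SPNs; anything it reports needs fixing before
# the Content Platform Engine Kerberos configuration will work reliably.
setspn -x
```

If the script throws on the UPN check, the account has already been touched by something other than setspn (typically ktpass -mapuser); restore the original userPrincipalName in Active Directory before continuing with the Content Platform Engine Kerberos setup.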