Configuring Active Directory
In this section we set up the external resources that Single Sign-on depends on. These steps are performed on the Active
Directory (AD) server.
Check Active Directory for Service Principal Names
- Later in this guide we will use the command ktpass to create a Service Principal Name (SPN)
that maps the service account to the application server. First, however, we need to check that
the application server's computer account does not already have an SPN registered as
HTTP/Servername in Active Directory: the same SPN registered on two accounts (a duplicate SPN)
makes Kerberos authentication to the service fail.
- This check has to be done for each machine that will run the application
server.
- Run the following command (in the example we use the server name
TESTSERVER.CORPNET.IFSWORLD.COM):
C:\>setspn -l TESTSERVER
- This will give you an output like the one shown below:
C:\>setspn -l TESTSERVER
Registered ServicePrincipalNames for CN=TESTSERVER,OU=Servers,DC=CORPNET,DC=IFSWORLD,DC=com:
HOST/TESTSERVER
HOST/TESTSERVER.corpnet.ifsworld.com
WSMAN/TESTSERVER
WSMAN/TESTSERVER.corpnet.ifsworld.com
TERMSRV/TESTSERVER
TERMSRV/TESTSERVER.corpnet.ifsworld.com
RestrictedKrbHost/TESTSERVER
RestrictedKrbHost/TESTSERVER.corpnet.ifsworld.com
- If the SPN HTTP/Servername or HTTP/Fully qualified domain name (e.g. HTTP/TESTSERVER or
HTTP/TESTSERVER.corpnet.ifsworld.com) appears in the output of the above command, you have to
delete it by running the following commands (the second argument is the account the SPN is
registered on). You need to be logged in as a domain admin, or as a user with write permission
on the servicePrincipalName attribute of that account.
C:\>setspn -d HTTP/TESTSERVER TESTSERVER
C:\>setspn -d HTTP/TESTSERVER.corpnet.ifsworld.com TESTSERVER
- You have to be careful when removing SPNs. Delete only the HTTP/ entries and make sure you
have not removed the SPN HOST/Servername, which is required for the server machine itself to
authenticate with Kerberos. Run setspn -l <Servername> again to check this. If HOST/Servername
is missing, restore the default SPNs of the computer account with the following command:
C:\>setspn -r TESTSERVER
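The check, cleanup and verification above as one PowerShell script. This is an added example and not part of the original guide; it assumes the RSAT ActiveDirectory module is installed on the machine you run it from, that the caller may write servicePrincipalName on the computer object, and it uses the guide's example name TESTSERVER. It adds one step the text only implies: a forest-wide search (setspn -q) for the HTTP/ SPNs before they are handed to the service account, so that a copy registered on some other account is found as well.

```powershell
# Added example (not from the original guide): check a computer account for HTTP/ SPNs,
# search the forest for duplicates, remove only the HTTP/ entries and verify that HOST/
# survives. Assumes the RSAT ActiveDirectory module and write access to the object.
param(
    [string]$ComputerName = 'TESTSERVER'   # example name used in this guide
)

Import-Module ActiveDirectory

$computer = Get-ADComputer -Identity $ComputerName -Properties servicePrincipalName, DNSHostName
$fqdn     = $computer.DNSHostName          # e.g. TESTSERVER.corpnet.ifsworld.com

Write-Host "SPNs registered on $($computer.DistinguishedName):"
$computer.servicePrincipalName | ForEach-Object { Write-Host "  $_" }

# 1. HTTP/ SPNs on the computer account itself (short and FQDN forms).
$httpSpns = @($computer.servicePrincipalName | Where-Object { $_ -like 'HTTP/*' })

# 2. Forest-wide search: ktpass will map these SPNs to the service account later,
#    and the same SPN on two accounts (a duplicate) breaks Kerberos authentication.
foreach ($spn in @("HTTP/$ComputerName", "HTTP/$fqdn")) {
    Write-Host "Forest-wide search for $spn :"
    setspn -q $spn
}

# 3. Remove only the HTTP/ entries; HOST/, WSMAN/, TERMSRV/ etc. are left alone.
foreach ($spn in $httpSpns) {
    Write-Host "Removing $spn from $ComputerName"
    setspn -d $spn $ComputerName
}

# 4. Verify: HOST/<name> must still be present; restore the defaults if it is not.
$after = @((Get-ADComputer -Identity $ComputerName -Properties servicePrincipalName).servicePrincipalName)
if ($after -notcontains "HOST/$ComputerName") {
    Write-Warning "HOST/$ComputerName is missing; restoring default SPNs"
    setspn -r $ComputerName
}
if (@($after | Where-Object { $_ -like 'HTTP/*' }).Count -gt 0) {
    throw "HTTP/ SPNs are still registered on $ComputerName"
}
Write-Host "Computer account $ComputerName is clean; continue with ktpass."
```

If the search in step 2 reports the SPN on an account other than the application server's computer account, remove it from that account with the same setspn -d form before continuing; setspn -x lists every duplicate SPN in the forest and is a useful final check after ktpass has run.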
- An SPN must always be mapped to an account, so we create a user account for this purpose.
Note that most guides describing configuration of Single Sign-on suggest that the username and
the hostname of the server running the Application Server are identical. In this document we
use a different name for the user, to make it obvious when we refer to the machine and when we
refer to the user. In the rest of this document we use the name appsrvhost for the machine and
appsrvuser for the user.
- Create the user appsrvuser in AD and make a note of the password.
- In Active Directory Users and Computers, right-click the Users container and choose New -> User.
- Enter the full name and the user logon name.
- Enter a password and remember it for later use. Uncheck "User must change password at next logon".
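The same account creation done from PowerShell, as an added example that is not part of the original guide. It assumes the RSAT ActiveDirectory module; the OU, the UPN suffix and the description are assumptions for illustration. Two settings go beyond the guide's "uncheck must change password at next logon" and are marked as such in the comments: the password is set to never expire, because the keytab that ktpass generates later is derived from the password and stops working the moment the password changes, and the account is restricted to AES Kerberos encryption types.

```powershell
# Added example (not from the original guide): create the Single Sign-on service account.
# Assumes the RSAT ActiveDirectory module. OU, UPN suffix and description are assumptions.
param(
    [string]$SamAccountName = 'appsrvuser',                                      # name used in this guide
    [string]$Path           = 'OU=Service Accounts,DC=CORPNET,DC=IFSWORLD,DC=com', # assumed OU
    [string]$UpnSuffix      = 'corpnet.ifsworld.com'
)

Import-Module ActiveDirectory

# Prompt for the password once, as a SecureString, so it never sits in the script or in
# the shell history. Use a long random value: an account carrying an SPN can have
# service tickets requested for it by any domain user, so the password is what
# protects the account from offline guessing.
$password = Read-Host -Prompt "Password for $SamAccountName" -AsSecureString

New-ADUser -Name $SamAccountName `
           -SamAccountName $SamAccountName `
           -UserPrincipalName "$SamAccountName@$UpnSuffix" `
           -Path $Path `
           -Description 'IFS Application Server Single Sign-on account' `
           -AccountPassword $password `
           -ChangePasswordAtLogon $false `
           -PasswordNeverExpires $true `
           -KerberosEncryptionType AES128,AES256 `
           -Enabled $true
# -ChangePasswordAtLogon $false is the "User must change password at next logon" box.
# -PasswordNeverExpires and -KerberosEncryptionType are additions beyond the guide
#  (see lead-in); with AES-only, the later ktpass /crypto value must be AES256-SHA1
#  or AES128-SHA1 so the keytab matches what the account can use.

# Show the attributes that matter for the keytab step.
Get-ADUser -Identity $SamAccountName -Properties PasswordNeverExpires, KerberosEncryptionType, servicePrincipalName |
    Select-Object SamAccountName, UserPrincipalName, Enabled, PasswordNeverExpires, KerberosEncryptionType, servicePrincipalName
```

The final Get-ADUser should show an empty servicePrincipalName at this point; the HTTP/ SPN is added to this account by ktpass later in the guide, and the checks in the previous section guarantee it is not still held by the computer account when that happens.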


The krb5.ini file is required when you use kinit to verify the generated keytab file in the
steps to come. If you do not already have this file (the installer generates one), you can create
it in the following format. The realm name is the AD domain name in upper case; the [domain_realm]
entries map the lower-case DNS domain to that realm.
Sample krb5.ini file:
[libdefaults]
default_realm = <DOMAIN NAME>
ticket_lifetime = 600
[realms]
<DOMAIN NAME> = {
kdc = <Key Distribution Center (domain controller) host name or IP>
admin_server = <Host Name for Kerberos Admin Server/Application Server>
default_domain = <DEFAULT DOMAIN NAME>
}
[domain_realm]
.<domain name> = <DOMAIN NAME>
[appdefaults]
autologin = true
forward = true
forwardable = true
encrypt = true
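The template filled in for the example domain used in this guide, as an added example that is not part of the original page. The domain controller name dc01.corpnet.ifsworld.com is an assumption; the realm CORPNET.IFSWORLD.COM and the DNS domain corpnet.ifsworld.com come from the server name used earlier. A second, unsuffixed [domain_realm] line is included so that the bare domain name as well as host names under it map to the realm.

```ini
; Added example krb5.ini for the CORPNET.IFSWORLD.COM domain (not from the original page).
; dc01.corpnet.ifsworld.com is an assumed domain controller name.
[libdefaults]
default_realm = CORPNET.IFSWORLD.COM
ticket_lifetime = 600

[realms]
CORPNET.IFSWORLD.COM = {
    kdc = dc01.corpnet.ifsworld.com
    admin_server = dc01.corpnet.ifsworld.com
    default_domain = corpnet.ifsworld.com
}

[domain_realm]
.corpnet.ifsworld.com = CORPNET.IFSWORLD.COM
corpnet.ifsworld.com = CORPNET.IFSWORLD.COM

[appdefaults]
autologin = true
forward = true
forwardable = true
encrypt = true
```

Kerberos realm names are case-sensitive: a client configured with default_realm = corpnet.ifsworld.com (lower case) will fail to authenticate against AD, which issues tickets for CORPNET.IFSWORLD.COM, so keep the realm in upper case and the DNS names in lower case as shown.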