Step 2: Add the j5 Server/Domain account to the Service Principal Names (SPN) - j5 - 28.0 - Installation & Upgrade - Hexagon

A service principal name (SPN) is a unique identifier of a service instance. Kerberos authentication uses SPNs to associate a service instance with a service logon account. This allows a client application to request that the service authenticate an account even if the client does not have the account name. For more information, refer to Service Principal Names.

Use the command line tool setspn to add entries to the SPN list.

To add the j5 Server/Domain account to the SPN:

  1. Sign in to Active Directory as an Administrator.

  2. Open a command prompt or PowerShell as Administrator.

  3. Use the following commands to check the existing configuration:

    • To see what has already been configured for the host name:

      C:\>setspn -l [HOST_NAME]

    • To see what has already been configured for the service username:

      C:\>setspn -l [SERVICE_USER_NAME]

  4. Use these commands to add the j5 service to the SPN list (customization explanations below):

    • Command 1:

      C:\>setspn -A HTTP/<ServerName> <ServiceAccountDomain>\<ServiceAccount>

    • Command 2:

      C:\>setspn -A HTTP/<FullServerName> <ServiceAccountDomain>\<ServiceAccount>

To customize these commands:

  • HTTP: The service/protocol name that the client (j5) uses for its service (j5’s default is HTTP).

    Do not use HTTPS for the service/protocol name. You must use HTTP even though you are connecting with HTTPS. An explanation from Microsoft is given below:

    "The HTTP service class differs from the HTTP protocol. Both the HTTP protocol and the HTTPS protocol use the HTTP service class. The service class is the string that identifies the general class of service. Well-known service class names include "www" for a Web service and "ldap" for a directory service. Generally, the service class name can be any string that is unique to the service class. Be aware that the SPN syntax uses a forward slash character to separate elements. Therefore, the forward slash character cannot appear in a service class name."

  • ServerName: The host name j5 is running on (for example, j5serverdev)

  • FullServerName: The fully qualified host name including the domain (for example, j5serverdev.full.domain.name)

  • ServiceAccountDomain: The full domain name (for example, full.domain.name)

  • ServiceAccount: The name of the service domain account created in Step 1

Examples:

  • Command 1:

    C:\>Setspn -A HTTP/j5serverdev domain\j5-application-dev

  • Command 2:

    C:\>Setspn -A HTTP/j5serverdev.full.domain.name domain\j5-application-dev

If the entry already exists, the command is ignored. Otherwise, the command returns Updated object.
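
The procedure above as one script, given here as an added example that is not part of the j5 documentation: it rejects an invalid service class, registers both SPNs, and confirms they are listed on the service account. The parameter defaults are the page's example names. The script assumes a setspn version that supports -S, which it uses in place of the page's -A so that an SPN already registered on another account is not duplicated.

```powershell
# Added example: register the two SPNs from Step 4 and verify the result.
# Parameter defaults are the page's example values; replace them with your own.
param(
    [string]$ServiceClass   = 'HTTP',
    [string]$ServerName     = 'j5serverdev',
    [string]$FullServerName = 'j5serverdev.full.domain.name',
    [string]$Account        = 'domain\j5-application-dev'
)

# The service class stays HTTP even when clients connect over HTTPS, and it
# cannot contain the "/" that separates SPN elements.
if ($ServiceClass -eq 'HTTPS' -or $ServiceClass.Contains('/')) {
    throw "Invalid service class '$ServiceClass'. Use HTTP, not HTTPS."
}

# One SPN for the short host name, one for the fully qualified name.
$spns = @("$ServiceClass/$ServerName", "$ServiceClass/$FullServerName")

# Step 3: show what is already registered for the service account.
Write-Host "Current SPNs for ${Account}:"
setspn -L $Account

# Step 4: add each SPN. -S checks for an existing registration before adding
# (assumption: this setspn version supports -S; the page's commands use -A).
foreach ($spn in $spns) {
    setspn -S $spn $Account
}

# Verify: each SPN must now appear in the account's list. The SPN strings are
# compared directly, so the check does not depend on setspn's message text.
$registered = setspn -L $Account | ForEach-Object { $_.Trim() }
$missing = $spns | Where-Object { $registered -notcontains $_ }
if ($missing) {
    Write-Error "Not registered on ${Account}: $($missing -join ', ')"
    exit 1
}
Write-Host "Both SPNs are registered on $Account."
```

If the verification step reports a missing SPN, check whether that SPN is already registered on a different account before retrying.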