Registering a Service Principal Name (SPN) and Configuring Delegation in Microsoft Windows

Legacy Authentication Methods

Platform: OnBase
Product: Legacy Authentication Methods
Release: Foundation 23.1
License: Essential, Premier, Standard

Before configuring any OnBase web applications, you must first:

  • Register a Service Principal Name (SPN) to a domain account in Microsoft Windows

  • Set the registered SPN account to trust delegation in Active Directory

Note:

The SPN only needs to be registered once for the HTTP service on the server, even though a server may host one or more OnBase web applications.

The domain account that is registered as the SPN must be the same as the application pool identity that is running all of the application pools for OnBase web applications on the server.

The SPN is registered using the Microsoft Windows Setspn command-line tool. To successfully register the SPN, you must have domain administrative privileges on the server or be logged in under a user account with those privileges delegated to it.

Note:

Setspn is a Microsoft tool. For complete details on registering SPNs and using the Setspn tool, see the documentation provided by Microsoft for Windows servers. The example included in this section is for illustration purposes only.

For example, to register the SPN for the HTTP service on the fully qualified domain name myserver.mydomain.net to the application pool identity jdoe, type:

Setspn -s HTTP/myserver.mydomain.net mydomain\jdoe

After registering the SPN you must also set that user account to trust delegation. This is configured in Microsoft Windows by launching the Active Directory Users and Computers toolkit with elevated administrator privileges.

Note:

Active Directory is a Microsoft product. Complete details on using and configuring Active Directory can be found in the documentation provided by Microsoft.

In the Active Directory Users and Computers toolkit:

  1. Navigate to the Users dialog.
  2. Search for the domain account you registered the SPN to.
  3. Open the properties for that account and select the Delegation tab.
  4. Configure that account to trust delegation for services.
    Note:

    It is considered a best practice to use constrained delegation by selecting Trust the user for delegation to specified service only and selecting Use Kerberos only. However, if other services are using the same account, this configuration may not always be possible. For more information on constrained delegation, see the Kerberos Constrained Delegation information available from Microsoft.
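The following PowerShell script is an added example, not part of the OnBase documentation or the product. It verifies the end state of the two procedures above on the web server: that the HTTP SPN is registered to the intended account and to no other object, that the IIS application pools run as that account, and whether the account's delegation setting is the recommended constrained, Kerberos-only form. It assumes the ActiveDirectory and WebAdministration modules are present and that the server FQDN and account name (placeholders below) are replaced with real values.

```powershell
# Added verification script (not from the OnBase documentation).
# Assumes: ActiveDirectory and WebAdministration modules are installed on the
# web server, and the caller may read the account in AD. The defaults are the
# placeholder values used in the documentation example; replace them.
param(
    [string]$ServerFqdn = 'myserver.mydomain.net',
    [string]$AccountSam = 'jdoe'
)
Import-Module ActiveDirectory
Import-Module WebAdministration

$spn   = "HTTP/$ServerFqdn"
$props = @('ServicePrincipalName', 'TrustedForDelegation',
           'TrustedToAuthForDelegation', 'msDS-AllowedToDelegateTo')
$acct  = Get-ADUser -Identity $AccountSam -Properties $props

# 1. The HTTP SPN must be registered on the application pool account.
if ($acct.ServicePrincipalName -contains $spn) {
    Write-Host "OK: $spn is registered to $AccountSam"
} else {
    Write-Warning "$spn is not registered to $AccountSam; register it with setspn -s"
}

# 2. The same SPN on a second object makes Kerberos fail for the service.
$dupes = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" |
    Where-Object { $_.DistinguishedName -ne $acct.DistinguishedName }
if ($dupes) {
    Write-Warning "Duplicate SPN on: $($dupes.DistinguishedName -join ', ')"
}

# 3. Every application pool hosting an OnBase web application must run as
#    the SPN account; other pools listed here can be ignored.
Get-ChildItem IIS:\AppPools | ForEach-Object {
    $user = $_.processModel.userName
    if ($user -notlike "*\$AccountSam" -and $user -ne $AccountSam) {
        Write-Warning "Pool '$($_.Name)' runs as '$user'; OnBase pools need $AccountSam"
    }
}

# 4. Delegation: constrained and Kerberos-only is the recommended state.
#    msDS-AllowedToDelegateTo lists the allowed target services;
#    TrustedToAuthForDelegation means "use any authentication protocol";
#    TrustedForDelegation alone means unconstrained delegation.
$targets = @($acct.'msDS-AllowedToDelegateTo')
if ($targets.Count -gt 0 -and -not $acct.TrustedToAuthForDelegation) {
    Write-Host "OK: constrained, Kerberos only, to: $($targets -join ', ')"
} elseif ($targets.Count -gt 0) {
    Write-Warning "Constrained delegation allows any protocol; prefer Kerberos only"
} elseif ($acct.TrustedForDelegation) {
    Write-Warning "Account uses unconstrained delegation; prefer constrained delegation"
} else {
    Write-Warning "Account is not trusted for delegation; configure the Delegation tab"
}
```

Run it in an elevated PowerShell session on the web server after completing both procedures; each warning maps to one of the steps above.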