A service principal name (SPN) is a unique identifier of a service instance. SPNs are used by Kerberos authentication to associate a service instance with a service logon account. This allows a client application to request that the service authenticate an account even if the client does not have the account name. For more information, refer to Service Principal Names.
Use the command line tool setspn to add entries to the SPN list.
To add the j5 Server/Domain account to the SPN:
- Sign in to Active Directory as an Administrator.
- Open a command line or PowerShell as Administrator.
- Use the following commands to review the current configuration:
  - To see what has already been configured for the host name:
    C:\>setspn -l [HOST_NAME]
  - To see what has already been configured for the service username:
    C:\>setspn -l [SERVICE_USER_NAME]
- Use these commands to add the j5 service to the SPN list (customization explanations below):
  - Command 1:
    C:\>setspn -A HTTP/<ServerName> <ServiceAccountDomain>\<ServiceAccount>
  - Command 2:
    C:\>setspn -A HTTP/<FullServerName> <ServiceAccountDomain>\<ServiceAccount>
- To customize these commands:
  - HTTP: The service/protocol name that the client (j5) uses for its service (the default for j5 is HTTP).
    Do not use HTTPS for the service/protocol name; you must use HTTP even though you are connecting with HTTPS. An explanation from Microsoft, taken from here, is given below:
  - ServerName: The host name j5 is running on (for example, j5serverdev)
  - FullServerName: The fully qualified host name including the domain (for example, j5serverdev.full.domain.name)
  - ServiceAccountDomain: The full domain name (for example, full.domain.name)
  - ServiceAccount: The name of the service domain account created in Step 1
Examples:
- Command 1:
  C:\>Setspn -A HTTP/j5serverdev domain\j5-application-dev
- Command 2:
  C:\>Setspn -A HTTP/j5serverdev.full.domain.name domain\j5-application-dev
If the entry already exists, the command is ignored. Otherwise, the command returns Updated object.
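The procedure above can be wrapped in a pre-check so that an SPN already held by a different account is reported instead of duplicated, since an SPN registered on two accounts causes Kerberos authentication to the service to fail. This is an added example, not part of the j5 documentation: the parameter defaults are the page's sample values, and the `[adsisearcher]` LDAP lookup is an assumption about how to find existing owners (it must run on a domain-joined machine with rights to modify the service account).

```powershell
# Added example: parameter names mirror the page's placeholders,
# defaults are the page's sample values.
param(
    [string]$ServerName     = 'j5serverdev',
    [string]$FullServerName = 'j5serverdev.full.domain.name',
    [string]$ServiceAccount = 'domain\j5-application-dev',
    [string]$ServiceClass   = 'HTTP'
)

# The page requires HTTP as the service class even when clients connect over HTTPS.
if ($ServiceClass -ne 'HTTP') {
    throw "Service class must be HTTP, got '$ServiceClass'."
}

# Account name without the domain prefix, for comparison with sAMAccountName.
$samName = ($ServiceAccount -split '\\')[-1]
$spns    = "$ServiceClass/$ServerName", "$ServiceClass/$FullServerName"

foreach ($spn in $spns) {
    # Find every directory object that already carries this exact SPN.
    $searcher = [adsisearcher]"(servicePrincipalName=$spn)"
    $owners   = @($searcher.FindAll() |
        ForEach-Object { [string]$_.Properties['samaccountname'][0] })

    $foreign = @($owners | Where-Object { $_ -ne $samName })
    if ($foreign.Count -gt 0) {
        # Registering the same SPN on a second account would create a duplicate.
        Write-Warning "$spn is already registered to: $($foreign -join ', '). Not adding."
        continue
    }
    if ($owners -contains $samName) {
        Write-Host "$spn is already registered to $samName, nothing to do."
        continue
    }

    # Same command as Command 1 / Command 2 on the page.
    & setspn -A $spn $ServiceAccount
}

# Confirm the resulting SPN list of the service account.
& setspn -L $ServiceAccount
```

If a warning names another account, remove the SPN from that account or point j5 at it before continuing, rather than registering the SPN a second time.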