Note: Fabasoft recommends not using these workarounds if the SPNs can be set. Use these workarounds only temporarily. In a Microsoft Windows environment, the Fabasoft Folio Web services run as a specified domain user (the web service user). In Active Directory, the web service user needs permission to run a service (in this case, HTTP) in the domain. This permission is granted by the SPN. If the SPN is not set and the web server asks the Active Directory domain controller to validate the user's login, the domain controller denies the request because the web service user is not authorized to run the web service (the SPN is missing).
Because the validation fails, the user gets an "access denied" error message. This article describes how to set an SPN for your web service user. Unless the service name and port are non-standard, you do not need to enter them when you use setspn. The examples in the following sections assume that the default port and service name are used for SPNs, which is the typical situation.
To view a list of the SPNs that a computer has registered with Active Directory from a command prompt, use the setspn -l hostname command, where hostname is the actual host name of the computer object that you want to query. A domain controller named WSA in Cpandl. If the SPNs listed for your server appear to have incorrect names, consider resetting the computer to use the default SPNs.
To reset the default SPN values, use the setspn -r hostname command at a command prompt, where hostname is the actual host name of the computer object that you want to update.
You receive confirmation if the reset is successful. For example, if there is an Active Directory domain controller with the host name server1. If you need to allow delegated administrators to configure service principal names (SPNs), you must ensure that their user accounts have the Validated write to service principal name permission.
Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Click View, and verify that the Advanced Features check box is selected. If the domain to which you want to allow a disjoint namespace does not appear in the console, take the following steps: In the Domain box, type the name of the Active Directory domain to which you want to allow the disjoint namespace, and then click OK.
As an alternative, you can use the Browse button to locate the Active Directory domain. In the console tree, right-click the node that represents the domain to which you want to allow a disjoint namespace, and then click Properties.
In Enter the object name to select, type the group or user account name to which you want to delegate permission, and then click OK. At the bottom of the Permissions box, select the Allow check box that corresponds to the Validated write to service principal name permission, and then click OK on the three open dialog boxes to confirm your changes. However, if you are using Windows Server or earlier, you will not be able to use the -S switch because it is not available for that platform.
If you cannot use -S, you should manually verify that there are no duplicate SPNs by first running Setspn -L. The syntax is: Normally, this is the NetBIOS name of the computer and, optionally, the domain that contains the computer account. However, any desired Active Directory object name can be used. SPNs are required by services that use Kerberos, and Kerberos is the protocol that provides authentication and authorization.
Kerberos authentication is not possible for services when SPNs are not correctly configured. SPNs uniquely identify services running on servers, so when an SPN is missing from a computer account, the user often sees an authentication, credential, permission, or access error message.
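The following PowerShell script is an added example (not Fabasoft's or Microsoft's code) that applies the procedure above to the Fabasoft Folio web service account: it checks whether the HTTP SPNs are already registered anywhere in the forest (a duplicate breaks Kerberos just as a missing SPN does), registers them with setspn -S, and lists the result. The domain CONTOSO, the account svc-folio and the host folio.contoso.local are hypothetical values; it assumes setspn.exe is available and that you run it with Domain Admin rights or the delegated "Validated write to service principal name" permission.

```powershell
# Added example: register the HTTP SPN for the Folio web service account safely.
# Hypothetical values; replace with your own domain, account and web server FQDN.
param(
    [string]$Account  = 'CONTOSO\svc-folio',
    [string]$HostName = 'folio.contoso.local'
)

# Register both the FQDN and the short host name, because browsers may use either.
$spns = @("HTTP/$HostName", "HTTP/$($HostName.Split('.')[0])")

# setspn -Q searches the forest for an existing registration of one SPN and prints
# the distinguished name (CN=...) of the owning object, or "No such SPN found."
function Find-SpnOwner {
    param([string]$Spn)
    $out = & setspn.exe -Q $Spn 2>&1
    $dn  = $out | Where-Object { $_ -match '^CN=' } | Select-Object -First 1
    if ($dn) { return [string]$dn }
    return $null
}

# sAMAccountName without the domain prefix; assumed to match the CN of the account.
$sam = $Account.Split('\')[-1]

foreach ($spn in $spns) {
    $owner = Find-SpnOwner -Spn $spn
    if ($owner -and $owner -notmatch [regex]::Escape($sam)) {
        # Duplicate on another object: do not add a second copy, fix the conflict first.
        Write-Warning "$spn is already registered on '$owner'; remove that duplicate before continuing."
        continue
    }
    if ($owner) {
        Write-Host "$spn is already registered on $Account; nothing to do."
        continue
    }
    # -S adds the SPN only if no other object already holds it. On older setspn
    # builds without -S, use -A after the manual -L/-Q duplicate check above.
    & setspn.exe -S $spn $Account
}

# Show the account's SPNs after the change, as the article recommends.
& setspn.exe -L $Account
```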
You can try to reregister all the SPNs for the host that is failing to register: However, there are cases when you need to register an SPN manually. For example, Microsoft KB article discusses a situation where domain controllers are not replicating because there is a missing SPN.
For example, assume there is a domain controller named DC2 in the Fabrikam. To test the critical services on the domain controller with verbose output, you can run the command: That command outputs the diagnostic information to the file dcdiag.
Then, you can use Notepad to open the file by running the command: You could then search the file for issues. One issue you might find during the diagnostic is a "Missing SPN" entry during the MachineAccount test, as shown in the following figure.
You may also try restarting the domain controller or NTDS service. To manually register the SPN that is shown as missing in the figure above, you would enter the command shown in the following figure.
If a computer is unable to verify the SPN of another computer, a connection request may be denied or fail. For example, one error you might encounter is "The target principal name is incorrect". You can try running the following command on a domain controller displaying such an error: That command checks for missing and duplicate SPNs as well as other errors.