Create an Active Directory domain user account that will
be the “identity” behind the SPN. This account will be
mapped to the SPNs in the next step and, crucially, has a password
which, through some hashing, serves as a symmetric encryption/decryption
key for parts of the Kerberos tickets.
About this task
The name of this account should be FNCEWS_ + host_name, which is generally the short SPN name chosen above with an underscore ( _ ) in place of the slash ( / ). There are two exceptions, however:
- For clusters, host_name is the cluster name instead of a server name.
- If the derived FNCEWS_ + host_name name would be longer than 20 characters, as it is when host_name is longer than 13 characters, a different, shorter name must be used.
The latter exception exists because, on all platforms, complications arise if the account's User Principal Name (UPN) does not match its User Logon Name (pre-Windows 2000), which is restricted to 20 characters or less. If either exception applies, choose a unique user name of 20 characters or fewer (for example, FN_long_user_name_12) and configure the Kerberos login module to use this name by setting the serviceAccountName option (see KrbServiceLoginModule options).
This "identity" user account name is case-sensitive. Note it down, because it is needed when creating the account and in several later steps.
Procedure
- To create the account, open the Active Directory Users and Computers tool on a Domain Controller in the Content Platform Engine server's Windows domain. Create a Windows domain user (not computer) account that will be used for the SPN. This account must be in the same domain as the Content Platform Engine system. Enter the "identity" user account name, select Password never expires and no other account option, and then enter and confirm a password for the account. Note this password down, because it is needed later.
- Using the Active Directory Users and Computers snap-in again, select the account you just created, right-click it and select Properties… from the menu. Select the Account tab and then, if using DES, select Use Kerberos DES encryption types for this account (scroll to the bottom of the Account Options control to find this option). This configures the account to use DES encryption for the Kerberos tickets; if you use RC4-HMAC, leave this option cleared (see Using RC4-HMAC Security).
Note that this identity user account must not be used for any purpose other than acting as the Kerberos identity for a single Content Platform Engine server or cluster; several Content Platform Engine servers must not share the same identity user unless they are part of a cluster. This identity user account must also not be the user account that might have been set up for SPNEGO support. This latter restriction is needed because the account set up for SPNEGO will likely have its Active Directory UserPrincipalName attribute set in a way that is incompatible with Content Platform Engine Kerberos.
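The naming rule from "About this task", the two procedure steps and the checks implied by the note, as an added PowerShell example that is not part of the IBM documentation. It uses the ActiveDirectory module cmdlets New-ADUser, Set-ADAccountControl and Get-ADUser; the function names, the OU distinguished name and the host name are assumptions chosen for illustration.

```powershell
# Added example (not from the IBM documentation): PowerShell equivalent of the
# GUI steps above, using the ActiveDirectory (RSAT) module. Run on a domain
# controller or a host with RSAT, as a user allowed to create accounts in the
# target OU. Function names and the sample OU/host values are assumptions.

Import-Module ActiveDirectory

# Naming rule: FNCEWS_ + host_name, limited by the 20-character pre-Windows 2000
# logon name. For a cluster, pass the cluster name as -HostName. When the derived
# name is too long, a shorter unique name must be supplied here and also set as
# serviceAccountName in the Kerberos login module.
function Get-FnceIdentityAccountName {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [string]$OverrideName
    )
    $derived = "FNCEWS_$HostName"
    if ($derived.Length -le 20) { return $derived }
    if (-not $OverrideName) {
        throw ("Derived name '$derived' is $($derived.Length) characters; the pre-Windows 2000 " +
               "logon name allows at most 20. Choose a shorter unique name and pass it as -OverrideName.")
    }
    if ($OverrideName.Length -gt 20) { throw "Override name '$OverrideName' also exceeds 20 characters." }
    return $OverrideName
}

# Procedure steps 1 and 2: create a domain user (not a computer account) in the
# Content Platform Engine domain, set only "Password never expires", and, only
# when DES was chosen, set the "Use Kerberos DES encryption types for this
# account" flag (UseDESKeyOnly). With RC4-HMAC the flag stays clear (the default here).
function New-FnceIdentityAccount {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$OuDn,          # assumed, e.g. "OU=ServiceAccounts,DC=example,DC=com"
        [Parameter(Mandatory)][securestring]$Password,
        [switch]$UseDes
    )
    $domain = (Get-ADDomain).DNSRoot
    $params = @{
        Name                  = $Name
        SamAccountName        = $Name
        UserPrincipalName     = "$Name@$domain"   # UPN prefix equals the logon name, as required above
        AccountPassword       = $Password
        Enabled               = $true
        PasswordNeverExpires  = $true
        ChangePasswordAtLogon = $false
        Path                  = $OuDn
        Description           = "Kerberos identity for Content Platform Engine ($Name); do not reuse"
    }
    New-ADUser @params
    if ($UseDes) {
        Set-ADAccountControl -Identity $Name -UseDESKeyOnly $true
    }
}

# Post-creation check covering the note: the account must be dedicated to one
# Content Platform Engine server or cluster and must not be a SPNEGO account,
# whose UPN typically does not match the logon name. Returns $true when the
# account looks right; otherwise it writes each problem as a warning and returns $false.
function Test-FnceIdentityAccount {
    param(
        [Parameter(Mandatory)][string]$Name,
        [switch]$UseDes
    )
    $props = @('PasswordNeverExpires', 'UserPrincipalName', 'UseDESKeyOnly', 'ServicePrincipalNames')
    $u = Get-ADUser -Identity $Name -Properties $props
    $expectedUpn = "$Name@$((Get-ADDomain).DNSRoot)"
    $problems = @()
    if (-not $u.PasswordNeverExpires) { $problems += "'Password never expires' is not set" }
    if ($u.UserPrincipalName -ne $expectedUpn) {
        $problems += "UPN '$($u.UserPrincipalName)' does not match logon name '$Name' (possible SPNEGO account)"
    }
    if ([bool]$u.UseDESKeyOnly -ne [bool]$UseDes) {
        $problems += "UseDESKeyOnly is '$($u.UseDESKeyOnly)' but DES was $(if ($UseDes) { 'chosen' } else { 'not chosen' })"
    }
    # SPNs are mapped in the next step, so a freshly created identity account
    # should carry none yet; existing SPNs mean it already serves another identity.
    if ($u.ServicePrincipalNames.Count -gt 0) {
        $problems += "account already carries SPNs: $($u.ServicePrincipalNames -join ', ')"
    }
    if ($problems) { $problems | ForEach-Object { Write-Warning "$Name : $_" }; return $false }
    return $true
}

# Usage (host name and OU are assumed sample values):
$name = Get-FnceIdentityAccountName -HostName 'cpehost01'
$pw   = Read-Host -AsSecureString -Prompt "Password for $name"
New-FnceIdentityAccount -Name $name -OuDn 'OU=ServiceAccounts,DC=example,DC=com' -Password $pw
Test-FnceIdentityAccount -Name $name
```

Get-FnceIdentityAccountName throws rather than silently truncating, because a name over 20 characters would leave the UPN and the pre-Windows 2000 logon name out of step, which is exactly the condition the text says causes problems on all platforms. Pass -UseDes to both New-FnceIdentityAccount and Test-FnceIdentityAccount only when the deployment uses DES as described above.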