Content Platform Engine, Version 5.2.1

Creating an Active Directory user account

Create an Active Directory domain user account that will be the "identity" behind the SPN. This account will be mapped to the SPNs in the next step and, crucially, has a password that, once hashed into a key, serves as the symmetric key used to encrypt and decrypt parts of the Kerberos tickets.

About this task

The name of this account should be FNCEWS_ + host_name and will generally be similar to the short SPN name chosen above with an underscore ( _ ) in place of the slash ( / ). There are two exceptions, however:

The latter exception exists because of complications on all platforms if the account's User Principal Name (UPN) does not match the User Logon Name (pre-Windows 2000), which is restricted to 20 characters or fewer. If either of these exceptions holds, then you must choose a unique user name of 20 characters or fewer (for example, FN_long_user_name_12) and configure the Kerberos login module to use this new name by setting the serviceAccountName option (see KrbServiceLoginModule options). This "identity" user account name is case-sensitive and should be recorded, as it will be needed when creating this account and for some later steps.

Procedure

  1. To create the account, open the Active Directory Users and Computers tool on a Domain Controller in the Content Platform Engine server's Windows domain. Create a Windows domain user (not computer) account that will be used for the SPN. This account must be in the same domain as that of the Content Platform Engine system. Enter the "identity" user account name, make sure that Password never expires is selected and nothing else, and then enter a password for that account and confirm it. Remember this password as it will be needed later.
  2. Using the Active Directory Users and Computers snap-in again, select the account you just created, right-click it and then select Properties… from the menu. Select the Account tab and then, if using DES, select Use Kerberos DES encryption types for this account (you will need to scroll down to the bottom of the Account Options control to find this option). This configures the account to use DES encryption for the Kerberos tickets; for RC4-HMAC this option must not be checked (see Using RC4-HMAC Security).

    Note that this identity user account must not be used for purposes other than acting as the Kerberos identity for a single Content Platform Engine server or cluster: several Content Platform Engine servers must not share the same identity user unless, of course, they are part of one cluster. This identity user account must also not be the same user account that might have been set up for SPNEGO support. This latter restriction is needed because the user account set up for SPNEGO will likely have its Active Directory UserPrincipalName attribute set in a way that is incompatible with Content Platform Engine Kerberos.
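The same procedure carried out from PowerShell instead of the snap-in, as an added example that is not part of the IBM documentation. It assumes the RSAT ActiveDirectory module is installed, and the host name, OU path and DES switch are placeholders you replace with your own values.

```powershell
# Added example (not from the IBM page): create the Kerberos identity account
# with PowerShell rather than Active Directory Users and Computers.
# Assumptions: RSAT ActiveDirectory module present; $HostName, $OuPath and
# $UseDes are placeholders for your environment.
Import-Module ActiveDirectory

$HostName = 'cpehost01'                             # placeholder host name
$OuPath   = 'OU=ServiceAccounts,DC=example,DC=com'  # placeholder OU
$UseDes   = $false                                  # $true only if DES is in use

# Naming rule from the page: FNCEWS_ + host_name.
$AccountName = 'FNCEWS_' + $HostName

# The pre-Windows 2000 logon name (sAMAccountName) is limited to 20 characters;
# a longer name must be replaced by a short unique one (e.g. FN_long_user_name_12)
# and that name configured through the serviceAccountName login-module option.
if ($AccountName.Length -gt 20) {
    throw "'$AccountName' exceeds 20 characters; pick a shorter unique name and set serviceAccountName."
}

$Domain   = (Get-ADDomain).DNSRoot
$Password = Read-Host -AsSecureString -Prompt "Password for $AccountName (record it; needed later)"

# Create a user (not computer) account in the Content Platform Engine domain.
# Only 'Password never expires' is set; the UPN prefix is kept identical to the
# logon name so the two never diverge.
New-ADUser -Name $AccountName `
           -SamAccountName $AccountName `
           -UserPrincipalName "$AccountName@$Domain" `
           -Path $OuPath `
           -AccountPassword $Password `
           -PasswordNeverExpires $true `
           -ChangePasswordAtLogon $false `
           -Enabled $true

# 'Use Kerberos DES encryption types' only when the deployment uses DES;
# leave it unset for RC4-HMAC.
if ($UseDes) {
    Set-ADAccountControl -Identity $AccountName -UseDESKeyOnly $true
}

# Verify the settings the procedure depends on.
Get-ADUser -Identity $AccountName -Properties PasswordNeverExpires, UseDESKeyOnly, UserPrincipalName |
    Select-Object SamAccountName, UserPrincipalName, PasswordNeverExpires, UseDESKeyOnly
```

The final Get-ADUser line is the check: PasswordNeverExpires should be True, UseDESKeyOnly should match your DES choice, and the UPN prefix should equal SamAccountName.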



Last updated: October 2015
p8psn024.htm

© Copyright IBM Corporation 2015.