How to Configure an SPN Account for an Active Directory Domain Controller

This applies to Windows only. You must restrict and monitor permissions on any Kerberos keytab files you use as part of your Kerberos configuration.

Keytab files contain pairs of Kerberos principals and encrypted keys. Any account with read permission on a keytab file can use all of the keys it contains.

TIBCO recommends that you create a regular user account for the server in the Active Directory domain. It must be a user account, not a computer account, because in a Microsoft Active Directory domain a keytab file can only be generated for user accounts, not for computer or service accounts: computer and service accounts manage their own passwords.

The keytab file entry is encrypted with the Active Directory account password. Therefore, the keytab file must be regenerated whenever the Active Directory password is changed.

The user account must be associated with the service principal name (SPN); the Kerberos domain controller uses it to generate and verify service tickets. The SPN is derived from the URL of the service to be accessed. For example, if the Openspace URL is https://amxbpm.xyz.com:8080/openspace/openspace.html, then the SPN is HTTP/amxbpm.xyz.com@XYZ.COM.

The user account should have the following properties set:

  • User cannot change password
  • Password never expires

To configure an SPN account for the application server on the AD domain controller, you need the Windows Server 2003 Support Tools setspn and ktpass. These are command line utilities that let you map the server user name to the application server and its HTTP service.

The steps to follow to configure an SPN account for an application server are:
  1. Assign the SPN to the Active Directory account using the setspn command.
  2. Repeat this command for each additional SPN you want to assign to the same account.
  3. Generate a keytab file for the user account.

Procedure

  1. Use the setspn command to assign the SPN to the Active Directory account. For example, setspn -S HTTP/amxbpm.xyz.com bpmservice.
    where:
    • HTTP/amxbpm.xyz.com is the SPN derived from the URL of the service to be accessed. For example, if the Openspace URL is https://amxbpm.xyz.com:8080/openspace/openspace.html, then the SPN is HTTP/amxbpm.xyz.com@XYZ.COM.
      Note: No reference to SSL is used in the SPN.
    • bpmservice is the name of the user account.
  2. Repeat this command to assign any number of SPNs to the same account. It may be necessary to assign several forms of the same SPN, with or without the domain and port number. For example, if the TIBCO ActiveMatrix BPM service is running on port 8080, the following SPNs could be derived.
    HTTP/amxbpm
    HTTP/AMXBPM:8080
    HTTP/amxbpm.xyz.com
    HTTP/amxbpm.xyz.com:8080
  3. Generate a keytab file for the user account.
    For example:
    ktpass
    -princ HTTP/amxbpm.xyz.com@XYZ.COM
    -mapuser xyz\bpmservice -pass Password
    -out c:\bpmservice.keytab
    -mapOp add
    -crypto ALL
    -pType KRB5_NT_PRINCIPAL

    where:
    • princ: The service principal name for which the keytab file is to be generated. This is case sensitive.
      Note: This must include the @DOMAIN name, in this example, @XYZ.COM.
    • mapuser: The name of the Active Directory account to which the SPN is associated. This command renames the user principal name (UPN) of the account (without the @DOMAIN element).
    • pass: The password of the Active Directory account.
    • out: The path and name of the keytab file to be created.
    • mapOp: Specifies how the SPN is applied to the account:
      • add: Adds the value of the specified local user name. This is the default.
      • set: Sets the value for Data Encryption Standard (DES)-only encryption for the specified local user name.
    • crypto: Specifies the keys that are generated in the keytab file. ALL states that all supported cryptographic types can be used.
    • pType: Specifies the principal type. KRB5_NT_PRINCIPAL is the general principal type (recommended).
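As an added example that is not part of the TIBCO documentation, the following Python script parses a keytab in the layout ktpass writes (version 0x0502) and reports each entry's principal, kvno and encryption type without ever returning the key bytes, so an administrator can confirm that the entry carries the @XYZ.COM realm and see exactly which enctypes -crypto ALL produced before locking the file down. The keytab sample bytes, the build_entry helper and the audit_keytab check are constructed here; the principal and realm are the page's example values.

```python
import struct
# Enctype numbers from the IANA Kerberos registry; name type 1 is KRB5_NT_PRINCIPAL (RFC 4120)
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

def build_entry(realm, comps, name_type, ts, kvno, enctype, key):
    # Serialise one keytab entry (format 0x0502, big-endian); used here only to construct sample data.
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    body += b"".join(struct.pack(">H", len(c)) + c.encode() for c in comps)
    body += struct.pack(">IIBHH", name_type, ts, kvno & 0xFF, enctype, len(key)) + key
    body += struct.pack(">I", kvno)  # optional trailing 32-bit kvno extension
    return struct.pack(">i", len(body)) + body

def parse_keytab(data):
    # Return principal/kvno/enctype metadata per entry; the key bytes are skipped and never returned.
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:  # a negative size marks a deleted slot of |size| bytes
            pos -= size
            continue
        end = pos + size
        ncomp, rlen = struct.unpack_from(">HH", data, pos)
        realm, pos = data[pos + 4:pos + 4 + rlen].decode(), pos + 4 + rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, pos)
            comps.append(data[pos + 2:pos + 2 + clen].decode())
            pos += 2 + clen
        name_type, ts, vno8, enctype, klen = struct.unpack_from(">IIBHH", data, pos)
        pos += 13 + klen  # fixed header fields plus the key material itself
        kvno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8
        entries.append({"principal": "/".join(comps) + "@" + realm, "name_type": name_type,
                        "kvno": kvno, "enctype": ENCTYPES.get(enctype, enctype), "key_len": klen})
        pos = end
    return entries

# Constructed sample resembling ktpass -crypto ALL output for the page's SPN (dummy all-zero keys)
SAMPLE_KEYTAB = b"\x05\x02" + b"".join(
    build_entry("XYZ.COM", ["HTTP", "amxbpm.xyz.com"], 1, 1700000000, 3, et, bytes(n))
    for et, n in ((18, 32), (23, 16), (3, 8)))

def audit_keytab(data, expected_principal):
    # Post-ktpass check: every entry must carry the expected SPN including @REALM; DES entries are flagged.
    entries = parse_keytab(data)
    bad = [e for e in entries if e["principal"] != expected_principal or str(e["enctype"]).startswith("des-")]
    return entries, bad
```

Run audit_keytab on the real c:\bpmservice.keytab (read in binary mode) with "HTTP/amxbpm.xyz.com@XYZ.COM" as the expected principal; any entry it flags is one whose name or enctype you did not intend to hand to every reader of the file.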