How to Configure an SPN Account for an Active Directory Domain Controller
This applies to Windows only. You must restrict and monitor permissions on any Kerberos keytab files you use as part of your Kerberos configuration.
TIBCO recommends that you create a regular user account for the server in the Active Directory domain. It must be a user account, not a computer account. This is because, in a Microsoft Active Directory Domain, a keytab file is only generated for user accounts, not computer or service accounts. Computer and service accounts manage their own passwords.
The Keytab file entry is encrypted with the Active Directory account password. Therefore, the keytab file must be regenerated whenever the Active Directory password is changed.
The user account must be associated with the service principal name (SPN) and is used by the Kerberos domain controller to generate and verify service tickets. The SPN is derived from the URL of the service to be accessed. For example, if the Openspace URL is https://amxpm.xyz.com:8080/openspace/openspace.html, then the SPN is HTTP/amxbpm.xyz.com@XYZ.COM.
The user account should have the following properties set:
To configure an SPN account for the application server on the AD domain controller, you need to use the Windows Server 2003 Support Tools, setspn and ktpass. These are command line utilities that enable you to map the server user name to the application server and its HTTP service.