Registering Service Principal Names
Registering Service Principal Names (SPN) is the second step in configuring Spotfire Server for the Kerberos authentication method.
Procedure
- Log in to the computer as a domain administrator or a user who is a member of the built-in Account Operators domain group.
- From the Microsoft Support Tools package, use the setspn.exe command-line tool to register two SPNs for the Kerberos service account:
  - Execute the following two commands, replacing the variables as indicated in the table below the commands:

    > setspn -S HTTP/<fully qualified hostname>[:<port>] <service account name>
    > setspn -S HTTP/<hostname>[:<port>] <service account name>

    If the Spotfire Server is not listening on the default HTTP port 80 or the default HTTPS port 443, you should execute the setspn commands both with and without the port specified:

    > setspn -S HTTP/<fully qualified hostname>[:<port>] <service account name>
    > setspn -S HTTP/<hostname>[:<port>] <service account name>
    > setspn -S HTTP/<fully qualified hostname> <service account name>
    > setspn -S HTTP/<hostname> <service account name>

    | Variable | Description |
    | --- | --- |
    | fully qualified hostname | The fully qualified DNS hostname of the computer hosting Spotfire Server (in lowercase characters). |
    | hostname | The short DNS hostname, without domain suffix, of the computer hosting Spotfire Server (in lowercase characters). |
    | service account name | The user login name of the previously created Kerberos service account (in lowercase characters). |
    | port | The TCP port number on which Spotfire Server is listening. This is not required if using the default HTTP port 80 or the default HTTPS port 443. |

    Note: You must use the name of a DNS A record for Spotfire Server. A CNAME record will not work.

    Note: Avoid explicitly specifying the port number if Spotfire Server is using the default HTTP port 80.

    Note: It is recommended that you not have multiple Kerberos-enabled HTTP services on one computer.

    Registering Service Principal Names for the "spotsvc" Kerberos service account to be used by a Spotfire Server installed on the "spotfireserver.research.example.com" computer and listening on the default HTTP port 80 or the default HTTPS port 443:

    > setspn -S HTTP/spotfireserver.research.example.com spotsvc
    > setspn -S HTTP/spotfireserver spotsvc

    This creates the following two SPNs for the "spotsvc" service account:

    - HTTP/spotfireserver.research.example.com
    - HTTP/spotfireserver
- List the SPNs registered for the service account:

    > setspn -L <service account name>

  For example, for the "spotsvc" Kerberos service account, the previous command looks like this:

    > setspn -L spotsvc
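
As an added example (not part of the Spotfire documentation), the PowerShell below derives the SPN set this procedure calls for, including the with-and-without-port case, and reports which of those SPNs are absent from `setspn -L` output. The function names, port 8443 and the sample output are constructed for illustration.

```powershell
# Added example: names, port 8443 and the sample output below are constructed.
function Get-ExpectedSpn {
    param([string]$Fqdn, [int]$Port = 80)
    $fqdnLower = $Fqdn.ToLowerInvariant()        # the page calls for lowercase names
    $short     = $fqdnLower.Split('.')[0]        # short DNS hostname, no domain suffix
    $spns = @("HTTP/$fqdnLower", "HTTP/$short")
    if ($Port -notin @(80, 443)) {
        # Non-default port: SPNs are needed both with and without the port.
        $spns = @("HTTP/${fqdnLower}:$Port", "HTTP/${short}:$Port") + $spns
    }
    return $spns
}

function Get-MissingSpn {
    param([string[]]$Expected, [string[]]$SetspnOutput)
    # In "setspn -L" output the SPN lines are indented; the header line is not.
    $registered = @($SetspnOutput |
        Where-Object { $_ -match '^\s+\S' } |
        ForEach-Object { $_.Trim() })
    # Case-sensitive match, so an SPN registered with uppercase characters is reported.
    return @($Expected | Where-Object { $_ -cnotin $registered })
}

# Constructed sample of "setspn -L spotsvc" output with only one SPN registered.
# On a domain-joined host, pass the live output instead: -SetspnOutput (setspn -L spotsvc)
$sample = @(
    'Registered ServicePrincipalNames for CN=spotsvc,CN=Users,DC=research,DC=example,DC=com:',
    "`tHTTP/spotfireserver.research.example.com"
)

$expected = Get-ExpectedSpn -Fqdn 'spotfireserver.research.example.com' -Port 8443
$missing  = Get-MissingSpn -Expected $expected -SetspnOutput $sample

# Print the registration commands that are still needed.
$missing | ForEach-Object { "setspn -S $_ spotsvc" }
```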