Spotfire® Server and Environment - Installation and Administration

Registering Service Principal Names

Registering Service Principal Names (SPN) is the second step in configuring Spotfire Server for the Kerberos authentication method.

Procedure

  1. Log in to the computer as a domain administrator or a user who is a member of the built-in Account Operators domain group.
  2. From the Microsoft Support Tools package, use the setspn.exe command-line tool to register two SPNs for the Kerberos service account:
    • Execute the following two commands, replacing the variables as indicated in the table below the commands: 
      > setspn -S HTTP/<fully qualified hostname>[:<port>] <service account name>

> setspn -S HTTP/<hostname>[:<port>] <service account name>
    If the Spotfire Server is not listening on the default HTTP port 80 or the default HTTPS port 443, you should execute the setspn commands both with and without the port specified: 
    > setspn -S HTTP/<fully qualified hostname>[:<port>] <service account name>

> setspn -S HTTP/<hostname>[:<port>] <service account name>

> setspn -S HTTP/<fully qualified hostname> <service account name>

> setspn -S HTTP/<hostname> <service account name>
    Variable Description
    fully qualified hostname The fully qualified DNS hostname of the computer hosting Spotfire Server (in lowercase characters).
    hostname The short DNS hostname, without domain suffix, of the computer hosting Spotfire Server (in lowercase characters).
    service account name The user login name of the previously created Kerberos service account (in lowercase characters).
    port The TCP port number on which Spotfire Server is listening. This is not required if using the default HTTP port 80 or the default HTTPS port 443.
    Note: You must use the name of a DNS A record for Spotfire Server. A CNAME record will not work.
    Note: Avoid explicitly specifying the port number if Spotfire Server is using the default HTTP port 80.
    Note: It is recommended that you not have multiple Kerberos-enabled HTTP services on one computer.
    Registering Service Principal Names for the "spotsvc" Kerberos service account to be used by a Spotfire Server installed on the "spotfireserver.research.example.com" computer and listening on the default HTTP port 80 or the default HTTPS port 443: 
    > setspn -S HTTP/spotfireserver.research.example.com spotsvc

> setspn -S HTTP/spotfireserver spotsvc
    This creates the following two SPNs for the "spotsvc" service account:
    • HTTP/spotfireserver.research.example.com
    • HTTP/spotfireserver
    To list the resulting Service Principal Names for a Kerberos service account, execute the following command: 
    > setspn -L <service account name>
    For example, for the "spotsvc" Kerberos service account, the previous command looks like this: 
    > setspn -L spotsvc
Copyright © Cloud Software Group, Inc. All rights reserved.