Add HTTP principal to service account
If the below microsoft official document feels complicated, then scroll down.
Definition of SPN
An SPN is the name by which a client uniquely identifies an instance of a service.
If you install multiple instances of a service on computers throughout a forest, each service instance must have its own SPN.
A particular service instance can have multiple SPNs if there are multiple names that clients might use for authentication.
- The HTTP service class
The HTTP service class differs from the HTTP protocol.
Both the HTTP protocol and the HTTPS protocol use the HTTP service class.
Be aware that the SPN syntax uses a forward slash character (/) to separate elements.
Therefore, the forward slash character (/) cannot appear in a service class name.
- The HOST service and the HTTP service class
The Kerberos protocol uses the HOST SPN to access the host computer.
The Kerberos protocol uses the long-term key on the host computer to create a service ticket.
The HTTP service class is one of the built-in services that act as an alias to the HOST SPN.
The HOST SPN is mapped to the host computer account.
Therefore, when you use the default HTTP service class, the Kerberos protocol uses the computer account as the service account to request a service ticket.
- What all this really means?
See from previous post we received:
Service Account Name
Service Account Password
Now we want to enable kerberos or auto login to a website.
This website will have a fully qualified domain name, example:
So now let us add this website name to the service account.
For this ask system administrator to run the below commands.
- Command to add dev and test environment fully qualified domain name to domain\serviceaccount
1 2 3 $ setspn -S HTTP:/local-dev-environment.domain dummydomain\myserviceaccount $ setspn -S HTTP:/local-test-environment.domain dummydomain\myserviceaccount
Now this HTTP:/fully qualified domain name is known as HTTP principal
- Command to view that link has been done correctly
1 2 3 4 $ setspn -L dummydomain\myserviceaccount HTTP:/local-dev-environment.domain HTTP:/local-test-environment.domain
- Command to delete the link
In case of mistake during linking, link can be deleted using the below command
1 $ setspn -D HTTP:/local-dev-environment.domain dummydomain\myserviceaccount