
Setting an SPN attribute

There are the following options for setting the SPN attribute:

Automatic method

If the AD user under which the VDog MasterService is started has read and write permissions in Active Directory, octoplant sets the attribute itself.

Manual method

The domain administrator sets the SPN attribute in Active Directory on the user account under which the VDog MasterService is started. Use the following SPN format: http://{server name}.{FQDN}.

Create all SPNs

An SPN has to be added for every server address used in any client configuration.

Procedure using the ADSI editor

  1. Open the ADSI editor on the domain controller: Control Panel > System and Security > Administration > ADSI Editor.
  2. Connect to the domain of the server.
  3. Search for the user account of the service, right-click it, and open Properties.
  4. In the Attribute Editor, search for the servicePrincipalName entry and click Edit.
  5. Enter the Service Principal Name (SPN) for each server. Format: http://{server name}.{FQDN}.
  6. Restart the services.
  7. SSO is now working.

    Figure: ADSI editor, store SPN

Procedure using a command line

The setspn command can be used to add an SPN for an octoplant server.

Details

Go to the Microsoft documentation for details of the setspn command.

Case sensitivity

Arguments for the setspn command are case sensitive.

  • To list existing SPNs for an account, use the following command:

    setspn -L {username}

    The following image shows the results of this command:

    Figure: SPN Add user

  • To add an SPN when the VDog MasterService runs under a special user account, use this command:

    setspn -s http://{server name} {user name}

    The following image shows the results of this command:

    Figure: SPN Special user

  • To add an SPN when the VDog MasterService runs under a system account, use this command:

    setspn -s http://{server name} {computer name}

    The following image shows the results of this command:

    Figure: SPN System Account

  • Adding an SPN that already exists will result in a conflict. The following image shows an example of a conflict:

    Figure: SPN Conflict

    When this happens, ask if the SPN is needed for the entity that is shown.

    • If the answer is no:

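      1. Remove it from the account shown in the conflict by running this command (setspn -d requires the account name as its second argument):

        setspn -d http://{server name} {account name}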

        The following image shows the results of this command:
        Figure: SPN System Account

      2. Verify that it has been removed by running setspn -L {username}.

    • If the answer is yes, another server name has to be defined for the application or service, or for octoplant:

      setspn -s http://{additional server name} {user name}
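
The following script is an added example, not part of the octoplant documentation or product. It covers the "Create all SPNs" requirement and the conflict check in one pass: for each server address it looks up which AD object already holds the SPN, adds only the missing ones with setspn -s, and reports conflicts for manual review. It assumes the RSAT ActiveDirectory PowerShell module is installed; the account name and server addresses are constructed sample values, and Get-SpnPlan is a hypothetical helper name.

```powershell
# Added example (not vendor code). Assumes the RSAT ActiveDirectory module and
# permission to write servicePrincipalName on the service account.
Import-Module ActiveDirectory

# Constructed sample values: use the account that runs the VDog MasterService
# and every server address that appears in a client configuration.
$ServiceAccount  = 'svc-octoplant'
$ServerAddresses = @('vdogsrv01', 'vdogsrv01.example.local')

function Get-SpnPlan {
    param([string[]]$Addresses, [string]$Account)

    # Computer accounts carry a trailing '$' in sAMAccountName; strip it for comparison.
    $wanted = $Account.TrimEnd('$')

    foreach ($address in $Addresses) {
        $spn = "http://$address"   # SPN format used on this page

        # Every AD object in the domain that already carries this SPN.
        $holders = @(Get-ADObject -Filter "servicePrincipalName -eq '$spn'" -Properties sAMAccountName)
        $names   = @($holders | ForEach-Object { $_.sAMAccountName.TrimEnd('$') })

        if ($names.Count -eq 0)           { $action = 'Add' }       # not registered yet
        elseif ($names -contains $wanted) { $action = 'Present' }   # already on our account
        else                              { $action = 'Conflict' }  # held by another entity

        [pscustomobject]@{
            Spn    = $spn
            Action = $action
            Holder = ($names -join ', ')
        }
    }
}

$plan = @(Get-SpnPlan -Addresses $ServerAddresses -Account $ServiceAccount)
$plan | Format-Table -AutoSize

# Add only the missing SPNs; -s makes setspn check for duplicates before writing.
$plan | Where-Object { $_.Action -eq 'Add' } | ForEach-Object {
    setspn -s $_.Spn $ServiceAccount
}

# Conflicts are reported, never removed automatically: decide for each entry
# whether the listed holder still needs the SPN before running setspn -d.
$plan | Where-Object { $_.Action -eq 'Conflict' } | ForEach-Object {
    Write-Warning "SPN $($_.Spn) is already registered on: $($_.Holder)"
}
```

Restart the services after new SPNs have been added, as in the ADSI procedure.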