CCS 11.0 provides a batch file that contains the Service Principal Name (SPN) setup script. The script file contains the SetSpn commands that set the required SPNs for the CCS components. Provide the script file to the domain administrator to create the Service Principal Names. You can export the batch file during the CCS Suite installation or by using the VerifyDelegation utility located inside the <Install_Directory>\Application Server folder.
To set the SPNs manually, perform the following procedure.
Create SPNs for the Application Server Service and the Directory Service (DSS). The CCS SPNs are associated with the service accounts that are used by CCS. In a default Active Directory environment, only the domain administrators and the account operators have sufficient rights to create, modify, or delete SPNs.
Identify the user accounts that you want to use as the service account for the Application Server and the Directory Server.
Set up an SPN with the NetBIOS name and the fully qualified domain name (FQDN) of the domain user account in whose context the application pool executes. The SPN can be set up from the Application Server or the domain controller (DC). You must associate an SPN with a single user account.
Execute the following commands on the Windows Server 2003 or the Windows Server 2008 computers to set up an SPN:
SetSpn -A Symantec.CSM.AppServer/appserver_machine DomainName\appserver_account
SetSpn -A Symantec.CSM.AppServer/appserver_machine.fqdn DomainName\appserver_account
SetSpn -A Symantec.CSM.DSS/dss_machine DomainName\dss_account
SetSpn -A Symantec.CSM.DSS/dss_machine.fqdn DomainName\dss_account
appserver_machine: The NetBIOS name of the machine where the Application Server is installed.
appserver_machine.fqdn: The fully qualified domain name of the Application Server computer.
DomainName\appserver_account: The Application Server service account, qualified with its domain name.
dss_machine: The NetBIOS name of the machine where the Directory Service is installed.
DomainName\dss_account: The Directory Service account, qualified with its domain name.
dss_machine.fqdn: The fully qualified domain name of the Directory Service computer.
In addition, execute the following commands on the Windows Server 2003 or Windows Server 2008 computer where IIS 6 or IIS 7 is used. For IIS 7, you must execute these commands only in the following cases:
IIS 7 is used with Kernel Mode Authentication disabled.
IIS 7 is used with Kernel Mode Authentication enabled and the useAppPoolCredentials attribute set to TRUE.
By default, Kernel Mode Authentication is enabled.
SetSpn.exe -A http/IIS_computer's_NetBIOS_name DomainName\UserName
SetSpn.exe -A http/IIS_computer's_FQDN DomainName\UserName
IIS_computer's_NetBIOS_name: The NetBIOS name of the IIS computer.
IIS_computer's_FQDN: The fully qualified domain name of the IIS computer.
DomainName\UserName: The Application Server service account, qualified with its domain name.
You must set the HTTP SPN on Windows Server 2008 computers where the IIS Host Header and the CCS Application Server name are not the same.
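One way to confirm the result of the procedure above, as an added example that is not part of the original article or of CCS: this PowerShell script queries Active Directory for each expected SPN and reports whether it is missing, registered on more than one object, or registered on a different account than intended. The host and account values are placeholders, the function name Test-SpnOwner is hypothetical, and the script assumes PowerShell 3.0 or later on a domain-joined computer and searches only the current domain.

```powershell
# Added example: verify that each CCS SPN is registered on exactly one account.
# All values below are placeholders (assumptions); replace them with your own.
$AppServerHost    = 'appserver_machine'
$AppServerFqdn    = 'appserver_machine.fqdn'
$AppServerAccount = 'appserver_account'   # sAMAccountName, without the domain
$DssHost          = 'dss_machine'
$DssFqdn          = 'dss_machine.fqdn'
$DssAccount       = 'dss_account'         # sAMAccountName, without the domain

# Expected SPN -> owning account, mirroring the SetSpn -A commands above.
# If the HTTP SPNs apply to your IIS setup, add them here in the same way.
$Expected = [ordered]@{
    "Symantec.CSM.AppServer/$AppServerHost" = $AppServerAccount
    "Symantec.CSM.AppServer/$AppServerFqdn" = $AppServerAccount
    "Symantec.CSM.DSS/$DssHost"             = $DssAccount
    "Symantec.CSM.DSS/$DssFqdn"             = $DssAccount
}

function Test-SpnOwner {
    param([string]$Spn, [string]$Account)

    # Find every object in the current domain that carries this SPN.
    $searcher = [adsisearcher]"(servicePrincipalName=$Spn)"
    [void]$searcher.PropertiesToLoad.Add('samaccountname')
    $owners = @($searcher.FindAll() |
        ForEach-Object { [string]$_.Properties['samaccountname'][0] })

    # An SPN must resolve to one account, and to the intended one.
    if     ($owners.Count -eq 0)     { $status = 'MISSING' }
    elseif ($owners.Count -gt 1)     { $status = 'DUPLICATE' }
    elseif ($owners[0] -ne $Account) { $status = 'WRONG_ACCOUNT' }
    else                             { $status = 'OK' }

    [pscustomobject]@{
        Spn      = $Spn
        Expected = $Account
        Found    = ($owners -join ', ')
        Status   = $status
    }
}

$results = foreach ($spn in $Expected.Keys) {
    Test-SpnOwner -Spn $spn -Account $Expected[$spn]
}
$results | Format-Table Spn, Expected, Found, Status -AutoSize

# A non-zero exit code lets a scheduled check fail on any mismatch.
if ($results | Where-Object { $_.Status -ne 'OK' }) { exit 1 }
```

A DUPLICATE or WRONG_ACCOUNT row means the SPN is not associated with a single, intended user account, which is the condition the procedure requires.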
Imported Document ID: HOWTO75233