How to verify CCS SPN (Service Principal Name) settings for CCS (Control Compliance Suite)?
Last Updated May 06, 2016
CCS requires the use of SPNs. Here is a tool you can use to create or check them.
There are 3 ways to use the tool:
Scan for users with SPNs
Scan for duplicate SPNs
Add SPNs
To launch the CCS SPN Utilities
Typically the tool can be found in the following directory on the CCS Application server.
C:\program files (x86)\Symantec\CCS\Reporting and Analytics\Application server\CCSSPNUtil.exe
Once executed, the following window will open:
Scan for users with SPNs
Select "Scan for users with SPN's" and a pop-up will ask for credentials. To check SPNs, any domain user account will work; domain administrative credentials are required only to add or change SPNs.
In the example above the Active Directory domain is "CCS02" and the domain admin "administrator" credentials are used.
Once authenticated to Active Directory, the tool lists all users with SPNs set, including SPNs that are not related to CCS.
In the example above the service account for the application server, "App_service_account", is selected; this is the account that the CCS application server service runs as. The example shows that the "Symantec.CSM.AppServer" SPN is correctly set for both the NetBIOS name and the FQDN of the application server. It also shows an HTTP entry; this entry is only necessary if the CCS Web Console (IIS) is running on a Windows 2003 server. The HTTP entry should not be added for Windows 2008 or 2008 R2 servers serving the CCS Web Console if IIS is set to kernel mode authentication (the default setting); see the CCS Planning and Deployment Guide for more details.
NOTE: In these examples the CCS Directory server and the CCS application server are running on different Windows servers using a different service account. This configuration is only supported in CCS 10.x or upgrades from 10.x to 11.0.
In the above example the service account for the directory server, "DSS_service_account", is selected; this is the account that the CCS directory server service runs as. The example shows that the "Symantec.CSM.DSS" SPN is correctly set for both the NetBIOS name and the FQDN of the directory server.
Scanning for Duplicate SPN's
An SPN can only be associated with one user account on any given machine. So, for instance, if the SPN Symantec.CSM.DSS/adam02.ccs02.local is associated with more than one user account, you will run into problems. To search for duplicate SPNs, click "Scan for Duplicate SPN's". A pop-up will ask for credentials; to check for duplicate SPNs any domain user will do. Domain administrative credentials are only needed to change, remove or add SPNs.
In the above example there are no duplicate SPN entries.
Adding an SPN
Use the CCS SPN Utility to add SPNs. To add an SPN, click the "Add SPN" link. A pop-up will ask for credentials; domain administrative credentials are required to add SPNs.
In the example above an SPN for just the CCS Application server is being created and associated with the App_Service_Account account.
The application server and directory server can run with the same service account or indeed on the same computer (CCS 11.x requirement). In such a situation the above screen shots would look different but could still be correct. The purpose of the SPN entry is to link a service name with a service account and indicate that it is running on a certain computer. Please see the Control Compliance Suite Planning and Deployment Guide for more details.
In the situation where the Directory server and Application server are running on the same machine and under the same account the following four SPN entries should be displayed in the tool:
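As an added example (this is not Symantec's CCSSPNUtil code and is not part of the original article), the following PowerShell performs the same three read-only checks the article walks through, directly against Active Directory with System.DirectoryServices, which is available on any domain-joined Windows host without extra modules. The function names Get-SpnHolders, Find-DuplicateSpn and Test-CcsSpn and their parameters are assumptions introduced here; the account name App_Service_Account and the FQDN adam02.ccs02.local come from the article's examples, while the NetBIOS name ADAM02 is assumed from that FQDN. The search runs in the logged-on user's domain and, like the tool's scan modes, needs only an ordinary domain user.

```powershell
# Added example, not the CCSSPNUtil tool's own code. Reproduces the article's
# checks (users with SPNs, duplicate SPNs, expected CCS entries) against AD.
# Assumptions not taken from the article: function and parameter names, and
# that the search runs in the domain of the logged-on user (read access only).

function Get-SpnHolders {
    # Return every directory object that has at least one SPN set. Computer
    # accounts are included as well as users, because a duplicate between a
    # computer account and a service account breaks Kerberos just the same.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = '(servicePrincipalName=*)'
    $searcher.PageSize = 1000   # paged search so large domains are not truncated
    [void]$searcher.PropertiesToLoad.Add('sAMAccountName')
    [void]$searcher.PropertiesToLoad.Add('servicePrincipalName')
    foreach ($result in $searcher.FindAll()) {
        [pscustomobject]@{
            Account = [string]$result.Properties['samaccountname'][0]
            Spns    = @($result.Properties['serviceprincipalname'] | ForEach-Object { [string]$_ })
        }
    }
}

function Find-DuplicateSpn {
    # Equivalent of "Scan for Duplicate SPN's": index every SPN by value and
    # report the ones registered on more than one account.
    param([object[]]$Holders = (Get-SpnHolders))
    $index = @{}   # hashtable keys are case-insensitive, matching AD's SPN comparison
    foreach ($holder in $Holders) {
        foreach ($spn in $holder.Spns) {
            $key = $spn.ToLowerInvariant()
            if (-not $index.ContainsKey($key)) { $index[$key] = New-Object System.Collections.ArrayList }
            [void]$index[$key].Add($holder.Account)
        }
    }
    foreach ($key in $index.Keys) {
        if ($index[$key].Count -gt 1) {
            [pscustomobject]@{ Spn = $key; Accounts = ($index[$key] -join ', ') }
        }
    }
}

function Test-CcsSpn {
    # Compare the SPNs actually set on the service account with the four entries
    # a combined application + directory server needs: NetBIOS and FQDN for both
    # Symantec.CSM.AppServer and Symantec.CSM.DSS.
    param(
        [Parameter(Mandatory)][string]$ServiceAccount,
        [Parameter(Mandatory)][string]$HostNetBios,
        [Parameter(Mandatory)][string]$HostFqdn,
        [object[]]$Holders = (Get-SpnHolders)
    )
    $expected = foreach ($svc in 'Symantec.CSM.AppServer', 'Symantec.CSM.DSS') {
        "$svc/$HostNetBios"
        "$svc/$HostFqdn"
    }
    $holder = $Holders | Where-Object { $_.Account -eq $ServiceAccount }
    $actual = if ($holder) { @($holder.Spns) } else { @() }
    foreach ($spn in $expected) {
        [pscustomobject]@{ Spn = $spn; Present = ($actual -contains $spn) }   # -contains ignores case
    }
    # An HTTP/ entry is only needed for a Windows 2003 web console; on 2008 and
    # 2008 R2 with kernel-mode authentication it should not be on the account.
    foreach ($spn in ($actual | Where-Object { $_ -like 'HTTP/*' })) {
        Write-Warning "HTTP SPN on ${ServiceAccount}: $spn (only needed for a Windows 2003 web console)"
    }
}

# Example invocation using the article's sample names (NetBIOS name assumed).
$holders = Get-SpnHolders
Find-DuplicateSpn -Holders $holders | Format-Table -AutoSize
Test-CcsSpn -ServiceAccount 'App_Service_Account' -HostNetBios 'ADAM02' `
    -HostFqdn 'adam02.ccs02.local' -Holders $holders | Format-Table -AutoSize
```

Every expected row should report Present = True and Find-DuplicateSpn should return nothing; a row with Present = False means the corresponding entry still has to be added with the tool (or with setspn, which needs domain administrative rights), and any duplicate listed must be removed from all but the correct account before Kerberos authentication to CCS will work.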
Imported Document ID: TECH134268