SETSPN command clarifications

In the XI 3.1 SP3 admin guide, page 503, the SETSPN command which is
used as part of the setup process to establish a service account to
enable AD authentication is outlined as follows:

SETSPN.exe -A /

The guide suggests that the can be anything you want to
arbitrarily assign. If I choose something other than the
suggested “BOBJCentralMS” value, is there anywhere else I have to
specify this value to allow the service account to function properly?

The guide suggests that the should be the domain name on
which the service account exists however I’ve seen many posts online which seem to
indicate this should actually be the FQDN of the server
running the CMS service instead of the general domain name.
Clarification there would be very helpful if anyone has some insight.


Jeremy Rogers :us: (BOB member since 2003-07-01)

I recently went through this on a proof of concept machine. We did the following to get everything working on a single machine install:

C:>setspn -a BOBJCentralMS/[domain netbios name] [account]

C:>setspn -a BOBJCentralMS/[ad domain name] [account]

C:>setspn -a HTTP/[machine netbios name] [account]

C:>setspn -a HTTP/[machine fqdn name] [account]

We decided to do all four after reading that information in the BO doc on implementing Vintela SSO. Even though we’re not doing the SSO, I found the discussion of AD authentication to be much more complete than what was in the admin guide.


dcartwright (BOB member since 2008-11-01)
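The four registrations in the reply above, as an added PowerShell example that is not part of the original thread or of any BusinessObjects documentation. It wraps setspn.exe, which is what the poster typed at a cmd prompt, and adds the check a practitioner wants before registering: Kerberos requires each SPN to map to exactly one account, and a stray copy (most often on the server's computer object) breaks ticket requests. Every name below (the account svc_bobj, the domain COMPANY / company.com, the host BOSERVER) is a placeholder assumption; replace them with your own values. The service class BOBJCentralMS is arbitrary, but whatever you choose must match what you enter in the CMC.

```powershell
# Added example, not from the thread: register the BusinessObjects CMS SPNs on a
# service account, refusing to create duplicates, then verify the result.
# Requires setspn.exe (Support Tools on Server 2003, built in from Server 2008)
# and rights to write servicePrincipalName on the account.
# All names below are placeholder assumptions.

$Account       = 'COMPANY\svc_bobj'      # AD account the CMS service runs as
$DomainNetBios = 'COMPANY'               # NetBIOS name of the account's domain
$DomainFqdn    = 'company.com'           # DNS name of the account's domain
$HostNetBios   = 'BOSERVER'              # server running the CMS
$HostFqdn      = 'boserver.company.com'
$ServiceClass  = 'BOBJCentralMS'         # arbitrary, but must match the CMC setting

$Spns = @(
    "$ServiceClass/$DomainNetBios",
    "$ServiceClass/$DomainFqdn",
    "HTTP/$HostNetBios",
    "HTTP/$HostFqdn"
)

foreach ($spn in $Spns) {
    # setspn -Q searches the forest for any account already holding this SPN.
    # It prints "Existing SPN found!" followed by the owning account when it does.
    $query = & setspn.exe -Q $spn 2>&1
    if ($query -match 'Existing SPN found') {
        Write-Warning "$spn is already registered, not adding it again:`n$($query -join "`n")"
        continue
    }

    # setspn -S adds the SPN only after its own duplicate check and returns a
    # non-zero exit code if it refuses. Older setspn builds lack -S; -A adds
    # unconditionally, which is why the -Q check above is done first.
    $result = & setspn.exe -S $spn $Account 2>&1
    if ($LASTEXITCODE -ne 0) {
        Write-Error "Failed to add $spn to ${Account}:`n$($result -join "`n")"
    } else {
        Write-Host "Registered $spn on $Account"
    }
}

# Verification: everything registered on the account, then a forest-wide scan for
# duplicate SPNs (a duplicate anywhere silently breaks Kerberos for that name).
& setspn.exe -L $Account
& setspn.exe -X
```

Run it from an elevated PowerShell session as a user who can write to the service account. If `setspn -X` reports one of these SPNs twice, remove the copy from the object that should not hold it (`setspn -D <spn> <object>`) rather than adding more registrations.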

C:>setspn -a BOBJCentralMS/COMPANY [account]

C:>setspn -a BOBJCentralMS/COMPANY.COM [account]

So did your first two commands wind up looking something like the above? Without the actual server name running the application services in there anywhere?

Also, that domain name should be the domain on which [account] exists, correct? Not necessarily the domain the app server itself is on, if I understand the documentation correctly.


Jeremy Rogers :us: (BOB member since 2003-07-01)

The first two commands look very much like that.

Yes, to the second question as well. Though if your server resides on a different domain than the account, you’ll want to verify the trusts between the domains are two way, transitive trusts.


dcartwright (BOB member since 2008-11-01)

You don’t happen to have the link to that vintela sso document off hand do you? Trying to locate stuff on their web site is like trying to find a piece of hay in a needlestack…

I know you can’t post the actual document (copyright issues) but a link would be awesome if you have it, I’ve got a login for their site.


Jeremy Rogers :us: (BOB member since 2003-07-01)

I don’t have a link. Sorry. If it helps in finding the doc, the author is named Tim Ziemba.


dcartwright (BOB member since 2008-11-01)

I think that this is the link you are looking for. Not sure why it’s coming down without the .pdf extension. Just rename it and add a .pdf after you download it.


clarence (BOB member since 2005-11-18)

Thanks clarence.

You can include any (not necessarily BOBJCentralMS) and it should work.

You need to specify the SPN settings in CMC > Authentication > Windows AD > ServicePrincipalName area as /BOServer.fully.qualified.domain.name.com

SPNs are needed for all the CMS - for MANUAL Active Directory logon.

Note - SPNs must be registered under the computer name. :wave:


nicholas (BOB member since 2008-07-31)