You can configure the Nymi Enterprise Edition and Connected Worker Platform(CWP) solutions use Kerberos to authenticate service requests between components such as the NES server, user terminals and centralized Nymi Agent. Service principal names (SPNs) uniquely identifies the NES instance for HTTP and HTTPS communication.
When the SPN is not set correctly for the Application Pool Identity account, communication between the NES server and other components in the solution infrastructure to fail.
To troubleshoot and resolve SPN issues, perform the following step on the NES server:
-
Determine which account is assigned to the Application Pool Identity.
- Open IIS Manager and expand the server. Select Application Pools.
-
In the Application Pools table, make note of the account that is specified in the Identity column.
In the following example, the Application Pool Identity is LocalSystem.
-
Open a command prompt as Administrator, and then type the following command to view the existing SPN entries that are associated with the Application Pool Identity account:
setspn -l %computername% | App_Pool_IdentityNote: Only include | App_Pool_Identity if the Application Pool Identity is not a local account, such as NetworkService, or LocalSystem.The following output provides an example of correctly configured SPNs, which include the HTTP entries:
Registered ServicePrincipalNames for CN=TW-SRV2,CN=Computers,DC=TW-Lab,DC=local: HTTP/Tw-Srv2.tw-lab.local HTTP/TW-SRV2 WSMAN/TW-Srv2 WSMAN/TW-Srv2.TW-Lab.local RestrictedKrbHost/TW-SRV2 HOST/TW-SRV2 RestrictedKrbHost/TW-Srv2.TW-Lab.local HOST/TW-Srv2.TW-Lab.local
-
If the HTTP SPN is not set to the correct Application Pool Identity, delete the existing entries by typing the following commands:
setspn -d HTTP/%computername% %computername% setspn -d HTTP/%computername%.%userdnsdomain% %computername%
where %userdnsdomain% is replaced with the DNS name or Fully Qualified Domain Name (FQDN) of the NES domain if the If the user account that is performed the setspn command is a member of a domain that differs from domain.
-
Type the following commands to set the SPN to the Application Pool Identity account:
setspn -S HTTP/nes_hostname:port nes_hostname | App_Pool_Identity setspn -S HTTP/nes_hostname.domain:port nes_hostname | App_Pool_Identity
Where:
- nes_hostname is the hostname of the NES server.
- :port is required only when NES is not configured for traffic on the standard ports (HTTP/80, HTTPs/443) domain is replaced with the DNS name or Fully Qualified Domain Name (FQDN) of the NES domain if the user account that is performing the setspn command is a member of a domain that differs from the NES domain.
- App_Pool_Identity is the name of the Application Pool Identity account.
When the command completes successfully, output similar to the following appears.Checking domain DC=TW-Lab,DC=local Registering ServicePrincipalNames for CN=TW-SRV2,CN=Computers,DC=TW-Lab,DC=local HTTP/Tw-Srv2.tw-lab.local Updated object
-
If the NES server is clustered and netBIOS domain name of the NES server differs from the FQDN of the public domain, type the following command:
setspn -S HTTP/%computername%.publicdomain:port# %computername% | App_Pool_Identity
where:
- nes_hostname is the hostname of the NES server.
- :port is required only when NES is not configured for traffic on the standard ports (HTTP/80, HTTPs/443)
- publicdomain is replaced with the FDQN domain name of NES cluster.
- App_Pool_Identity is the name of the Application Pool Identity account.
Comments
0 commentsPlease sign in to leave a comment.