Troubleshooting SPN issues

The Nymi Enterprise Edition and Connected Worker Platform solutions uses Kerberos to authenticate service requests between components such as the NES server, user terminals and centralized Nymi Agent.  Service principal names (SPNs) uniquely identifies the NES instance for  HTTP and HTTPS communication.  

When the SPN is not set correctly for the Application Pool Identity account, communication between the NES server and other components in the solution infrastructure fail. 

To troubleshoot and resolve SPN issues, perform the following step on the NES server:

1. Determine which account is assigned to the Application Pool Identity.

a. Open IIS Manager and expand the server.  Select Application Pools.

b. In the Application Pools table, make note of the account that is specified in the Identity column.  In the following example, the Application Pool Identity is LocalSystem.

mceclip0.png 

2. Open a command prompt as Administrator, and then type the following command to view the existing SPN entries that are associated with the Application Pool Identity account:

setspn -l %computername% | App_Pool_Identity

NOTE: Only include | App_Pool_Identity if the Application Pool Identity is not a local account, such as NetworkService, or LocalSystem.

The following output provides an example of correctly configured SPNs, which include the HTTP entries:

Registered ServicePrincipalNames for CN=TW-SRV2,CN=Computers,DC=TW-Lab,DC=local:
HTTP/Tw-Srv2.tw-lab.local
HTTP/TW-SRV2
WSMAN/TW-Srv2
WSMAN/TW-Srv2.TW-Lab.local
RestrictedKrbHost/TW-SRV2
HOST/TW-SRV2
RestrictedKrbHost/TW-Srv2.TW-Lab.local
HOST/TW-Srv2.TW-Lab.local

3. If the HTTP SPN is not set to the correct Application Pool Identity, delete the existing entries by typing the following commands:

setspn -d HTTP/%computername% %computername%
setspn -d HTTP/%computername%.%userdnsdomain% %computername%
where  %userdnsdomain% is replaced with the DNS name or Fully Qualified Domain Name (FQDN) of the NES domain if the If the user account that is performed the setspn command is a member of a domain that differs from domain.

4. Type the following commands to set the SPN to the Application Pool Identity account:

setspn -S HTTP/nes_hostname:port nes_hostname | App_Pool_Identity
setspn -S HTTP/nes_hostname.domain:port nes_hostname | App_Pool_Identity

where:

  • nes_hostname is the hostname of the NES server.
  • :port is required only when NES is not configured for traffic on the standard ports (HTTP/80, HTTPs/443)
  • domain is replaced with the DNS name or Fully Qualified Domain Name (FQDN) of the NES domain if the If the user account that is performing the setspn command is a member of a domain that differs from the NES domain.
  • App_Pool_Identity is the name of the Application Pool Identity account.

When the command completes successfully, output similar to the following appears.

Checking domain DC=TW-Lab,DC=local

Registering ServicePrincipalNames for CN=TW-SRV2,CN=Computers,DC=TW-Lab,DC=local
HTTP/Tw-Srv2.tw-lab.local
Updated object

5. If the NES server is clustered and netBIOS domain name of the NES server differs from the the FQDN of the public domain, type the following command:

 setspn -S HTTP/%computername%.publicdomain:port# %computername% | App_Pool_Identity

Where:

  • nes_hostname is the hostname of the NES server.
  • :port is required only when NES is not configured for traffic on the standard ports (HTTP/80, HTTPs/443)
  • publicdomain is replaced with the FDQN domain name of NES cluster.
  • App_Pool_Identity is the name of the Application Pool Identity account.

 

Articles in this section

Was this article helpful?
0 out of 0 found this helpful
Share