on 07-22-2009 3:38 PM
We are looking to use AD authentication to pass through into the UME in NWA CE 7.1
When following the steps we have created the service user in AD and then are looking to register service principal names (SPNs) for the J2EE Engine host name and alias and map them to the service user xxxxx
We then get the following response:
C:\Program Files\Support Tools>setspn -A HTTP/<server name> <account name>
Usage: setspn [switches data] computername
Where "computername" can be the name or domain\name
Switches:
-R = reset HOST ServicePrincipalName
Usage: setspn -R computername
-A = add arbitrary SPN
Usage: setspn -A SPN computername
-D = delete arbitrary SPN
Usage: setspn -D SPN computername
-L = list registered SPNs
Usage: setspn [-L] computername
Examples:
setspn -R daserver1
It will register SPN "HOST/daserver1" and "HOST/{DNS of daserver1}"
setspn -A http/daserver daserver1
It will register SPN "http/daserver" for computer "daserver1"
setspn -D http/daserver daserver1
It will delete SPN "http/daserver" for computer "daserver1"
What is happening and what is our next step?
Colin Cooper
Hello Colin,
You can find all steps to configure the SPNego on following SAP help documentation:
http://help.sap.com/saphelp_nwpi71/helpdata/en/45/40a0de773a7527e10000000a114a6b/frameset.htm
I hope it helps you.
Kind regards,
Lisandro Magnus
Lisandro,
We have been following those steps and are in Step 1 Prerequisites.
The responses shown in my post are what we get back once we have executed the setspn -a HTTP/portal.customer.de j2ee-<SID> command.
We were expecting a response that would show that that service is registered.
Is the response we got back normal?
Colin Cooper
Hello Colin,
The response you get back indicates that the setspn tool detected an error in the attributes.
When the command is successful, you will get a message saying that registering the SPN is successful.
When using the setspn.exe tool, make sure you are logged on with Domain admin rights. I always run the tool on the domain controller itself.
Try including the domain name when you enter the service account, the command should read like this:
setspn -a HTTP/portal.customer.de DOMAIN\j2ee-SID
Replace portal.customer.de with the DNS name for your server; repeat the command with the different DNS names if you have more than one DNS name.
Replace DOMAIN with the name of your windows domain.
Replace j2ee-SID with the User Logon Name of your service account.
Make sure there are no spaces or special signs in the User Logon Name!
On Windows servers, the usage of SPNs is not case sensitive, but when calling the service from non-Windows systems, it is!
For more info on the setspn tool, look here:
http://technet.microsoft.com/en-us/library/cc773257(WS.10).aspx
I hope this helps.
Dagwin
Dagwin,
Thanks for your suggestion.
We are logged in as the domain admin and run the command on the domain controller machine. We can try adding the domain name before the user name.
We tried recreating the situation in a test instance where we used an invalid user account, and in this instance we get a response telling us that it cannot locate the account. However, in the system we don't get this response, which suggests that the user has been located but that something else is not correct. The output we get is the same as if we issue the command without parameters!
Any ideas?
Thanks
Colin Cooper
Hi,
If you get the same output as without parameters it means the command is still not correct...
This usually happens when the program doesn't recognize one of the parameters used.
Any special characters in the account name like a . or a space or something in the account or host name? If so, try putting the name between "<name>". It's better to avoid this however.
Try this command to see if it's already registered or not:
setspn -l <hostname_server>
You might try creating a new account where you only fill in the last name.
The "Full name" of an account is created automatically from the last name and first name. Changing last and/or first name later will NOT change the full name of the account, which can cause problems.
Kind regards,
Dagwin
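The following PowerShell script is an added example, not code from the thread or from SAP or Microsoft. It wraps the two checks Dagwin's replies describe: it rejects a User Logon Name that contains spaces or special characters, lists what is already registered with setspn -L before adding anything, passes the account as DOMAIN\logon to setspn -A, and treats the "Usage:" text (the output Colin saw) as a failed registration. The domain, account and host names used are placeholders; the character rule in Test-LogonName and the parsing of setspn -L output are assumptions, and the script must run with Domain Admin rights where setspn.exe is available.

```powershell
# Added example (not from the thread). Assumes setspn.exe is on the PATH
# and the session has Domain Admin rights, as Dagwin recommends.

function Test-LogonName {
    param([Parameter(Mandatory)][string]$LogonName)
    # Dagwin's rule: no spaces or special signs in the User Logon Name.
    # Assumption: allow only letters, digits, hyphen and underscore.
    return ($LogonName -match '^[A-Za-z0-9_-]+$')
}

function Get-RegisteredSpn {
    param([Parameter(Mandatory)][string]$Account)   # DOMAIN\logon
    # setspn -L prints a header line followed by one indented SPN per line
    # (assumption about the output layout; adjust the pattern if it differs).
    $lines = & setspn.exe -L $Account 2>&1
    if ($lines -match '^Usage:') {
        throw "setspn did not accept '$Account':`n$($lines -join "`n")"
    }
    return @($lines | Where-Object { $_ -match '^\s+\S+/\S+' } | ForEach-Object { $_.Trim() })
}

function Register-HttpSpn {
    param(
        [Parameter(Mandatory)][string]$Domain,       # Windows domain (NetBIOS name)
        [Parameter(Mandatory)][string]$LogonName,    # User Logon Name of the service account
        [Parameter(Mandatory)][string[]]$HostNames   # every DNS name clients will use
    )
    if (-not (Test-LogonName $LogonName)) {
        throw "Logon name '$LogonName' contains spaces or special characters; create a plain account instead"
    }
    $account  = "$Domain\$LogonName"
    $existing = Get-RegisteredSpn -Account $account

    foreach ($h in $HostNames) {
        $spn = "HTTP/$h"
        # Non-Windows Kerberos clients compare SPNs case-sensitively, so the
        # comparison here is case-sensitive (-ccontains) and the SPN is stored
        # exactly as the clients will request it.
        if ($existing -ccontains $spn) {
            Write-Host "$spn is already registered for $account"
            continue
        }
        $out = & setspn.exe -A $spn $account 2>&1
        # The usage text means setspn did not parse the command (the symptom in this thread).
        if ($out -match '^Usage:') {
            throw "setspn printed its usage text instead of registering ${spn}:`n$($out -join "`n")"
        }
        Write-Host "Registered $spn for $account"
    }
}

# Placeholder values; replace with your domain, service account and portal DNS names.
Register-HttpSpn -Domain 'CORP' -LogonName 'j2ee-XYZ' `
    -HostNames @('portal.example.com', 'portal-alias.example.com')
```

Run it once per service account; re-running is safe because an SPN that setspn -L already reports is skipped rather than added twice.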