To enable a Domino® server to participate in Windows™ single sign-on for Web clients, an Active Directory administrator must use the Active Directory setspn utility to assign at least one service principal name (SPN) for the server to an Active Directory account. SPNs correspond to DNS names in server URLs (for example, www.renovations.com) that Web clients use to connect to the Domino server.
About this task
An SPN is a required part of the Domino server's identity in the Active Directory domain and is formatted as follows:
HTTP/<DNS_name>@<Active_Directory_Kerberos_realm>
For example:
HTTP/www.renovations.com@AD.EAST.RENOVATIONS.COM
When you assign an SPN, you are telling the Windows Kerberos Key Distribution Center (KDC) that Kerberos service tickets can be issued for Domino. A Web browser client can then obtain a Kerberos service ticket on behalf of the Web user and send it to Domino, which uses the ticket to authenticate the Web user.
You must assign an SPN for each DNS name found in a URL used to connect to a Domino server. The following steps demonstrate how an SPN is used during the process of authenticating a Web user in a Windows single sign-on environment:
Procedure
1. A Web user enters a URL in a browser to connect to a Domino server participating in Windows single sign-on.
http://www.renovations.com/names.nsf
The DNS name is www.renovations.com
The Active Directory domain that the Domino server machine belongs to is AD.EAST.RENOVATIONS.COM
4. The Web browser receives the service ticket and sends it to the Domino server.
5. The Domino server accepts the service ticket and authenticates the user.
Assigning SPNs using the domspnego utility: A command line utility, domspnego.cmd, is installed in the HCL Domino server installation directory to help automate the process of assigning SPNs to an Active Directory account.
Assigning SPNs without using the domspnego utility: In certain cases you might want to assign Service Principal Names (SPNs) manually, rather than using the Domino utility.
Examples of account choices and SPNs: This topic provides examples of using the setspn utility to assign Service Principal Names (SPNs) in Active Directory.
Verifying that the Domino server is logged on under the correct account: After you have assigned SPNs to an account, verify that the Domino server is logged on under that account.
Steps to set up the Windows service for Domino server
1. Decide which Active Directory account to assign the SPNs to.
2. Optional: Assign the SPNs to the account. Optionally use the domspnego.cmd utility provided with Domino to help with this step.
3. Verify that the Domino server Windows service is logged on under the account.
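The following PowerShell script is an added example, not part of the HCL documentation or the domspnego utility: it derives one HTTP SPN from each DNS name that appears in the URLs Web clients use, registers each SPN on the account the Domino Windows service logs on as, and then checks the result. The account name svc-domino and the second URL are hypothetical; www.renovations.com is the DNS name used in the topic above.

```powershell
# Added example (not HCL's code). Run as a user allowed to write
# servicePrincipalName on the target account (for example a domain administrator).
# Hypothetical account that the Domino server Windows service logs on as.
$Account = 'svc-domino'
# Every URL Web clients use to reach this Domino server; each distinct DNS
# name (including aliases) needs its own SPN.
$Urls = @(
    'http://www.renovations.com/names.nsf',        # from the topic above
    'https://mail.renovations.com/mail/user.nsf'   # hypothetical alias
)

# setspn takes only the HTTP/<DNS_name> part; the Kerberos realm in the full
# SPN (HTTP/<DNS_name>@<realm>) is implied by the domain of the target account.
$expected = $Urls |
    ForEach-Object { 'HTTP/' + ([System.Uri]$_).Host } |
    Sort-Object -Unique

foreach ($spn in $expected) {
    # -S checks the forest for an existing registration before adding.
    # An SPN registered on two accounts leaves the KDC unable to choose one,
    # and Kerberos authentication to Domino then fails.
    Write-Host "Registering $spn on $Account"
    & setspn.exe -S $spn $Account
    if ($LASTEXITCODE -ne 0) {
        # setspn prints the reason (for example a duplicate SPN) on failure.
        Write-Warning "setspn did not add $spn (exit code $LASTEXITCODE)"
    }
}

# Verification: every expected SPN must appear in the account's SPN list.
$registered = & setspn.exe -L $Account
$missing = $expected | Where-Object {
    -not ($registered -match ('^\s*' + [regex]::Escape($_) + '\s*$'))
}
if ($missing) {
    Write-Warning ('Not registered on ' + $Account + ': ' + ($missing -join ', '))
} else {
    Write-Host "All HTTP SPNs are registered on $Account"
}
```

After the SPNs are registered, the Domino server Windows service must actually be logged on as that same account (step 3), or the KDC issues tickets that Domino cannot decrypt.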
Related concepts: Assigning SPNs using the domspnego utility; Assigning SPNs without using the domspnego utility
Related tasks: Deciding which accounts to assign the SPNs to; Verifying that the Domino server is logged on under the correct account; Setting up Windows single sign-on for Web clients
Related reference: Examples of account choices and SPNs
Related information: Troubleshooting Windows single sign-on for Web clients (SPNEGO)