Starting with version 6.0, ActiveRoles Server supports Kerberos authentication with the Administration Service (in addition to NTLM authentication). However, some additional configuration steps are required to enable the Administration Service to support Kerberos authentication.
Support for Kerberos authentication, in conjunction with Kerberos delegation, allows the Web Interface to use Integrated Windows authentication rather than Basic authentication in the situation where the Web Interface and the Administration Service are running on different computers. For instructions on how to enable this functionality in the Web Interface, please see "Using Kerberos authentication with Integrated Windows authentication in Web Interface".
Steps to enable Kerberos authentication for administration service
Beginning with version 6.0, the Administration Service uses service principal names (SPNs) in the form "arssvc/hostname" for Kerberos authentication. So, to enable Kerberos authentication, you have to register the appropriate service principal names (SPNs) with the user account that the Administration Service uses to log on (service account).
For example, in an environment where:
· "ars1.example.org" is the DNS name of the computer running the Administration Service
· "ars1" is the NetBIOS name of the computer running the Administration Service
· "example\ArsSvcAcct" is the logon name of the service account
you have to register the following service principal names with the "example\ArsSvcAcct" user account:
· arssvc/ars1.example.org
· arssvc/ars1
You can register the service principal names by using the SetSpn utility as follows. The utility is included with Windows Support Tools.
1. Add the SPN for the Administration Service computer's DNS name to the Administration Service's service account by using the following command-line syntax:
setspn -A "arssvc/<DNS name>" "<domain>\<service account>"
For example:
setspn -A "arssvc/ars1.example.org" "example\ArsSvcAcct"
2. Add the SPN for the Administration Service computer's NetBIOS name to the Administration Service's service account by using the following command-line syntax:
setspn -A "arssvc/<NetBIOS name>" "<domain>\<service account>"
For example:
setspn -A "arssvc/ars1" "example\ArsSvcAcct"
3. Repeat steps 1-2 for each additional Administration Service that uses the same service account.
4. Verify that the SPNs have been properly registered:
setspn -L "<domain>\<service account>"
For example:
setspn -L "example\ArsSvcAcct"
5. Reboot the Web Interface host.
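Steps 1-4 can be scripted so that each SPN is checked for an existing owner before it is added, since an SPN registered on two accounts causes Kerberos authentication for that SPN to fail. The following PowerShell sketch is an added example, not part of the original article or the product. It uses the article's example host and account names and assumes it is run by an account allowed to write SPNs, on a domain-joined machine where setspn.exe is available; the duplicate check searches the current domain only.

```powershell
# Added example: register and verify "arssvc" SPNs for one service account.
# Values below are the article's example names; replace them for your environment.
$ServiceAccount = 'example\ArsSvcAcct'
$AdminServiceHosts = @(
    @{ Dns = 'ars1.example.org'; NetBios = 'ars1' }
    # Add one entry per additional Administration Service using this account (step 3).
)

# Steps 1-2: one SPN for the DNS name and one for the NetBIOS name of each host.
$spns = foreach ($h in $AdminServiceHosts) {
    "arssvc/$($h.Dns)"
    "arssvc/$($h.NetBios)"
}

$samName = $ServiceAccount.Split('\')[-1]

foreach ($spn in $spns) {
    # Find every account in the current domain that already holds this SPN.
    $searcher = [adsisearcher]"(servicePrincipalName=$spn)"
    [void]$searcher.PropertiesToLoad.Add('samaccountname')
    $owners = @($searcher.FindAll() |
        ForEach-Object { $_.Properties['samaccountname'][0] })

    if ($owners -contains $samName) {
        Write-Host "OK       $spn is already registered on $ServiceAccount"
        continue
    }
    if ($owners.Count -gt 0) {
        # Adding it again would create a duplicate SPN; resolve the conflict first.
        Write-Warning "$spn is already held by: $($owners -join ', '). Not adding."
        continue
    }

    Write-Host "ADDING   $spn"
    & setspn.exe -A $spn $ServiceAccount
}

# Step 4: list the SPNs on the service account and report any that are missing.
$registered = & setspn.exe -L $ServiceAccount | ForEach-Object { $_.Trim() }
$missing = @($spns | Where-Object { $registered -notcontains $_ })

if ($missing.Count -eq 0) {
    Write-Host "All $($spns.Count) SPNs are registered on $ServiceAccount."
} else {
    Write-Warning "Missing SPNs on ${ServiceAccount}: $($missing -join ', ')"
}
```

A warning about an SPN held by a different account usually means an earlier registration against a computer or old service account; remove it there before registering it on the current service account.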