Part 1: Configure the Active Roles service account SPN (Service Principal Name)
setspn -S ArAdminSvc/ActiveRolesServiceHost.domain.com GMSAName$
setspn -S ArAdminSvc/ActiveRolesServiceHost GMSAName$
Example: to configure the SPN for a server named ActiveRoles01 in the domain.local domain that uses a gMSA named ARGMSA:
setspn -S ArAdminSvc/ActiveRoles01.domain.local ARGMSA$
setspn -S ArAdminSvc/ActiveRoles01 ARGMSA$
Part 2: Authentication paths
There are two authentication paths which must be configured:
Active Roles Web Interface -> Microsoft SQL Service
The service account running the IIS AppPool on the Active Roles Web Interface host must have constrained delegation access to the MSSQLSvc SPN stored on the account running the Microsoft SQL Service.
Active Roles Web Interface -> Active Roles Administration Service -> Microsoft SQL Service
The service account running the IIS AppPool on the Active Roles Web Interface host must have constrained delegation access to the ArAdminSvc SPN on the Active Roles Service Account. In addition, the service account running the Active Roles Administration Service must have constrained delegation access to the MSSQLSvc SPN stored on the account running the Microsoft SQL Service.
When configuring delegation for a gMSA, there is no standard Delegation tab in Active Directory Users and Computers like there is for a Computer or User account. Instead, it is necessary to update two attributes on the gMSA manually using Active Directory Users and Computers or the Active Roles Console, if Active Roles is already configured.
msDS-AllowedToDelegateTo needs to be updated with the SPN of the delegated service.
So, the msDS-AllowedToDelegateTo attribute on the IIS gMSA needs to have entries for both the MSSQLSvc and ArAdminSvc SPNs.
The msDS-AllowedToDelegateTo attribute on the Active Roles gMSA needs to have entries for the MSSQLSvc SPN.
It may also be necessary to adjust the userAccountControl attribute on the gMSA. This attribute controls which authentication protocol the account may use for delegation.
The value for Kerberos only is 4096, and the value for any authentication protocol is 16781312. For constrained delegation, set the value to 4096.
In some environments, a different value may be needed if advanced functionality is desired. For more information on possible values for the userAccountControl attribute, see this Microsoft resource or contact Microsoft.
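The attribute updates described above, done with the ActiveDirectory PowerShell module instead of the ADUC attribute editor, as an added example that is not part of this article. The IIS gMSA name (ARIISGMSA), the SQL service account name (SQLSVC) and the host name are assumptions; the script reads the MSSQLSvc SPNs from the SQL service account so the delegation entries match what is actually registered, adds only the entries that are missing, and then verifies both gMSAs.

```powershell
# Added example, not from the article. Account and host names are assumptions.
Import-Module ActiveDirectory

$IisGmsa    = 'ARIISGMSA'                    # gMSA running the IIS AppPool (assumed)
$ArGmsa     = 'ARGMSA'                       # gMSA running the Administration Service
$SqlSvcAcct = 'SQLSVC'                       # account running the SQL Server service (assumed)
$ArHost     = 'ActiveRoles01.domain.local'   # Administration Service host

# Read the MSSQLSvc SPNs straight from the SQL service account (works for a user,
# computer or gMSA) so the delegation targets are exactly the registered SPNs.
$sqlSpns = (Get-ADObject -LDAPFilter "(sAMAccountName=$SqlSvcAcct)" `
            -Properties servicePrincipalName).servicePrincipalName |
           Where-Object { $_ -like 'MSSQLSvc/*' }
if (-not $sqlSpns) { throw "No MSSQLSvc SPN is registered on $SqlSvcAcct" }

# Both forms of the ArAdminSvc SPN, matching Part 1
$arSpns = @("ArAdminSvc/$ArHost", "ArAdminSvc/$($ArHost.Split('.')[0])")

function Add-DelegationTargets {
    param([string]$Gmsa, [string[]]$Targets)
    $acct = Get-ADServiceAccount -Identity $Gmsa -Properties msDS-AllowedToDelegateTo
    # -Add fails on a value that already exists, so add only the missing ones
    $missing = $Targets | Where-Object { $acct.'msDS-AllowedToDelegateTo' -notcontains $_ }
    if ($missing) {
        Set-ADServiceAccount -Identity $Gmsa -Add @{ 'msDS-AllowedToDelegateTo' = @($missing) }
    }
}

# Web Interface gMSA: may delegate to SQL and to the Administration Service
Add-DelegationTargets -Gmsa $IisGmsa -Targets ($sqlSpns + $arSpns)
# Administration Service gMSA: may delegate to SQL only
Add-DelegationTargets -Gmsa $ArGmsa  -Targets $sqlSpns

# Verify the targets and that userAccountControl is 4096 (Kerberos only)
foreach ($name in $IisGmsa, $ArGmsa) {
    $acct = Get-ADServiceAccount -Identity $name `
            -Properties msDS-AllowedToDelegateTo, userAccountControl
    "$name -> " + ($acct.'msDS-AllowedToDelegateTo' -join ', ')
    if ($acct.userAccountControl -ne 4096) {
        Write-Warning "$name userAccountControl is $($acct.userAccountControl); expected 4096 for constrained delegation"
    }
}
```

Run it as an account with write access to both gMSA objects; the hosts still need the reboot described below before the new delegation settings take effect.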
IMPORTANT: After all SPNs have been added to Active Directory, reboot the host machines to load the Active Directory changes.
Part 3: Configure IIS server hosting Active Roles Web Interface
- In Internet Information Server (IIS), navigate to the website, such as ARWebHelpDesk
- Double-click Authentication
- Ensure only Windows Authentication and ASP.NET Impersonation are enabled (and using default settings)
- Reboot the Web Interface host.
Part 4: If experiencing access issues, ensure the following options are set in Internet Explorer.
- Configure IE (Internet Explorer) settings to allow Automatic Logon in Intranet Zone
- In IE settings, add the domain as a trusted site. Navigate to Security | Local Intranet
- Click Sites and then Advanced
- Add in the Domain, such as *.domain.local