NOTE: For Active Roles 7.x, the SPN value is ARAdminSvc. For 6.9 and below, it is arssvc.
NOTE: Any Windows 10 machine that will be using the Web Interface will require Constrained Delegation. Windows 10, when joined to a domain, will block Unconstrained Kerberos Delegation. Please see the following Microsoft Article here.
NOTE: Unconstrained delegation requires that the HTTP service principal names be configured for any URL used to access the Active Roles Web Interface. This includes the Active Roles Web Interface machine name as well as any alias or load-balanced URL used to access the Active Roles Web Interface.
NOTE: Troubleshooting this configuration is best done by enabling Kerberos logging on all relevant servers and clients by following this Microsoft solution.
If the ARWebAppPool in IIS is being run under the security context of a User account, run these commands:
If the ARWebAppPool in IIS is being run under the security context of a Computer account (like the default ApplicationPoolIdentity), run these commands:
Configure the Active Roles service account SPN (Service Principal Name)
Open a command prompt as administrator and run the following commands:
setspn -U -S ARAdminSvc/ActiveRolesServiceHost.domain.com domain\ActiveRolesServiceAccount
setspn -U -S ARAdminSvc/ActiveRolesServiceHost domain\ActiveRolesServiceAccount
There are two authentication paths which must be configured:
Active Roles Web Interface -> Microsoft SQL Service
The service account running the IIS AppPool on the Active Roles Web Interface host must have constrained delegation access to the MSSQLSvc SPN stored on the account running the Microsoft SQL Service.
Active Roles Web Interface -> Active Roles Administration Service -> Microsoft SQL Service
The service account running the IIS AppPool on the Active Roles Web Interface host must have constrained delegation access to the Active Roles SPN on the Active Roles Service Account. In addition, the service account running the Active Roles Administration Service must have constrained delegation access to the MSSQLSvc SPN stored on the account running the Microsoft SQL Service.
After all SPNs have been added to Active Directory, reboot the host machines to load the Active Directory changes.
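The following is an added example, not part of the original article or the vendor's tooling: a PowerShell check that reads back the delegation settings for each hop of the two authentication paths described above. It assumes the ActiveDirectory module (RSAT) is installed; ARWebAppPoolAccount is a placeholder name for the account running the IIS AppPool, and the ARAdminSvc prefix applies to 7.x.

```powershell
# Added example: read back delegation settings for each hop of the two paths.
# Requires the ActiveDirectory module (RSAT) and read access to the directory.
Import-Module ActiveDirectory

$webPoolAccount = 'ARWebAppPoolAccount'        # assumption: placeholder; use 'HOSTNAME$' for a computer account
$arSvcAccount   = 'ActiveRolesServiceAccount'  # account name used in the setspn commands
$arSpnPrefix    = 'ARAdminSvc/'                # 7.x; use 'arssvc/' for 6.9 and below

# One entry per hop: the delegating account and the SPN prefix it must reach.
$hops = @(
    @{ Hop = 'Web Interface -> SQL';           Account = $webPoolAccount; Target = 'MSSQLSvc/' }
    @{ Hop = 'Web Interface -> Admin Service'; Account = $webPoolAccount; Target = $arSpnPrefix }
    @{ Hop = 'Admin Service -> SQL';           Account = $arSvcAccount;   Target = 'MSSQLSvc/' }
)

function Test-DelegationHop {
    param([string]$Hop, [string]$Account, [string]$Target)

    # Get-ADObject covers both user and computer accounts.
    $obj = Get-ADObject -LDAPFilter "(sAMAccountName=$Account)" `
        -Properties 'msDS-AllowedToDelegateTo', 'userAccountControl'
    if (-not $obj) {
        return [pscustomobject]@{ Hop = $Hop; Account = $Account; Status = 'ACCOUNT NOT FOUND'; Allowed = @() }
    }

    # SPNs this account may delegate to that match the service needed for this hop.
    $allowed = @($obj.'msDS-AllowedToDelegateTo' | Where-Object { $_ -like "$Target*" })

    # 0x80000 = TRUSTED_FOR_DELEGATION, i.e. unconstrained delegation is enabled.
    $unconstrained = [bool]($obj.userAccountControl -band 0x80000)

    $status = 'OK'
    if ($unconstrained) {
        $status = 'UNCONSTRAINED (blocked for Windows 10 clients)'
    }
    elseif ($allowed.Count -eq 0) {
        $status = "NO $Target* ENTRY IN ALLOWED-TO-DELEGATE LIST"
    }

    [pscustomobject]@{ Hop = $Hop; Account = $Account; Status = $status; Allowed = $allowed }
}

$results = foreach ($h in $hops) { Test-DelegationHop @h }
$results | Format-Table -AutoSize -Wrap
```

Any hop that does not report OK points to the account whose Delegation tab still needs the target SPN added.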
Configure IIS server hosting Active Roles Web Interface
If you have any access issues, ensure the following options are set in the browser.