
Updating the Windows Domain Configuration

To configure FME Server to use single sign-on authentication, the Windows domain must recognize FME Server as a domain service. Two steps are required:

  1. Represent FME Server as a domain service by assigning it a service principal name (SPN).
  2. Register the SPN (or SPNs) to the service account.

Assigning a Service Principal Name

An SPN has the form: <service>/<host>, where:

<service> is the service type. In the context of FME Server, this is http.

<host> is the name of the machine hosting FME Server's web application server. To provide flexibility, we suggest assigning both the unqualified and fully-qualified versions of the host name.

To obtain the unqualified and fully-qualified versions of the host name:

  1. From a domain computer, click the Start menu, right-click 'Computer' or 'My Computer' and select 'Properties'.
  2. For the unqualified host name, refer to 'Computer name'.
  3. For the fully-qualified host name, refer to 'Full computer name'.

For example, if the unqualified host name is 'fmeserver' and the fully-qualified host name is 'fmeserver.domain.net', the SPNs are:

http/fmeserver

http/fmeserver.domain.net

To register an SPN to a service account:

  1. From the domain controller, open a command prompt (cmd.exe) via the Start menu.
  2. Type setspn -A <spn> <account> to register the SPN to the service account.
  3. Ensure that the command succeeded with the message 'Updated object'. If the message 'Unable to locate account ...' appears, the account name is incorrectly specified.
  4. Repeat until all SPNs are added.

For example, using the SPNs in the previous example, and supposing the service account is 'fmeserveradmin', the following commands would be entered:

setspn -A http/fmeserver fmeserveradmin

setspn -A http/fmeserver.domain.net fmeserveradmin
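
The same registration with a duplicate check and a verification step, as an added PowerShell example that is not part of the FME Server guide. It uses the guide's sample host and account names, swaps setspn -A for setspn -S (which checks for an existing registration before adding), and assumes English-language setspn output.

```powershell
# Added example, not from the FME Server guide.
# Host and account names are the guide's sample values; replace with your own.
$Account  = 'fmeserveradmin'          # service account
$HostName = 'fmeserver'               # unqualified host name
$Fqdn     = 'fmeserver.domain.net'    # fully-qualified host name
$Spns     = "http/$HostName", "http/$Fqdn"

foreach ($spn in $Spns) {
    # -Q queries the domain for an existing registration of this SPN.
    # Assumption: English output containing 'Existing SPN found'.
    $existing = & setspn.exe -Q $spn 2>&1 | Out-String
    if ($existing -match 'Existing SPN found') {
        # An SPN registered to more than one account breaks Kerberos
        # authentication for the service, so do not add it again blindly.
        Write-Warning "$spn is already registered:`n$existing"
        continue
    }

    # -S adds the SPN only after verifying that no duplicate exists.
    $result = & setspn.exe -S $spn $Account 2>&1 | Out-String
    if ($result -notmatch 'Updated object') {
        throw "Registration of $spn failed:`n$result"
    }
}

# -L lists every SPN registered to the account. Compare whole lines so that
# http/fmeserver is not satisfied by http/fmeserver.domain.net.
$registered = & setspn.exe -L $Account 2>&1 | ForEach-Object { "$_".Trim() }
foreach ($spn in $Spns) {
    if ($registered -notcontains $spn) {
        throw "$spn is not registered to $Account"
    }
}
$registered
```

If the warning fires for an SPN that belongs to a different account, remove it from that account with setspn -D before registering it to the service account.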

Safe Software Inc. www.safe.com