Updating the Windows Domain Configuration

To configure FME Server to use single sign-on authentication, the Windows domain must recognize FME Server as a domain service. Three steps are required:

  1. Represent FME Server as a domain service by assigning it a service principal name (SPN).
  2. Register the SPN (or SPNs) to the service account.
  3. Ensure that the service account requires Kerberos pre-authentication.

A) Assign a Service Principal Name

An SPN has the form: <service>/<host>, where:

<service> is the service type. In the context of FME Server, this is http.

<host> is the name of the machine hosting FME Server's web application server. To provide flexibility, we suggest assigning both the unqualified and fully-qualified versions of the host name.

To obtain the unqualified and fully-qualified versions of the host name:

  1. From the FME Server host machine, click the Start menu, right-click 'Computer' or 'My Computer' and select 'Properties'.
  2. For the unqualified host name, refer to 'Computer name'.
  3. For the fully-qualified host name, refer to 'Full computer name'.

For example, if the unqualified host name is 'MyETLServer' and the fully-qualified host name is 'MyETLServer.domain.net', the SPNs are:

  • http/MyETLServer
  • http/MyETLServer.domain.net

B) Register an SPN to a Service Account

  1. From the Domain Controller, open a command prompt (cmd.exe) via the Start menu.
  2. Type setspn -S <spn> <account> to register the SPN to the service account.
  3. Ensure that the command succeeded with the message 'Updated object'. If the message 'Unable to locate account ...' appears, the account name is incorrectly specified.
  4. Repeat until all SPNs are added.

For example, using the SPNs in the previous example, and supposing the service account is 'fmeserveradmin', the following commands would be entered:

setspn -S http/MyETLServer fmeserveradmin

setspn -S http/MyETLServer.domain.net fmeserveradmin

C) Ensure the Service Account Requires Kerberos Pre-authentication

  1. From the Domain Controller, open 'Active Directory Users and Computers' via the Start menu.
  2. In the console tree, navigate to the service account.
  3. Right-click the service account, and select Properties.
  4. Select the Account tab.
  5. Under Account Options, scroll to the bottom and ensure that 'Do not require Kerberos preauthentication' is unchecked.
  6. Click OK.
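The three steps above, carried out and then verified from one PowerShell session, as an added example that is not part of the original page or of FME Server itself. It assumes the RSAT ActiveDirectory module is available, that it runs with domain-admin rights on the Domain Controller, and that the service account is 'fmeserveradmin' and the host is 'MyETLServer' as in the examples above (both are parameters you would replace). It adds two checks the manual steps leave implicit: it refuses to register an SPN that another account already holds, because a duplicate SPN breaks Kerberos for both accounts, and it clears the 'Do not require Kerberos preauthentication' flag if it is set, since without pre-authentication the KDC will hand out material encrypted with the account's key to any requester, which exposes the account's password to offline guessing.

```powershell
# Added example: register FME Server's SPNs and verify the service account's
# Kerberos settings. Assumed names: service account 'fmeserveradmin', host
# 'MyETLServer' (replace with your own). Requires the ActiveDirectory module.
param(
    [string]$ServiceAccount = 'fmeserveradmin',
    [string]$HostName       = 'MyETLServer'
)

Import-Module ActiveDirectory

# The service account, including the two attributes we need to verify.
$acct = Get-ADUser -Identity $ServiceAccount `
    -Properties servicePrincipalName, userAccountControl, DoesNotRequirePreAuth

# Step A: build the unqualified and fully-qualified SPNs from the host name.
# DNS resolution of the host gives the fully-qualified name shown under
# 'Full computer name' in the System properties dialog.
$fqdn = [System.Net.Dns]::GetHostEntry($HostName).HostName
$spns = @("http/$HostName", "http/$fqdn") | Select-Object -Unique

# Step B: register each SPN to the service account, but never create a
# duplicate. An SPN held by two accounts makes the KDC unable to pick a key,
# so tickets for that service fail for both accounts.
foreach ($spn in $spns) {
    $holder = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)"
    if ($holder -and $holder.DistinguishedName -ne $acct.DistinguishedName) {
        Write-Warning "$spn is already registered to $($holder.DistinguishedName); skipping."
        continue
    }
    # setspn -S checks the forest for duplicates before adding (unlike -A).
    & setspn -S $spn $ServiceAccount | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "setspn -S $spn $ServiceAccount failed (exit code $LASTEXITCODE)"
    }
}

# Step C: make sure Kerberos pre-authentication is required. The checkbox
# 'Do not require Kerberos preauthentication' corresponds to the
# DONT_REQ_PREAUTH bit (0x400000) of userAccountControl.
$DONT_REQ_PREAUTH = 0x400000
$preAuthDisabled = $acct.DoesNotRequirePreAuth -or
                   (($acct.userAccountControl -band $DONT_REQ_PREAUTH) -ne 0)
if ($preAuthDisabled) {
    Write-Warning "$ServiceAccount does not require pre-authentication; enabling it."
    Set-ADAccountControl -Identity $ServiceAccount -DoesNotRequirePreAuth $false
}

# Final report: what the account looks like after the changes.
$acct = Get-ADUser -Identity $ServiceAccount `
    -Properties servicePrincipalName, DoesNotRequirePreAuth
[pscustomobject]@{
    Account         = $acct.SamAccountName
    SPNs            = ($acct.servicePrincipalName -join ', ')
    PreAuthRequired = -not $acct.DoesNotRequirePreAuth
}
```

Run it from an elevated PowerShell prompt on the Domain Controller, passing `-HostName` with the FME Server host's unqualified name. The report at the end should list both http/ SPNs and show PreAuthRequired as True; `setspn -L fmeserveradmin` gives the same SPN list from the command prompt, and `setspn -X` reports any duplicate SPNs across the forest if you want a domain-wide check afterwards.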