Updating the Windows Domain Configuration

To configure FME Flow to use single sign-on authentication, the Windows domain must recognize FME Flow as a domain service. The following steps are required:

  1. Represent FME Flow as a domain service by assigning it a service principal name (SPN).
  2. Register the SPN (or SPNs) to the service account.
  3. Ensure that the service account requires Kerberos pre-authentication.
  4. Ensure your domain controllers do not allow RC4 encryption.

A) Assign a Service Principal Name

An SPN has the form: <service>/<host>, where:

<service> is the service type. In the context of FME Flow, this is http.

<host> is the name of the machine hosting FME Flow's web application server. To provide flexibility, we suggest assigning both the unqualified and fully-qualified versions of the host name.

Note: If FME Flow is configured for access through a DNS alias (CNAME), SPNs must also be registered using this alias.

To obtain the unqualified and fully-qualified versions of the host name:

  1. From the FME Flow host machine, click the Start menu, right-click 'Computer' or 'My Computer' and select 'Properties'.
  2. For the unqualified host name, refer to 'Computer name'.
  3. For the fully-qualified host name, refer to 'Full computer name'.

For example, if the unqualified host name is 'MyETLServer' and the fully-qualified host name is 'MyETLServer.domain.net', the SPNs are:

  • http/MyETLServer
  • http/MyETLServer.domain.net

B) Register an SPN to a Service Account

  1. From the Domain Controller, open a command prompt (cmd.exe) via the Start menu.
  2. Type setspn -S <spn> <account> to register the SPN to the service account.
  3. Ensure that the command succeeded with the message 'Updated object'. If the message 'Unable to locate account ...' appears, the account name is incorrectly specified.
  4. Repeat until all SPNs are added.

For example, using the SPNs in the previous example, and supposing the service account is 'fmeflowadmin', the following commands would be entered:

setspn -S http/MyETLServer fmeflowadmin

setspn -S http/MyETLServer.domain.net fmeflowadmin

C) Ensure the Service Account Requires Kerberos Pre-authentication

  1. From the Domain Controller, open 'Active Directory Users and Computers' via the Start menu.
  2. In the console tree, navigate to the service account.
  3. Right-click the service account, and select Properties.
  4. Select the Account tab.
  5. Under Account Options, scroll to the bottom and ensure that 'Do not require Kerberos preauthentication' is unchecked.
  6. Click Ok.
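The following PowerShell script is an added example, not Safe Software's own tooling: it builds the SPN list described in section A, registers each SPN with setspn -S as in section B, checks for the 'Updated object' and 'Unable to locate account' messages, and then verifies the pre-authentication setting from section C by testing the DONT_REQ_PREAUTH bit (0x400000) of userAccountControl. It assumes it is run on a domain controller with the RSAT ActiveDirectory module installed; the host, suffix, alias and account names are placeholders.

```powershell
# Added example (not Safe Software's code). Run on a domain controller with the
# ActiveDirectory PowerShell module (RSAT) installed. All names below are placeholders.
param(
    [string]$FmeHost        = 'MyETLServer',   # unqualified host name (section A)
    [string]$DnsSuffix      = 'domain.net',    # DNS suffix of the FME Flow host
    [string]$ServiceAccount = 'fmeflowadmin',  # service account (section B)
    [string[]]$Aliases      = @()              # optional CNAMEs, e.g. 'fmeflow.domain.net'
)

# Build the SPN list exactly as section A describes: unqualified and fully-qualified
# host names, plus any DNS alias the service is reached through.
$hosts = @($FmeHost, "$FmeHost.$DnsSuffix") + $Aliases
$spns  = $hosts | ForEach-Object { "http/$_" }

foreach ($spn in $spns) {
    # setspn -S checks the forest for a duplicate before adding, so a duplicate is
    # reported instead of silently creating an ambiguous SPN.
    $out = & setspn.exe -S $spn $ServiceAccount 2>&1 | Out-String
    if ($out -match 'Updated object') {
        Write-Host "Registered $spn -> $ServiceAccount"
    } elseif ($out -match 'Duplicate SPN found') {
        Write-Warning "$spn is already registered to another account; resolve before continuing"
    } elseif ($out -match 'Unable to locate account') {
        throw "Service account '$ServiceAccount' not found; check the account name"
    } else {
        Write-Warning "Unexpected setspn output for ${spn}: $out"
    }
}

# Confirm what is actually registered on the account.
& setspn.exe -L $ServiceAccount

# Section C: DONT_REQ_PREAUTH is bit 0x400000 of userAccountControl and must be clear.
$uac = (Get-ADUser -Identity $ServiceAccount -Properties userAccountControl).userAccountControl
if ($uac -band 0x400000) {
    Write-Warning "'Do not require Kerberos preauthentication' is set on $ServiceAccount; clear it"
    # Remediation: Set-ADAccountControl -Identity $ServiceAccount -DoesNotRequirePreAuth $false
} else {
    Write-Host "Kerberos pre-authentication is required for $ServiceAccount (correct)"
}
```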

D) Ensure Your Domain Controllers Do Not Allow RC4 Encryption

If the domain controller local policy or group policy allows RC4 encryption, and this policy cannot be changed, you can allow FME Flow to use less secure encryption:

  1. On the FME Flow machine, navigate to <FMEFlowDir>\Utilities\jre\conf\security.
  2. Create a new file called krb5.conf.
  3. Edit the new file with the following text and save:

    [libdefaults]
        allow_weak_crypto = true

  4. Restart FME Flow.