
Enable support for Kerberos authentication

Updated: December 30, 2007

Applies To: Windows Server 2008 R2, Windows Server 2012

If you plan to use Active Directory Rights Management Services (AD RMS) with Kerberos authentication, you must take additional steps to configure the server running AD RMS after installing the AD RMS server role and provisioning the server. Specifically, you must perform these procedures:

  • Set the Internet Information Services (IIS) useAppPoolCredentials variable to True

  • Set the Service Principal Names (SPN) value for the AD RMS service account

Membership in the AD RMS Enterprise Administrators and the Enterprise Admins group in AD DS, or equivalent, is the minimum required to complete this procedure.

Set the IIS useAppPoolCredentials value to True

  1. Open an elevated command prompt window. To open an elevated Command Prompt window, click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.

  2. Navigate to %windir%\system32\inetsrv.

  3. Type appcmd.exe set config -section:system.webServer/security/authentication/windowsAuthentication -useAppPoolCredentials:true

Important
To perform the following procedure successfully, the AD RMS service account must be in the same forest as the AD RMS cluster. Also, if you change the AD RMS service account, you must delete the SPN registrations for the previous service account and then perform this procedure for the new service account.

Set the Service Principal Names (SPN) value for the AD RMS service account

  1. Open an elevated command prompt window. To open an elevated Command Prompt window, click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.

  2. Type setspn -a HTTP/<ServerName> <ServiceAccountDomain>\<ServiceAccount>, where <ServerName> is the name of the server, <ServiceAccountDomain> is the name of the domain containing the AD RMS service account, and <ServiceAccount> is the name of the AD RMS service account.

  3. Type setspn -a HTTP/<ServerFQDN> <ServiceAccountDomain>\<ServiceAccount>, where <ServerFQDN> is the fully qualified domain name (FQDN) of the server.

  4. Type setspn -a HTTP/<ClusterName> <ServiceAccountDomain>\<ServiceAccount>, where <ClusterName> is the name of the AD RMS cluster.

  5. Type setspn -a HTTP/<ClusterFQDN> <ServiceAccountDomain>\<ServiceAccount>, where <ClusterFQDN> is the fully qualified domain name (FQDN) of the cluster.

Note
If the cluster is using Secure Sockets Layer (SSL), repeat steps 2 through 5, substituting HTTPS for HTTP.
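
To confirm that both procedures took effect, the following PowerShell check (an added example, not part of the original procedure) reads back the IIS setting and looks up each SPN in the global catalog, flagging any that are missing, duplicated, or still registered to a previous service account. All parameter defaults are constructed placeholders, the OK/MISSING/WRONG/DUPLICATE labels are this example's own, and it assumes an elevated PowerShell session on the AD RMS server under a domain account.

```powershell
# Added verification example. Every default below is a constructed placeholder.
param(
    [string]$ServerName     = 'RMS01',
    [string]$ServerFqdn     = 'rms01.corp.example',
    [string]$ClusterName    = 'rms',
    [string]$ClusterFqdn    = 'rms.corp.example',
    [string]$ServiceAccount = 'svc-adrms',  # sAMAccountName of the AD RMS service account
    [switch]$Ssl                             # set when the cluster uses SSL
)

# 1. Read back the IIS setting changed in the first procedure.
$appcmd  = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'
$section = 'system.webServer/security/authentication/windowsAuthentication'
$config  = & $appcmd list config "-section:$section" | Out-String
if ($config -match 'useAppPoolCredentials="true"') {
    'OK        useAppPoolCredentials is true'
} else {
    'MISSING   useAppPoolCredentials is not true'
}

# 2. Look up every expected SPN forest-wide through the global catalog.
$forest   = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().Name
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [adsi]"GC://$forest"
[void]$searcher.PropertiesToLoad.Add('sAMAccountName')

$classes = @('HTTP')
if ($Ssl) { $classes += 'HTTPS' }   # per the note: repeat steps 2-5 with HTTPS

foreach ($class in $classes) {
    foreach ($name in $ServerName, $ServerFqdn, $ClusterName, $ClusterFqdn) {
        $spn = "$class/$name"
        $searcher.Filter = "(servicePrincipalName=$spn)"
        # Collect the account name of every object that holds this SPN.
        $owners = @($searcher.FindAll() | ForEach-Object {
            [string]$_.Properties['samaccountname'][0]
        })
        if ($owners.Count -eq 0) {
            "MISSING   $spn"
        } elseif ($owners.Count -gt 1) {
            "DUPLICATE $spn -> $($owners -join ', ')"
        } elseif ($owners[0] -ne $ServiceAccount) {
            "WRONG     $spn -> $($owners[0])"   # e.g. still on a previous service account
        } else {
            "OK        $spn"
        }
    }
}
```

A WRONG or DUPLICATE line means the SPN registration on the other account must be deleted before Kerberos authentication to that name can succeed.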
