
Enable support for Kerberos authentication

Updated: December 30, 2007

Applies To: Windows Server 2008 R2, Windows Server 2012

If you plan to use Active Directory Rights Management Services (AD RMS) with Kerberos authentication, you must take additional steps to configure the server running AD RMS after installing the AD RMS server role and provisioning the server. Specifically, you must perform these procedures:

  • Set the Internet Information Services (IIS) useAppPoolCredentials variable to True

  • Set the Service Principal Names (SPN) value for the AD RMS service account

Membership in the AD RMS Enterprise Administrators and the Enterprise Admins group in AD DS, or equivalent, is the minimum required to complete this procedure.

Set the IIS useAppPoolCredentials value to True

  1. Open an elevated Command Prompt window. To do so, click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.

  2. Navigate to %windir%\system32\inetsrv.

  3. Type appcmd.exe set config -section:system.webServer/security/authentication/windowsAuthentication -useAppPoolCredentials:true

Important
To perform the following procedure successfully, the AD RMS service account must be in the same forest as the AD RMS cluster. Also, if you change the AD RMS service account, you must delete the SPN registrations for the previous service account and then perform this procedure for the new service account.

Set the Service Principal Names (SPN) value for the AD RMS service account

  1. Open an elevated Command Prompt window. To do so, click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.

  2. Type setspn -a HTTP/<ServerName> <ServiceAccountDomain>\<ServiceAccount>, where <ServerName> is the name of the server, <ServiceAccountDomain> is the name of the domain containing the AD RMS service account, and <ServiceAccount> is the name of the AD RMS service account.

  3. Type setspn -a HTTP/<ServerFQDN> <ServiceAccountDomain>\<ServiceAccount>, where <ServerFQDN> is the fully qualified domain name (FQDN) of the server.

  4. Type setspn -a HTTP/<ClusterName> <ServiceAccountDomain>\<ServiceAccount>, where <ClusterName> is the name of the AD RMS cluster.

  5. Type setspn -a HTTP/<ClusterFQDN> <ServiceAccountDomain>\<ServiceAccount>, where <ClusterFQDN> is the fully qualified domain name (FQDN) of the cluster.

Note
If the cluster is using Secure Sockets Layer (SSL), repeat steps 2 through 5, substituting HTTPS for HTTP.
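
The following read-only check is an added example, not part of the original article. It confirms that every SPN from steps 2 through 5 (and the HTTPS set from the note) is registered on the AD RMS service account and on no other account, because Kerberos authentication fails when the same SPN is held by more than one account. The account and host names are constructed placeholders, and the parsing of setspn output is an assumption noted in the comments.

```powershell
# Added example: read-only audit of the SPNs registered by the procedure above.
# All names below are constructed placeholders; replace them with your own.
$ServiceAccount = 'CORP\svc-adrms'      # <ServiceAccountDomain>\<ServiceAccount>
$Names = @(
    'RMS01',                            # <ServerName>
    'rms01.corp.example',               # <ServerFQDN>
    'rmscluster',                       # <ClusterName>
    'rmscluster.corp.example'           # <ClusterFQDN>
)
$ClusterUsesSsl = $true                 # also expect the HTTPS/ set from the note

$schemes = @('HTTP')
if ($ClusterUsesSsl) { $schemes += 'HTTPS' }
$expected = foreach ($s in $schemes) { foreach ($n in $Names) { "$s/$n" } }

# setspn -L prints a header line, then one indented SPN per line.
$registered = @(setspn -L $ServiceAccount |
    Where-Object { $_ -match '^\s+\S' } |
    ForEach-Object { $_.Trim() })

$report = foreach ($spn in $expected) {
    # setspn -Q searches the current domain for accounts holding the SPN.
    # Assumption: each holder is printed as a line starting with its DN ("CN=...").
    $holders = @(setspn -Q $spn | Where-Object { $_ -match '^CN=' })
    New-Object PSObject -Property @{
        SPN         = $spn
        OnAccount   = ($registered -contains $spn)   # case-insensitive match
        HolderCount = $holders.Count
        Holders     = ($holders -join '; ')
    }
}

$report | Format-Table SPN, OnAccount, HolderCount, Holders -AutoSize -Wrap

# Missing: never registered on the service account.
$missing = @($report | Where-Object { -not $_.OnAccount })
# Conflict: held by more than one account, or only by some other account.
$conflicts = @($report | Where-Object {
    $_.HolderCount -gt 1 -or ($_.HolderCount -eq 1 -and -not $_.OnAccount) })

if ($missing)   { Write-Warning ("Missing on ${ServiceAccount}: " + (($missing | ForEach-Object { $_.SPN }) -join ', ')) }
if ($conflicts) { Write-Warning ("Held by another account: " + (($conflicts | ForEach-Object { $_.SPN }) -join ', ')) }
if (-not $missing -and -not $conflicts) { 'All expected SPNs are registered once, on the service account.' }
```

Running the same check against the previous service account after a service account change shows which SPN registrations still need to be deleted from it.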

Additional reference
