6.6.2. Set Service Principals

A Service Principal Name (SPN) is an identifier registered on the recorder's Active Directory user account that maps a service instance to that account. Registering the SPNs lets the KDC issue Kerberos service tickets for the recorder's web service (HTTP) and database (POSTGRES) to clients that authenticate with the domain.

The SPNs can be set from the Active Directory Users & Computers GUI by enabling the Advanced Features view and editing the servicePrincipalName attribute on the user's Attribute Editor tab. That method is error-prone (a typo or wrong case in the value is easy to miss), so setting the SPNs from PowerShell is recommended.

Open an elevated PowerShell on a domain-joined machine with the RSAT ActiveDirectory module and run the script below. Replace the two variables at the top with the values for your environment.

Kerberos principal names are case-sensitive: the host part of each SPN must be lowercase and the Kerberos realm must be uppercase, otherwise the names the recorder presents will not match the tickets the KDC issues. The script derives the FQDN in lowercase and the realm in uppercase from the two variables you set; do not edit those derived values.

PowerShell
# Replace these variables
$recorderUser = "NLRecorder"
$fullDomain   = "contoso.net"

# DO NOT edit these variables: Kerberos requires the host part in lowercase
# and the realm in uppercase
$recorderFQDN  = "$($recorderUser.ToLower()).$($fullDomain.ToLower())"
$kerberosRealm = $fullDomain.ToUpper()

# Register both SPNs on the account and trust it for delegation (Kerberos only)
Set-ADUser -Identity $recorderUser -PassThru `
    -ServicePrincipalNames @{Add = @(
        "HTTP/$recorderFQDN@$kerberosRealm",
        "POSTGRES/$recorderFQDN@$kerberosRealm"
    )} `
    -TrustedForDelegation $true

For NexLog Access Bridge to work with Active Directory authentication, the account must also be trusted for delegation. The -TrustedForDelegation $true parameter in the script above already enables this. If you set the SPNs from the GUI instead, open the account's Delegation tab (it only appears once the account has at least one SPN) and select Trust this user for delegation to any service (Kerberos only). This is unconstrained delegation: the recorder's account can obtain service tickets on behalf of any user who authenticates to it, so protect it as a sensitive account (strong, unique password, no interactive logon rights) and keep privileged accounts out of its reach by marking them Account is sensitive and cannot be delegated or placing them in the Protected Users group.

Fig. 6.4 AD Users and Computer - Delegation

Warning

Consistency Checks

Running consistency checks against Active Directory can flag the recorder's service principal names, which contain a forward slash (/). Microsoft tools such as LDIF utilities or IdFix may offer to normalize the values by removing the slash; applying that change breaks domain authentication for the web configuration page and the client software. Always reject any suggested modification to the SPNs configured for the recorder, and re-check the account afterwards if a consistency check has been run.
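As an added verification example (not part of the NexLog documentation), the following PowerShell re-checks the result of the procedure above and detects the damage the warning describes: it confirms that both SPNs are present on the account with exact case, that no other object in the directory claims the same SPN (a duplicate SPN prevents the KDC from issuing tickets for that service), and that the account is trusted for delegation. It assumes the RSAT ActiveDirectory module, the same $recorderUser and $fullDomain values as the setup script (the values shown are placeholders), and rights to read the directory.

```powershell
# Added verification example, not from the NexLog documentation.
# Assumes the RSAT ActiveDirectory module and the same variables as the setup script.
Import-Module ActiveDirectory

$recorderUser = "NLRecorder"   # placeholder, replace for your environment
$fullDomain   = "contoso.net"  # placeholder, replace for your environment

# Same construction as the setup script: host part lowercase, realm uppercase
$recorderFQDN  = "$($recorderUser.ToLower()).$($fullDomain.ToLower())"
$kerberosRealm = $fullDomain.ToUpper()

# The exact SPN strings the recorder expects
$expectedSpns = @(
    "HTTP/$recorderFQDN@$kerberosRealm",
    "POSTGRES/$recorderFQDN@$kerberosRealm"
)

$user = Get-ADUser -Identity $recorderUser -Properties ServicePrincipalNames, TrustedForDelegation
$problems = @()

foreach ($spn in $expectedSpns) {
    # -ceq is a case-sensitive comparison: catches a tool that stripped the '/'
    # or lower-cased the realm as well as an SPN that is missing altogether
    if (-not ($user.ServicePrincipalNames | Where-Object { $_ -ceq $spn })) {
        $problems += "Missing or altered SPN on $($user.SamAccountName): $spn"
    }

    # The same SPN registered on more than one object leaves the KDC unable to
    # pick an account, so tickets for that service are refused
    $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties servicePrincipalName)
    if ($owners.Count -gt 1) {
        $dns = ($owners | ForEach-Object { $_.DistinguishedName }) -join '; '
        $problems += "SPN $spn is registered on multiple objects: $dns"
    }
}

if (-not $user.TrustedForDelegation) {
    $problems += "$($user.SamAccountName) is not trusted for delegation (Kerberos only)"
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    # To repair after a consistency check removed or altered the SPNs, re-run:
    # Set-ADUser -Identity $recorderUser -ServicePrincipalNames @{Add = $expectedSpns} -TrustedForDelegation $true
} else {
    Write-Host "SPNs and delegation for $recorderUser are configured as expected."
}
```

Run it as the same elevated user that performed the setup; a clean run prints the confirmation line, and any warning names the exact SPN or setting to re-apply. Because Add on -ServicePrincipalNames is a no-op for values already present, re-running the setup script to repair is safe.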