Configure Kerberos with an Active Directory Service Account
If you've opted to run the gateway service as an Active Directory service account, you will need to configure a specific service principal name (SPN) for this purpose as outlined below. In addition, if you wish to use the features in Keyfactor Command (e.g. enrollment, revocation) that rely on Kerberos delegation to allow requests to be made in the context of the user initiating the request rather than a service account, you will need to follow the instructions below for configuring Kerberos delegation rather than the standard delegation instructions found in the Keyfactor Command Installation and Configuration Guide.
Configure the Service Principal Name for the Gateway Service in the Gateway Configuration
To add a custom SPN to the gateway configuration:
- On the AnyCAGateway DCOM machine, open a text editor (e.g. Notepad) using the “Run as administrator” option.
- In the text editor, browse to open the CAProxyServer.exe.config file in the directory in which you installed the AnyCAGateway DCOM. By default, this is the following directory:
  C:\Program Files\Keyfactor\Keyfactor AnyGateway\
- In the CAProxyServer.exe.config file, locate the appSettings section near the top and add the following line at the end of the configuration settings within the section, where KFGW is a unique service name in your environment and mygateway.keyexample.com is the fully qualified domain name of your AnyCAGateway DCOM server or the DNS alias you are using to reference your AnyCAGateway DCOM server, if applicable:
  <add key="ServicePrincipalName" value="KFGW/mygateway.keyexample.com" />
Figure 596: Add a ServicePrincipalName Entry to the CAProxyServer Configuration File
Configure the Service Principal Name for the Gateway Service in Active Directory
On a server that has the setspn command available (typically it is available on domain controllers, as it installs as part of the Active Directory Domain Services role), open a command prompt using the “Run as administrator” option and run the following command, where KFGW is the name of the gateway service as defined in the previous step, mygateway.keyexample.com is the fully qualified domain name of your gateway server or the DNS alias you are using to reference your gateway server, if applicable, and KEYEXAMPLE\svc_kyfgateway is the domain name and service account name of the service account under which the gateway service is running:
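As an added check (example script, not part of the Keyfactor documentation), the following PowerShell reads the SPN from CAProxyServer.exe.config and confirms that it is registered on the gateway service account and on no other account in the domain. It assumes the RSAT ActiveDirectory PowerShell module is installed and uses the page's placeholder names (KFGW, mygateway.keyexample.com, svc_kyfgateway) and default install path.

```powershell
# Added verification script (not from the Keyfactor documentation). Assumes the RSAT
# ActiveDirectory module is installed and the script runs as a domain user that can read AD.
# Names below are the page's placeholders; replace them with your environment's values.
$ConfigPath     = 'C:\Program Files\Keyfactor\Keyfactor AnyGateway\CAProxyServer.exe.config'
$ServiceAccount = 'svc_kyfgateway'   # sAMAccountName of KEYEXAMPLE\svc_kyfgateway

Import-Module ActiveDirectory

# 1. Read the SPN the gateway advertises from the appSettings section of its config file.
[xml]$config = Get-Content -Path $ConfigPath -Raw
$entry = $config.configuration.appSettings.add | Where-Object { $_.key -eq 'ServicePrincipalName' }
if (-not $entry) { throw "No ServicePrincipalName key found in $ConfigPath" }
$spn = $entry.value
Write-Host "Configured SPN: $spn"

# 2. Confirm the SPN is registered on the account the gateway service runs as.
$account = Get-ADUser -Identity $ServiceAccount -Properties servicePrincipalName
if ($account.servicePrincipalName -contains $spn) {
    Write-Host "OK: $spn is registered on $ServiceAccount"
} else {
    Write-Warning "$spn is NOT registered on $ServiceAccount; clients cannot obtain Kerberos tickets for the gateway"
}

# 3. Check that no other object holds the same SPN. With a duplicate SPN the KDC may issue
#    a ticket keyed to the wrong account, so Kerberos authentication to the gateway fails.
$holders = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties servicePrincipalName
$others  = @($holders | Where-Object { $_.DistinguishedName -ne $account.DistinguishedName })
if ($others.Count -gt 0) {
    Write-Warning ("Duplicate SPN {0} also found on: {1}" -f $spn, ($others.DistinguishedName -join '; '))
} else {
    Write-Host "OK: $spn is unique in the domain"
}
```

Run it after completing both SPN steps; a warning from step 2 or 3 explains most "Kerberos works for the service account but not for delegated user requests" reports.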