Configure the Service Principal Name

To add a service principal name (SPN) to the service account under which your Keyfactor SCEP server runs to support Kerberos authentication:

  1. On a server that has the setspn command available (typically it is available on domain controllers, as it installs as part of the Active Directory Domain Services role), open a command prompt using the Run as administrator option.
  2. Run the following command (where scepserver.keyexample.com is the fully qualified domain name of your Keyfactor SCEP server or the DNS alias you are using to reference your Keyfactor SCEP server, if applicable, and KEYEXAMPLE\svc_scep is the domain name and service account name of the service account under which the Keyfactor SCEP application pool is running):
    setspn -s HTTP/scepserver.keyexample.com KEYEXAMPLE\svc_scep
Important: If Keyfactor Command and the Keyfactor SCEP server are installed on the same IIS server, and:
  • You want to use Kerberos authentication, and
  • The two application pools run under different service accounts,
then you must use separate DNS hostnames (aliases) for each application.

Each hostname must have its own unique SPN registered to the corresponding service account.

Kerberos does not support registering the same SPN (e.g., HTTP/keyfactorserver.keyexample.com) to multiple service accounts (e.g., KEYEXAMPLE\svc_keyfactorpool and KEYEXAMPLE\svc_scep). Attempting to do so will result in authentication failures.
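The following PowerShell script is an added example, not part of the Keyfactor documentation: it checks each SPN for an existing or conflicting holder before registering it with setspn, covering the two-application-pool case described above. It assumes the ActiveDirectory module (RSAT) is installed, and reuses the hostnames and account names from the examples on this page.

```powershell
# Added example (not Keyfactor's own tooling): pre-check and register one SPN per
# DNS alias, each mapped to the service account of its application pool.
# Requires the ActiveDirectory PowerShell module and rights to modify the accounts.
Import-Module ActiveDirectory

$domainNetbios = 'KEYEXAMPLE'   # from the page's examples; adjust for your domain

# Separate aliases for Keyfactor Command and Keyfactor SCEP, because the two
# application pools run under different service accounts.
$spnMap = @{
    'HTTP/keyfactorserver.keyexample.com' = 'svc_keyfactorpool'
    'HTTP/scepserver.keyexample.com'      = 'svc_scep'
}

foreach ($spn in $spnMap.Keys) {
    $wantedAccount = $spnMap[$spn]

    # Every AD object that already holds this SPN. Kerberos requires exactly one.
    $holders = @(Get-ADObject -Filter "servicePrincipalName -eq '$spn'" `
                              -Properties servicePrincipalName, sAMAccountName)

    if ($holders.Count -gt 1) {
        Write-Warning "$spn is held by multiple objects; Kerberos fails until only one remains:"
        $holders | ForEach-Object { Write-Warning "  $($_.DistinguishedName)" }
        continue
    }

    if ($holders.Count -eq 1 -and $holders[0].sAMAccountName -ne $wantedAccount) {
        Write-Warning "$spn is registered to $($holders[0].sAMAccountName), not $wantedAccount. Use a separate DNS alias for this application."
        continue
    }

    if ($holders.Count -eq 1) {
        Write-Host "$spn is already registered to $wantedAccount; nothing to do."
        continue
    }

    # setspn -S checks for duplicates again before adding (unlike -A).
    & setspn -S $spn "$domainNetbios\$wantedAccount"
}

# Final sanity check: list any duplicate SPNs anywhere in the forest.
& setspn -X
```

Run it from an elevated PowerShell session on a machine that has both RSAT and setspn; warnings indicate an SPN that must be resolved manually before Kerberos will work.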