Configure the Service Principal Name
To add a service principal name (SPN) to the service account under which your Keyfactor SCEP server runs, so that it supports Kerberos authentication:
- On a server that has the setspn command available (typically it is available on domain controllers, as it installs as part of the Active Directory Domain Services role), open a command prompt using the “Run as administrator” option.
- Run the following command (where scepserver.keyexample.com is the fully qualified domain name of your Keyfactor SCEP server or the DNS alias you are using to reference your Keyfactor SCEP server, if applicable, and KEYEXAMPLE\svc_scep is the domain name and service account name of the service account under which the Keyfactor SCEP application pool is running):
setspn -s HTTP/scepserver.keyexample.com KEYEXAMPLE\svc_scep
Important: If you are running the Keyfactor SCEP server on the Keyfactor Command server, wish to configure Kerberos authentication for both, and have chosen to run the two application pools with different service accounts, you will need to use a DNS alias to reference one or the other of these applications (or both) so that you can set the SPNs separately for the different service accounts. Setting the same SPN (e.g. HTTP/keyfactorserver.keyexample.com) on two different service accounts (e.g. KEYEXAMPLE\svc_keyfactorpool and KEYEXAMPLE\svc_scep) is not supported.
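The following PowerShell sketch is an added example, not part of the Keyfactor documentation. It checks whether the SPN is already held by a different account (the unsupported case described above) before registering it, then lists the result. It assumes the ActiveDirectory PowerShell module (RSAT) is installed, that the session has rights to modify the service account, and it uses the sample names from this page.

```powershell
# Added example. Values are the sample names used on this page; replace with your own.
$Spn     = 'HTTP/scepserver.keyexample.com'
$Account = 'KEYEXAMPLE\svc_scep'
$Sam     = $Account.Split('\')[-1]      # svc_scep

# Assumption: the RSAT ActiveDirectory module is available on this machine.
Import-Module ActiveDirectory

# Find every directory object that already carries this exact SPN.
$holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" `
                          -Properties sAMAccountName)

# Any holder other than the intended service account is a conflict:
# the same SPN on two different accounts is not supported.
$conflicts = @($holders | Where-Object { $_.sAMAccountName -ne $Sam })
if ($conflicts.Count -gt 0) {
    foreach ($c in $conflicts) {
        Write-Warning "SPN $Spn is already set on $($c.sAMAccountName)"
    }
    throw "Resolve the conflict (for example with a DNS alias) before registering $Spn."
}

if ($holders.Count -eq 0) {
    # -s verifies that no duplicate exists in the domain before adding the SPN.
    setspn -s $Spn $Account
    if ($LASTEXITCODE -ne 0) {
        throw "setspn failed with exit code $LASTEXITCODE"
    }
} else {
    Write-Host "SPN $Spn is already registered to $Account; nothing to add."
}

# List the SPNs now registered on the service account to confirm the result.
setspn -l $Account
```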