Using multiple Service Principal Names (SPNs) with Proxy authentication enhances security, flexibility, and scalability in complex environments. It ensures that Proxy service can handle authentication with different services across multiple domains while providing seamless Single Sign-On (SSO) and ensuring compliance with security policies.
This feature is available with Artica 4.50 Service Pack 1 or Artica v4.50 Hotfix 20241222-14
By default when you join an Artica server to Active Directory by kerberos, it will create a kerberos account with only one Service Principal Name (SPN) based on the Artica server hostname, example:
Account: PROXY01$@DOMAIN.TLD
SPN: HTTP/proxy01.domain.tls@DOMAIN.TLD
But, is some cases, like VIP interface, you may need to create multiple SPN's to share across all the server in the VIP interface.
.png)
¶ Add multiple SPN's
- In Active Directory menu select Kerberos Authentication
- In Additional SPN's field, add all the
Additional Service Principal Names, each SPN must be separated by comma.
¶ Verify the Kerberos ticket
To verify if the Kerberos ticket was correctly configured with the additional Service Principal Names
- In Active Directory menu select Status
- On Status page click Analyze
- On info popup you should see all the SPN's inside the ticket
¶ Troubleshooting
- Users get authentication popup when using the SPN hostname inside Proxy Settings.
- Sometimes the new SPN is not replicated on the fly across the Active Directory, try logoff the user account and logon again.
- If the solution above not work, verify if the SPN was correctly created, open command line and execute
setspn -L <PROXY_SERVER_HOSTNAME>
Example:
C:\Users\Administrator>setspn -L proxy01
Registered ServicePrincipalNames for CN=PROXY01,CN=Computers,DC=articatech,DC=lab:
HTTP/proxy-vip.articatech.lab
HTTP/
HTTP/proxy01.articatech.lab
HOST/proxy01.articatech.lab
HOST/PROXY01
- If you can't see the SPN inside the list, create one manually.
Setspn -s http/<computer-name>.<domain-name> <domain-user-computer-account>
Example:
C:\Users\Administrator>Setspn -s http/proxy2-vip.articatech.lab proxy01
Checking domain DC=articatech,DC=lab
Registering ServicePrincipalNames for CN=PROXY01,CN=Computers,DC=articatech,DC=lab
http/proxy2-vip.articatech.lab
Updated object
Veriry again if the SPN exist
C:\Users\Administrator>setspn -L proxy01
Registered ServicePrincipalNames for CN=PROXY01,CN=Computers,DC=articatech,DC=lab:
http/proxy2-vip.articatech.lab
HTTP/proxy-vip.articatech.lab
HTTP/
HTTP/proxy01.articatech.lab
HOST/proxy01.articatech.lab
HOST/PROXY01