Out of support: This documentation supports the 8.1 version of BMC Atrium Single Sign-On, which is in "End of Version Support." However, the documentation is available for your convenience.

Mapping the Kerberos service name


The setspn.exe utility manipulates SPNs within Active Directory. Depending on the network configuration and on whether the server runs in High Availability (HA) mode behind a load balancer, multiple SPNs might need to be mapped to the BMC Atrium SSO identity. See the Microsoft documentation for more information.

To add a new SPN for mapping

  1. Map additional service principal names (SPNs) to the Kerberos identity using setspn.exe.

     

    setspn.exe -S <serviceclass>/<host>[:<port>] <account name>

     

    In this example, the following definitions apply:

    • <serviceclass> is the service class; for the BMC Atrium SSO SPN, it is always HTTP.
    • <host> is the FQDN of the host on which the BMC Atrium SSO server is running.
    • <port> is the port that BMC Atrium SSO is using.
    • <account name> is the name of the user identity for the BMC Atrium SSO service.

       

      Example
      setspn.exe -S HTTP/sample-host.bmc.com atriumssoservice

       


  2. To check for duplicate SPNs, use the following command syntax:

     

    setspn.exe -X

     

    On a large Active Directory database, this command uses a large amount of memory for the scan.

  3. Copy the generated keytab file to the BMC Atrium Single Sign-On server host.

setspn.exe command example

The following example maps the "HTTP/sample-host.bmc.com" SPN to the user identity atriumsso. An additional SPN should also be mapped using just the host name. In other words, the following setspn command should also be run:

 

C:\>setspn.exe -S HTTP/sample-host atriumsso

 

 

Note
In HA mode behind a load balancer, the name of the load balancer must be used instead of the name of the BMC Atrium Single Sign-On server.

 

A delay occurs in Active Directory when changes to identities are made. When the mapping SPNs are altered, pushing the mappings out to the affected systems can take about 15 minutes. This delay means that it will take some time after the identity SPNs are updated before a login test can be performed.
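
The following PowerShell function is an added example, not BMC or Microsoft code. It looks up only the SPNs this procedure needs (FQDN and bare host name, service class HTTP) instead of scanning the whole directory with setspn.exe -X, and prints the setspn.exe -S commands that still have to be run. The names Get-SpnPlan and FindOwners and the account oldsvc are hypothetical; the default lookup assumes a domain-joined host and searches the current domain only.

```powershell
# Added example, not BMC code. Read-only: prints setspn.exe commands, never runs them.
function Get-SpnPlan {                               # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$HostFqdn,     # server FQDN; in HA mode, the load balancer FQDN
        [Parameter(Mandatory)][string]$Account,      # sAMAccountName of the BMC Atrium SSO identity
        [int]$Port = 0,                              # 0 omits the optional :<port> part
        # Lookup returning the sAMAccountName of every object that already holds the SPN.
        [scriptblock]$FindOwners = {
            param($spn)
            $searcher = [adsisearcher]"(servicePrincipalName=$spn)"
            [void]$searcher.PropertiesToLoad.Add('samaccountname')
            $searcher.FindAll() | ForEach-Object { [string]$_.Properties['samaccountname'][0] }
        }
    )
    # Accept only a plain DNS name, so nothing else can reach the LDAP filter.
    if ($HostFqdn -notmatch '^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*$') {
        throw "Invalid host name: $HostFqdn"
    }
    $suffix = if ($Port -gt 0) { ":$Port" } else { '' }
    # The page maps both the FQDN and the bare host name; the service class is always HTTP.
    $names = @($HostFqdn, $HostFqdn.Split('.')[0]) | Select-Object -Unique

    foreach ($name in $names) {
        $spn    = "HTTP/$name$suffix"
        $owners = @(& $FindOwners $spn | Where-Object { $_ })
        $others = @($owners | Where-Object { $_ -ne $Account })   # -ne ignores case
        $status = if ($others.Count) { 'Conflict' } elseif ($owners.Count) { 'Present' } else { 'Missing' }
        [pscustomobject]@{
            Spn     = $spn
            Status  = $status        # Conflict: resolve the other owner before mapping
            Owners  = $owners -join ','
            Command = if ($status -eq 'Missing') { "setspn.exe -S $spn $Account" } else { $null }
        }
    }
}

# Constructed directory contents for an offline run: the short name is held by another account.
$sample = @{ 'HTTP/sample-host.bmc.com' = @('atriumsso'); 'HTTP/sample-host' = @('oldsvc') }
Get-SpnPlan -HostFqdn 'sample-host.bmc.com' -Account 'atriumsso' `
    -FindOwners { param($spn) $sample[$spn] } | Format-Table -AutoSize
```

Omit -FindOwners to query Active Directory itself. A Conflict row means the SPN is already registered to a different account and has to be cleaned up before the mapping is added.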

 
