Mapping the Kerberos service name
The setspn utility allows manipulation of SPNs within Active Directory. Multiple SPNs might need to be mapped to the BMC Atrium SSO identity, depending upon the network configuration and whether running in High Availability (HA) mode behind a load balancer. See the Microsoft documentation for more information.
Get a list of mapped SPNs
Before adding anything, list the SPNs already registered to the target account with setspn, so that you know which mappings exist and do not register one that is already held by another account.
To add a new SPN for mapping
Map additional service principal names (SPNs) to the Kerberos identity using setspn.
Map additional service principal names (SPNs) to the Kerberos identity using setspn:
<directoryname>:setspn -S <serviceclass>/<host>[:<port>] <account name>
The -S option checks the directory for an existing registration of the SPN and refuses to add a duplicate; a duplicate SPN (the same name on two accounts) causes Kerberos authentication to fail because the KDC cannot determine which account key to use. In this syntax, the following definitions apply:
- <serviceclass> for a BMC Atrium Single Sign-On SPN is always HTTP.
- <host> is the FQDN of the host on which the BMC Atrium Single Sign-On server is running.
- <port> is the port that BMC Atrium Single Sign-On is using. The port is optional, and browsers normally build the SPN from the URL host name without the port, so the form without the port must be registered as well.
- <account name> is the name of the user identity for the BMC Atrium Single Sign-On service.
To check for duplicate SPNs, use the following command syntax:
<directoryname>:setspn -X
This command scans the whole directory and uses a large amount of memory on a large Active Directory database.
- Copy the generated keytab file to the BMC Atrium Single Sign-On server host.
setspn command example
The following example maps the "HTTP/sample-host.bmc.com" SPN to the user identity atriumsso. An additional SPN using just the host name (HTTP/sample-host) should also be mapped to the same identity, so both SPNs must be registered with the setspn command.
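The whole procedure as a PowerShell script, added here as an example that is not part of the BMC documentation: it lists the SPNs already held by the service account, registers the FQDN, FQDN-with-port and short-name forms with setspn -S so that duplicates are refused, and finishes with a duplicate scan. The account name atriumsso and host sample-host.bmc.com are taken from the example above; the port 8443 and the exact wording of setspn's "Duplicate SPN found" message are assumptions.

```powershell
# Added example, not BMC's own tooling. Assumed values: service account
# "atriumsso", host "sample-host.bmc.com", port 8443.
$Account = 'atriumsso'
$Fqdn    = 'sample-host.bmc.com'
$Short   = ($Fqdn -split '\.')[0]        # "sample-host"
$Port    = 8443

# SPNs to register. Browsers normally request HTTP/<host> without a port,
# so the port-less FQDN and short-name forms are the ones logins depend on;
# the port form is added for clients that include it.
$Spns = @("HTTP/$Fqdn", "HTTP/$Short", "HTTP/${Fqdn}:$Port")

# 1. Show what is already registered to the account (setspn -L).
Write-Host "SPNs currently registered to ${Account}:"
setspn -L $Account

# 2. Register each SPN with -S, which checks for an existing registration
#    first. A duplicate on another account would break Kerberos logins,
#    so treat that as an error rather than falling back to -A.
foreach ($spn in $Spns) {
    $out = setspn -S $spn $Account 2>&1
    $text = ($out | Out-String)
    # Message text is an assumption about setspn's output wording.
    if ($LASTEXITCODE -ne 0 -or $text -match 'Duplicate SPN found') {
        throw "Could not register $spn for ${Account}:`n$text"
    }
    Write-Host "Registered $spn -> $Account"
}

# 3. Confirm the mappings now held by the account.
setspn -L $Account

# 4. Domain-wide duplicate scan. Expect "found 0 group of duplicate SPNs";
#    any reported group must be cleaned up (setspn -D <spn> <wrong account>)
#    before testing. This scan is memory-hungry on a large directory.
setspn -X

Write-Host 'Allow about 15 minutes for Active Directory replication before testing a Kerberos login.'
```

Run the script from a domain-joined machine as an account with write access to the service account's servicePrincipalName attribute (a domain administrator, or a delegated account). Because step 2 throws on the first failure, a partially applied run can be re-executed safely: setspn -S reports an SPN already held by the same account without changing anything.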
Active Directory replicates identity changes between domain controllers with a delay. When the SPN mappings are altered, it can take about 15 minutes for the new mappings to reach all affected systems, so allow that time after updating the identity's SPNs before performing a login test; a test that fails immediately after the change may only be seeing a domain controller that has not yet replicated.