12.1. Service Principal Name

The first change to your Active Directory® configuration is the addition of a Service Principal Name (SPN) to the computer object of the computer where the IDERI note service is installed. Kerberos can only be used as the authentication protocol if this SPN exists, because a client requests a Kerberos service ticket by SPN; without it, authentication falls back to NTLM. Kerberos should always be preferred over NTLM: NTLM only authenticates the client to the server, whereas Kerberos provides mutual authentication, so the client also verifies that it is talking to the genuine service. In AD, the SPN registration shows up as additional values of the servicePrincipalName attribute of the computer object, as in figure 12.1, which shows the SPNs of the tutorial environment from section 4.

Figure 12.1: SPN additions to the computer object in AD

The servicePrincipalName attribute receives two new strings of the form INoteSvcSpn/<computername>: one with <computername> being the NetBIOS name of the computer and one with its fully qualified DNS name. Both SPNs are removed again should you decide to uninstall the IDERI note service from this computer.

If you enforce the use of Kerberos on clients with the “KerberosOnly” registry value (see section 10.1) and clients refuse to connect to their server, check first that both SPNs exist on the computer object of the server. If they are missing, you can recreate them with the inotesvc.exe command line parameter -regspn (see section 9.2).
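The following PowerShell script is an added example for the check described above; it is not part of the IDERI note documentation or product. It reads the servicePrincipalName attribute of the server's computer object, verifies that both expected INoteSvcSpn/ values are present, and additionally queries the forest with setspn -Q to make sure no other account holds the same SPN (a duplicate SPN is a common reason for Kerberos failing even though the SPN "exists"). It assumes the RSAT ActiveDirectory module is installed, that the caller has read access to AD, and that INOTESRV is a placeholder for the name of your IDERI note server.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not IDERI code): verify the IDERI note SPNs of a server.
# Assumptions: RSAT ActiveDirectory module present, read access to AD,
# setspn.exe available (ships with Windows Server / RSAT).

function Test-INoteSpn {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$ComputerName   # NetBIOS name of the IDERI note server
    )

    $computer = Get-ADComputer -Identity $ComputerName -Properties ServicePrincipalNames
    $netbios  = $computer.Name          # e.g. INOTESRV
    $fqdn     = $computer.DNSHostName   # e.g. inotesrv.example.local

    # The two values the service registers (section 12.1): NetBIOS and DNS form.
    $expected = @("INoteSvcSpn/$netbios", "INoteSvcSpn/$fqdn")

    foreach ($spn in $expected) {
        # -contains compares case-insensitively, which matches how SPNs are resolved.
        $onObject = $computer.ServicePrincipalNames -contains $spn

        # setspn -Q searches the forest and prints the DN of every account
        # that holds the SPN; more than one holder means the KDC cannot
        # decide which account key to use and ticket requests fail.
        $holders = @(& setspn.exe -Q $spn 2>&1 | Where-Object { $_ -match '^CN=' })

        [pscustomobject]@{
            SPN               = $spn
            OnComputerObject  = $onObject
            AccountsHoldingIt = $holders.Count
            Holders           = ($holders -join '; ')
            Status            = if (-not $onObject)      { 'MISSING: run inotesvc.exe -regspn (section 9.2)' }
                                elseif ($holders.Count -gt 1) { 'DUPLICATE: remove the SPN from the other account(s)' }
                                else                          { 'OK' }
        }
    }
}

# Usage (INOTESRV is a placeholder for your server's NetBIOS name):
Test-INoteSpn -ComputerName 'INOTESRV' | Format-Table -AutoSize
```

Run the script as a user who can read the computer object. A row with OnComputerObject = False is exactly the situation the text describes and is fixed with inotesvc.exe -regspn; a row with AccountsHoldingIt greater than 1 points at a second account that also registered INoteSvcSpn/ for this host and must be cleaned up before Kerberos will work. After the SPNs are correct, a quick end-to-end check on a client is `klist`, which lists the cached tickets: a ticket whose Server is INoteSvcSpn/<computername>@<REALM> confirms that the client obtained a Kerberos service ticket rather than falling back to NTLM.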