Set Up a Service Account for the Gateway

When setting up the API Gateway for Kerberos token-based authentication, you first created a service user account in the Active Directory. The next step is to set up a service account for the Gateway. This procedure involves:
Step 1: Set Up Service Account in Active Directory
  1. Log in to the domain controller and create a user account that is used to create a keytab file for the Gateway. For example: "sp_keytab".
  2. Open the Properties for the user account just created.
  3. In the Delegation tab, select these options:
    • Trust this user for delegation to specified services only
    • Use any authentication protocol
    These settings allow different authentication protocols on the front end, and Kerberos Delegation on the back end for Windows Integrated Security.
  4. Populate the table under "Services to which this account can present delegated credentials" as follows:
    1. Click Add... to open the Add Services dialog.
    2. Click Users or Computers.
    3. Enter the service user account name that was created in Set Up Service Account for Target Service (example: "sp_services"). Click Check Names to verify.
    4. Click OK to return to the Add Services dialog box.
  5. Select the appropriate Service Principal Name (SPN) from the available services list, and then click OK to return to the Properties dialog.
  6. Select the Expanded check box. This displays all the related SPNs.
  7. Click OK to close the Properties.
Step 2: Assign Service Principal Names to Gateway Service Account
  1. Log in to the domain controller or to some other server that is joined to the domain. Ensure that the Windows Resources Tool Kit is installed.
  2. Open a command prompt (run as Administrator if necessary).
  3. Run the following command to assign an SPN (Service Principal Name) to the service account (created in Step 1: Set Up Service Account in Active Directory).
    setspn -A HTTP/<Gateway_host> <SPN>\<User_account>
    Where:
    • <Gateway_host> is the API Gateway host name
    • <SPN> is the Service Principal Name
    • <User_account> is the user account that is created in Step 1: Set Up Service Account in Active Directory.
    Example:
    setspn -A HTTP/mysite.kworld.mycompany.com mycompany\sp_keytab
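After completing Step 1 and Step 2, the following PowerShell script verifies the result from the domain side: the SPN is registered on the account and on no other account, constrained delegation targets are populated, protocol transition is enabled, and unconstrained delegation is not. This is an added example, not part of the original documentation; it assumes the ActiveDirectory module (RSAT) and setspn.exe are available, and uses the example names from this page ("sp_keytab" and HTTP/mysite.kworld.mycompany.com) as defaults.

```powershell
# Added verification script (not from the original documentation).
# Assumes: ActiveDirectory PowerShell module and setspn.exe are installed.
function Test-GatewayServiceAccount {
    param(
        [string]$Account     = 'sp_keytab',                        # account from Step 1
        [string]$ExpectedSpn = 'HTTP/mysite.kworld.mycompany.com'  # SPN from Step 2
    )
    $u = Get-ADUser -Identity $Account -Properties servicePrincipalName,
            'msDS-AllowedToDelegateTo', TrustedToAuthForDelegation, userAccountControl

    # Step 2 check: the SPN must be present on this account.
    $spnRegistered = [bool]($u.servicePrincipalName -contains $ExpectedSpn)

    # An SPN registered on two accounts breaks Kerberos (the KDC cannot choose a key);
    # "setspn -X -F" lists duplicate SPNs forest-wide.
    $dupOutput = setspn -X -F 2>&1 | Out-String
    $spnDuplicated = $dupOutput -match [regex]::Escape($ExpectedSpn)

    # Step 1 check: "Trust this user for delegation to specified services only"
    # populates msDS-AllowedToDelegateTo with the target service SPN(s).
    $targets = @($u.'msDS-AllowedToDelegateTo')

    # Step 1 check: "Use any authentication protocol" sets TrustedToAuthForDelegation
    # (protocol transition). Unconstrained delegation (UAC flag 0x80000) should not be set.
    $protocolTransition = [bool]$u.TrustedToAuthForDelegation
    $unconstrained = [bool]($u.userAccountControl -band 0x80000)

    [pscustomobject]@{
        Account            = $Account
        SpnRegistered      = $spnRegistered
        SpnDuplicated      = $spnDuplicated
        DelegationTargets  = $targets
        ProtocolTransition = $protocolTransition
        Unconstrained      = $unconstrained
        Ok = $spnRegistered -and -not $spnDuplicated -and $targets.Count -gt 0 -and
             $protocolTransition -and -not $unconstrained
    }
}

Test-GatewayServiceAccount | Format-List
```

A result with Ok = False points at the step to revisit: SpnRegistered False means Step 2 was not run (or ran against another account), SpnDuplicated True means the same SPN exists on a second account and must be removed there, and an empty DelegationTargets or ProtocolTransition False means the Delegation tab settings in Step 1 did not take effect.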