Set Up Service Account for Target Service

When configuring your API Gateway to work with Kerberos token-based authentication, the first step is to set up a service account for the target service (on the IIS Web Site). This involves:
Step 1: Set Up Service Account in Active Directory
Log in to the domain controller and create a user account under whose identity the service (IIS Web Site) will run, for example "sp_services".
Step 2: Assign Service Principal Names to Service Account
  1. Log in to the domain controller or to some other server that is joined to the domain. Ensure that the Windows Resources Tool Kit is installed.
  2. Open a command prompt (run as Administrator if necessary).
  3. Run the following command to assign an SPN (Service Principal Name) to the service account (created in Step 1: Set Up Service Account in Active Directory).
    setspn -A HTTP/<Gateway_host> <SPN>\<User_account>
    Where:
    • <Gateway_host> is the API Gateway host name
    • <SPN> is the Service Principal Name
    • <User_account> is the user account that is created in Step 1: Set Up Service Account in Active Directory.
    Example:
    setspn -A HTTP/mysite.kworld.mycompany.com mycompany\sp_services
  4. Verify the SPN with this command:
    setspn -L <SPN>\<User_account>
    Example:
    setspn -L mycompany\sp_services
Step 3: Configure Target Service to Use the Service Account
  1. Log in to the web server and open the IIS Manager.
  2. Locate the IIS App Pool under which the target service is running.
  3. Configure the IIS App Pool identity to run under the service account that was created in Step 1: Set Up Service Account in Active Directory. This allows Windows Integrated Authentication.
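
The three steps above as a PowerShell sketch with a duplicate-SPN check before registration. This is an added example, not part of the original documentation. It assumes the ActiveDirectory and WebAdministration modules are installed, uses setspn -S in place of -A so that setspn performs its own duplicate check, and uses a hypothetical app pool name (TargetServicePool).

```powershell
# Added example. Account, domain and SPN are the page's example values;
# the app pool name is an assumed placeholder.
$Domain      = 'mycompany'
$Account     = 'sp_services'
$Spn         = 'HTTP/mysite.kworld.mycompany.com'
$AppPoolName = 'TargetServicePool'   # assumption: not named on the page

function Register-ServiceSpn {
    # Steps 1 and 2: run on the domain controller or a domain-joined host.
    param([Parameter(Mandatory)][securestring]$Password)
    Import-Module ActiveDirectory
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$Account'")) {
        New-ADUser -Name $Account -SamAccountName $Account `
            -AccountPassword $Password -Enabled $true
    }
    # An SPN must map to exactly one account; a duplicate makes Kerberos
    # authentication to the service fail. Look for other holders first.
    $holders = @(Get-ADObject -Filter "servicePrincipalName -eq '$Spn'" `
                     -Properties sAMAccountName)
    $others  = @($holders | Where-Object { $_.sAMAccountName -ne $Account })
    if ($others) {
        throw "SPN $Spn is already on: $($others.DistinguishedName -join '; ')"
    }
    if (-not $holders) {
        # -S adds the SPN only after setspn's own duplicate check passes.
        setspn -S $Spn "$Domain\$Account"
    }
    setspn -L "$Domain\$Account"     # Step 2, item 4: list SPNs to verify
}

function Set-AppPoolServiceIdentity {
    # Step 3: run on the web server that hosts the target service.
    param([Parameter(Mandatory)][pscredential]$Credential)
    Import-Module WebAdministration
    Set-ItemProperty "IIS:\AppPools\$AppPoolName" -Name processModel -Value @{
        identityType = 3             # 3 = SpecificUser
        userName     = $Credential.UserName
        password     = $Credential.GetNetworkCredential().Password
    }
    Restart-WebAppPool -Name $AppPoolName
    (Get-Item "IIS:\AppPools\$AppPoolName").processModel.userName
}

# Usage (prompts for the password instead of embedding it in the script):
# Register-ServiceSpn -Password (Read-Host 'Password' -AsSecureString)
# Set-AppPoolServiceIdentity -Credential (Get-Credential "$Domain\$Account")
```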