Trusted for delegation and Service Principal Names

First published: 2018 (cf)
Last update: 07 December 2022 (cf)

This is an overview of the Windows Active Directory features Service Principal Name and Trusted for Delegation. It clarifies the background of these two features, the difference between them, and why they are needed in a Fabasoft Folio environment.

Service Principal Name

A Service Principal Name (SPN) in a Windows Active Directory environment assigns the right to host a service class (for example HTTP) on a defined hostname in the network. Service Principal Names are required for successful Kerberos authentication.

Defining an SPN for the Fabasoft Folio Web service user means that the Web service user gets permission from Active Directory to host a web service under the assigned hostname.

For example:

A user tries to access the Fabasoft Folio Web service under http://folio.mydomain.com/fsc.

The Folio Web service, in our example running under the AD user mydomain\folioweb, requests Kerberos verification for the user at the AD domain controller. If no SPN is set, AD will deny the authentication request, because the Web service user folioweb itself has no permission to host a web service on the server (hostname) folio.mydomain.com.

To permit hosting the web service, an SPN has to be set for the user folioweb, with hostname folio.mydomain.com.

Find detailed information about setting SPNs in the KB articles

Summary:

  • Set a Service Principal Name on the service user for every hostname that users should access.
  • At a minimum, this is necessary for the hostname of the Load Balancer that users access, or (if no Load Balancer is in use) for the hostnames of the web servers that users access directly.
  • SPNs are also required to access the Mindbreeze Client Web service.
  • For easier administration, we recommend setting SPNs for every web service and conversion service, both for the short hostname and for the fully qualified domain name (FQDN).
  • The same hostname must not be set as an SPN on different users. If an SPN is duplicated, Active Directory (Kerberos) will block all authentication requests to that hostname.

Trusted for delegation

The Trusted for Delegation right on a user account in Active Directory enables that service user to act as any user that has authenticated against the service.

For example:

You have set Trusted for Delegation on the Fabasoft Folio Web service user mydomain\folioweb (this is not recommended!).

If a user mydomain\huber uploads a file to the Fabasoft Folio Webclient, the Fabasoft Folio Web service can use the user’s context to temporarily save the file in the DOCDIR directory before it is uploaded to the Backend servers. This file is created with mydomain\huber as its owner. If Mister Huber has no permission to create a file in the DOCDIR directory, the Fabasoft Folio Web service will fail.

Without Trusted for Delegation the file will be stored in the context of the Folio Web service user mydomain\folioweb. Only that user needs permission to the DOCDIR directory.

Summary:

  • Fabasoft Folio Web services do not need the Trusted for Delegation permission.
  • Optionally (and normally not used by our customers), it is possible to use Kerberos authentication between Folio Web services and Folio Conversion services - in that case, Trusted for Delegation needs to be set on the Conversion service user. Without this permission, Basic Authentication is used between Web and Conversion services. See the Folio Installation White Paper for details on enabling Kerberos authentication.
  • For a Mindbreeze Client Web service, Trusted for Delegation is required and is set during the Mindbreeze Setup. See the Mindbreeze Installation White Paper for details.
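The following PowerShell script is an added example, not part of this KB article or of the Fabasoft product: it audits the two settings described above for the Web service user, checking that each HTTP/<hostname> SPN is held by exactly one account (a duplicate SPN breaks Kerberos authentication for that hostname) and reporting whether the user is Trusted for Delegation, which Folio Web services do not need. It assumes the ActiveDirectory module (RSAT) is installed and uses the article's example names (mydomain, folioweb, folio.mydomain.com); adjust them for your environment.

```powershell
# Added example (not from the Fabasoft KB article): audit SPN and delegation
# settings of the Folio Web service user. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

$ServiceUser = 'folioweb'                        # sAMAccountName of the Web service user (article example)
$Hostnames   = @('folio', 'folio.mydomain.com')  # short name and FQDN of the Load Balancer (article example)

# 1. For each HTTP/<host> SPN, list every account (user or computer) that carries it.
#    Zero holders means no Kerberos logon is possible for that host; more than one
#    holder is a duplicate SPN, which makes the domain controller reject all requests.
foreach ($h in $Hostnames) {
    $spn = "HTTP/$h"
    $holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties sAMAccountName |
                 Select-Object -ExpandProperty sAMAccountName)
    switch ($holders.Count) {
        0 { Write-Warning "$spn is not registered; Kerberos authentication to $h will fail" }
        1 {
            if ($holders[0] -eq $ServiceUser) { Write-Host "$spn -> $($holders[0]) (OK)" }
            else { Write-Warning "$spn is registered to $($holders[0]), not to $ServiceUser" }
        }
        default { Write-Warning "$spn is DUPLICATED on: $($holders -join ', ')" }
    }
}

# 2. Trusted for Delegation is not required on a Folio Web service user; flag it if set.
$u = Get-ADUser -Identity $ServiceUser -Properties TrustedForDelegation, ServicePrincipalNames
if ($u.TrustedForDelegation) {
    Write-Warning "$ServiceUser is Trusted for Delegation; not needed for Folio Web services"
} else {
    Write-Host "$ServiceUser is not Trusted for Delegation (expected)"
}
Write-Host "SPNs currently registered on ${ServiceUser}:"
$u.ServicePrincipalNames | ForEach-Object { Write-Host "  $_" }
```

To register a missing SPN, `setspn -S HTTP/folio.mydomain.com mydomain\folioweb` is preferable to `-A`, because `-S` first checks the forest and refuses to create a duplicate.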
