Last update: 11 January 2021 (cf)
If you connect to the URL of your Fabasoft Folio webserver from a remote client, you might get login prompts and "401.2 Access denied" messages. This is usually caused by a missing SPN for the webservice user.
This article describes how to set a SPN for your webservice user.
To fix this behaviour, you have to set SPNs for your webservice user.
Creating Service Principal Names (SPN) under Windows
List current SPNs for a given user:
setspn.exe -l domain\user
This will display all SPN for the given user. In a Fabasoft Folio environment the user is that user that runs the Fabasoft Folio webservice. A user can have multiple SPNs set to host multiple webservers or hostnames.
Add a new SPN for a webserver:
setspn.exe -a http/hostname.domain.com domain\user
setspn.exe -a http/hostname domain\user
and are the hostname and the full qualified hostname of the server. is the user that runs your Fabasoft Folio webservice.
We recommend to always set the SPN for the (short) hostname and the (long) full qualified domain name. To access the web interface of the conversion servers, SPNs need to be set too.
Note: If you use a load balancer in your environment, it is nesessary to also set a SPN for the URL of your load balancer.
If you are not able/allowed to set the SPNs in Active Directory, there are two workarounds:
Note: Fabasoft recommends not to use these workarounds, if the SPNs can be set. Use these workarounds only temporarily.
In a Microsoft Windows environment, the Fabasoft Folio Web services run with a specified domain user (webservice user). In Active Directory, the web service user needs to have permissions to run a service (in this case http) in the domain. This permission is set by the SPN. Also, other applications need to have set SPN, for example Microsoft SQL Server.
If the SPN is not set and the webserver requests the clearence of the user login at the AD controller, the AD controller deny the clearence request because the webservice user is not allowed to run a webservice (SPN missing). Hence the failed clearence, the user gets an access denied error message.