First published: 2018 (cf)
Last update: 07 December 2022 (cf)
This is an overview of the Windows Active Directory features Service Principal Name and Trusted for Delegation, to clarify the background of and difference between these features, and why they are needed in a Fabasoft Folio environment.
A Service Principal Name (SPN) in a Windows Active Directory environment grants an account the right to host a service class (for example HTTP) on a defined hostname in the network. Service Principal Names are required for successful Kerberos authentication.
Defining an SPN for the Fabasoft Folio Web service user means that the Web service user gets permission from Active Directory to host a web service under the assigned hostname.
For example:
A user tries to access the Fabasoft Folio Web service under http://folio.mydomain.com/fsc.
The Folio Web service, running in our example under the AD user mydomain\folioweb, requests Kerberos verification of the user from the AD domain controller. If no SPN is set, AD will deny the authentication request, because the Web service user folioweb itself has no permission to host a web service on the server (hostname) folio.mydomain.com.
To permit hosting the web service, an SPN has to be set for the user folioweb with the hostname folio.mydomain.com.
Find detailed information about setting SPNs in the KB articles
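The following PowerShell session, added here as an example and not taken from the Fabasoft KB article, registers and verifies the SPN for the example above. It uses the article's example values (mydomain\folioweb, folio.mydomain.com, service class HTTP) and assumes a domain-joined machine where the setspn tool and the RSAT ActiveDirectory module are available and the caller has the rights to modify the account.

```powershell
# Added example, not from the Fabasoft KB article. Values are the article's example names.
$ServiceUser = 'mydomain\folioweb'
$Hostname    = 'folio.mydomain.com'
$Spn         = "HTTP/$Hostname"

# 1. Check whether any account in the domain already holds this SPN.
#    Duplicate SPNs break Kerberos for the service, so this must come back empty
#    or show only the intended account.
setspn -Q $Spn

# 2. Register the SPN for the Web service user. -S (instead of -A) refuses to add
#    the SPN if it is already registered to another account.
setspn -S $Spn $ServiceUser

# 3. List the SPNs now held by the account; HTTP/folio.mydomain.com must appear.
setspn -L $ServiceUser

# 4. The same view through the ActiveDirectory module, useful in a scripted check.
Import-Module ActiveDirectory
(Get-ADUser -Identity 'folioweb' -Properties servicePrincipalName).servicePrincipalName

# 5. Domain-wide duplicate check, worth running after any SPN change.
setspn -X

# 6. On a client that has just opened http://folio.mydomain.com/fsc, a Kerberos
#    service ticket for the SPN proves that Kerberos (not a fallback) was used.
klist | Select-String -Pattern 'HTTP/folio.mydomain.com'
```

Step 1 and step 5 are the checks that matter operationally: if the SPN is also present on the computer account or on another service account, Kerberos authentication to the Folio Web service fails even though the SPN "is set".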
Summary:
The Trusted for Delegation right on a user account in Active Directory enables that service user to act as any user that has authenticated against the service.
For example:
You have set Trusted for Delegation on the Fabasoft Folio Web service user mydomain\folioweb (this is not recommended!).
If a user mydomain\huber uploads a file to the Fabasoft Folio Webclient, the Fabasoft Folio Web service can use the user’s context to temporarily save the file in the DOCDIR directory before it is uploaded to the backend servers. This file is then created with the owner mydomain\huber. If Mr. Huber has no permission to create files in the DOCDIR directory, the Fabasoft Folio Web service will fail.
Without Trusted for Delegation, the file is stored in the context of the Folio Web service user mydomain\folioweb, so only that user needs permissions on the DOCDIR directory.
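Because the article advises against setting Trusted for Delegation on the Folio Web service user, the practical follow-up is to find out which accounts currently carry it. The following PowerShell, added here as an example and not part of the Fabasoft KB article, lists those accounts and clears the flag on the example user folioweb. It assumes the RSAT ActiveDirectory module and rights to read and modify the accounts.

```powershell
# Added example, not from the Fabasoft KB article.
Import-Module ActiveDirectory

# Trusted for Delegation (unconstrained delegation) is the TRUSTED_FOR_DELEGATION
# bit (0x80000) in userAccountControl; the AD module exposes it as TrustedForDelegation.
$delegatedUsers = Get-ADUser -Filter 'TrustedForDelegation -eq $true' `
    -Properties TrustedForDelegation, servicePrincipalName, DistinguishedName

$delegatedComputers = Get-ADComputer -Filter 'TrustedForDelegation -eq $true' `
    -Properties TrustedForDelegation, DistinguishedName

# Service accounts with SPNs and this flag are the ones to review: any user who
# authenticates to their service can be impersonated by that account.
$delegatedUsers | Select-Object SamAccountName,
    @{ Name = 'SPNs'; Expression = { $_.servicePrincipalName -join ';' } }

# Domain controllers carry the flag by design; everything else needs a justification.
$delegatedComputers |
    Where-Object { $_.DistinguishedName -notlike '*OU=Domain Controllers,*' } |
    Select-Object Name, DNSHostName

# Clear the flag on the Folio Web service user from the article's example.
# After this, uploads are written to DOCDIR as mydomain\folioweb, as described above.
Set-ADUser -Identity 'folioweb' -TrustedForDelegation $false
(Get-ADUser -Identity 'folioweb' -Properties TrustedForDelegation).TrustedForDelegation   # expected: False
```

Run the two queries on a schedule; a newly appearing entry outside the Domain Controllers OU is worth an alert, since the flag is rarely required for application service accounts.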
Summary: