Trusted for delegation and Service Principal Names

Last update: 4 August 2017

This is an overview of the Windows Active Directory features Service Principal Name and Trusted for Delegation. It clarifies the background of these features, the difference between them, and where each is needed in a Fabasoft Folio environment.

Service Principal Name

A Service Principal Name (SPN) in a Windows Active Directory environment assigns an account the right to host a service class (for example HTTP) on a defined hostname in the network. Service Principal Names are required for successful Kerberos authentication.

Defining an SPN for the Fabasoft Folio Webservice user means that the Webservice user gets permission from Active Directory to host a webservice under the assigned hostname.

For example:

A user tries to access the Fabasoft Folio Webservice under http://folio.mydomain.com/fsc.

The Folio Webservice, in our example running under the AD user mydomain\folioweb, requests Kerberos verification for the user at the AD domain controller. If no SPN is set, AD will deny the authentication request, because the Webservice user folioweb itself has no permission to host a webservice on the server (hostname) folio.mydomain.com.

To permit hosting the webservice, an SPN has to be set on the user folioweb, with hostname folio.mydomain.com.

Find detailed information about setting SPNs in the KB article

Set SPN to use Kerberos authentication

Summary:

  • Set a Service Principal Name on the service user for every hostname users should access.
  • This is necessary at least for the hostname of the Load Balancer users should access, or (if no Load Balancer is in use) for the hostnames of the webservers users should access directly.
  • To access the Mindbreeze Client Webservice, SPNs are also required.
  • For easier administration, we recommend setting SPNs for every webservice and conversion service, both for the hostname only and for the fully qualified domain name.
  • The same hostname must not be set as an SPN on different users. Active Directory (Kerberos) will block all authentication requests to these hostnames.
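The following PowerShell session is an added example, not code from the article or from Fabasoft: it registers the HTTP SPNs from the example above on the Webservice user, checks for duplicates first (the last summary point), and finishes with a forest-wide duplicate check. The hostnames folio.mydomain.com and folio and the account mydomain\folioweb are taken from the article; everything else is assumed.

```powershell
# Added example (not from the original article): register and verify SPNs for the
# Fabasoft Folio Webservice user. Hostnames and account name follow the article;
# run on a domain-joined machine with rights to write the account's servicePrincipalName.
$account   = 'mydomain\folioweb'
$hostnames = @('folio.mydomain.com', 'folio')   # FQDN and short hostname, as recommended above

foreach ($h in $hostnames) {
    $spn = "HTTP/$h"

    # setspn -Q looks the SPN up in the whole forest. If it is already registered on
    # another account, adding it again would create a duplicate and break Kerberos
    # for this hostname, so report it and skip instead.
    $existing = setspn -Q $spn
    if ($existing -match 'Existing SPN found') {
        Write-Warning "$spn is already registered:`n$($existing -join "`n")"
        continue
    }

    # setspn -S adds the SPN only after its own duplicate check (safer than -A).
    setspn -S $spn $account
}

# Show what is now registered on the account.
setspn -L $account

# Forest-wide duplicate SPN report. Any line listed here must be resolved, because
# Kerberos authentication to the affected hostnames fails while the duplicate exists.
setspn -X
```

If the Webservice is reached through a Load Balancer, the Load Balancer hostname belongs in `$hostnames` as well; per-webserver hostnames are only needed where users access those servers directly.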

Trusted for delegation

The Trusted for Delegation right on a user in Active Directory enables that service user to act as the user that has authenticated against the service.

For example:

You have set Trusted for Delegation on the Fabasoft Folio Webservice user mydomain\folioweb (this is not recommended!).

If a user mydomain\huber uploads a file to the Fabasoft Folio Webclient, the Fabasoft Folio Webservice can use the user's credentials to temporarily save the file in the DOCDIR directory before it is uploaded to the Backend servers. This file is created with owner mydomain\huber. If Mr. Huber has no permission to create a file in the DOCDIR directory, the Fabasoft Folio Webservice will fail.

Without Trusted for Delegation, the file is stored in the context of the Folio Webservice user mydomain\folioweb. Only that user needs permission on the DOCDIR directory.

Summary:

  • Fabasoft Folio Webservices do not need the Trusted for Delegation permission.
  • Optionally (and normally not used at our customers), Kerberos authentication can be used between Folio Webservices and Folio Conversionservices. In that case, Trusted for Delegation needs to be set on the Conversionservice user. Without this permission, Basic Authentication is used between Web- and Conversionservices. See the Folio Installation White Paper for details on enabling Kerberos authentication.
  • For a Mindbreeze Client Webservice, Trusted for Delegation is required and is set during the Mindbreeze Setup. See the Mindbreeze Installation White Paper for details.
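As an added example (not from the article or from Fabasoft), the following PowerShell script audits the delegation setting of the service accounts against the expected state from the summary above: the Webservice user must not be trusted for delegation, a Conversionservice user only when Kerberos is used towards it, and the Mindbreeze Client Webservice user is. The account name folioweb comes from the article; folioconv and mindbreeze-svc are placeholder names, and the ActiveDirectory module (RSAT) is assumed to be available.

```powershell
# Added example (not from the original article): audit which service accounts carry
# the Trusted for Delegation right and compare with the state the article expects.
# Account names other than folioweb are placeholders; adjust them to your environment.
Import-Module ActiveDirectory

$expected = @{
    'folioweb'       = $false   # Folio Webservice user: must NOT be trusted for delegation
    'folioconv'      = $false   # placeholder; $true only if Kerberos is used to the Conversionservice
    'mindbreeze-svc' = $true    # placeholder; set by the Mindbreeze Setup
}

$findings = foreach ($sam in $expected.Keys) {
    $u = Get-ADUser -Filter "sAMAccountName -eq '$sam'" `
                    -Properties TrustedForDelegation, servicePrincipalName
    if (-not $u) { Write-Warning "account $sam not found"; continue }

    [pscustomobject]@{
        Account    = $sam
        Delegation = $u.TrustedForDelegation          # the "Trusted for delegation" checkbox
        Expected   = $expected[$sam]
        Ok         = ($u.TrustedForDelegation -eq $expected[$sam])
        SPNs       = ($u.servicePrincipalName -join ', ')
    }
}

$findings | Format-Table -AutoSize

# Clear the right on accounts that should not have it (e.g. folioweb). Accounts that
# are expected to have it but lack it are only reported, since the Mindbreeze Setup
# and the Installation White Paper describe how that is configured.
$findings | Where-Object { -not $_.Ok -and -not $_.Expected } | ForEach-Object {
    Set-ADUser -Identity $_.Account -TrustedForDelegation $false
    Write-Host "Removed Trusted for Delegation from $($_.Account)"
}
```

The SPN column is included because both settings live on the same account: a service user with an SPN but without Trusted for Delegation is the normal, recommended state for Folio Webservices described above.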
