Configuration requirements for delegation support

Network resource access and password caching on the host, as described under Web Edition Connection Manager, require Windows delegation. The configuration requirements for delegation support are as follows:

  • Delegation requires the Kerberos authentication protocol and an Active Directory domain, both of which were introduced with Windows 2000. Host-side password caching and accessing shared folders using integrated Windows authentication are not supported from Windows NT 4.0 or Windows 98 client computers.
  • The Domain Name System (DNS) servers must support Service Location (SRV) resource records. It is also recommended that DNS servers provide support for DNS dynamic updates. Without the DNS dynamic update protocol, administrators must manually configure the records created by domain controllers and stored by DNS servers. The DNS service provided with Windows 2000 or later supports both of these requirements.
  • The computers hosting the FH Web Edition client, the FH Web Edition server, and any backend services, such as email or a database, must support Kerberos. Kerberos is supported by systems running Windows 2000 or later in a Windows 2000 or later Active Directory domain. FH Web Edition server is only supported on Windows 7 or later.
  • The client's user account must be one that the FH Web Edition Application Publishing Service is allowed to delegate.

    1. In the Active Directory Users and Computers Management Console, select the user and choose Action → Properties.
    2. Click the Account tab.
    3. Under Account options, scroll down and verify that Account is sensitive and cannot be delegated is cleared. This is the only per-user setting delegation needs.
    4. Leave Account is trusted for delegation cleared. That option authorizes the user's own account to delegate other users' credentials (unconstrained delegation); it is not required for the user to be delegated by the server, and enabling it on an ordinary user account widens that account's privileges. Also confirm that the user is not a member of the Protected Users group (Windows Server 2012 R2 and later), because members of that group cannot be delegated.

  • The FH Web Edition server's computer account must be trusted to delegate the user's credentials to other computers.

    1. In the Active Directory Users and Computers Management Console, select the computer.
    2. Choose Action → Properties.
    3. Enable Trust computer for delegation. In a Windows Server 2003 or later domain this option appears on the Delegation tab as Trust this computer for delegation to any service (Kerberos only).

      This is unconstrained delegation: once it is set, the server can obtain a Kerberos service ticket to any service in the domain on behalf of any user who authenticates to it. Treat the server as a high-value host and restrict who may log on to it and administer it.

      The FH Web Edition Application Publishing Service must be configured to run in the local system account for these delegation rights to apply, because a service running as Local System authenticates on the network as the computer account, which is the object the setting above is applied to.

      Note: After enabling Trust computer for delegation in Active Directory, the FH Web Edition server must be restarted in order for delegation to take effect.

  • The FH Web Edition Application Publishing Service must be able to register its Service Principal Name (SPN) in Active Directory. It attempts to do this every time the service starts, which relies on the computer account's default right to write to its own servicePrincipalName attribute. The setspn.exe utility (included with Windows Server 2008 and later, and available for earlier versions in the Microsoft Resource Kit or as a separate download from Microsoft) can be used to verify that the SPN is registered. The following command window shows output obtained from setspn.exe when run on a correctly configured FH Web Edition server.

    Replace adlab-ggserver with the computer name of your FH Web Edition server. The Globally Unique Identifier (GUID) {54094C05-F977-4987-BFC9-E8B90E088973} is specific to the FH Web Edition Application Publishing Service, which uses it to form the SPN {54094C05-F977-4987-BFC9-E8B90E088973}/adlab-ggserver.adlab.www.firehousesoftware.com.

    The second command window shows output obtained by running setspn.exe on an FH Web Edition server whose SPN registration failed, and indicates a network or directory configuration error. If all the requirements above are met, this should not occur.
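The requirements above can be checked from a domain-joined machine in one pass. The following PowerShell script is an added example and is not part of the FH Web Edition product or its documentation. It reads the user and computer objects through ADSI (no RSAT module needed), verifies the userAccountControl bits that the Account options and Trust computer for delegation checkboxes set, looks for the GUID SPN on the computer account, confirms the SPN is unique with setspn.exe, checks the service's logon account, and queries the Kerberos SRV record. The user name jdoe and the service display-name pattern are assumptions; the server name, domain and GUID are the ones used on this page.

```powershell
<#
 Added verification script for the delegation requirements listed above.
 Not part of FH Web Edition. The user, server and domain names are assumed
 defaults and must be replaced. Run as a domain user on a domain-joined
 machine; uses ADSI, setspn.exe and nslookup, so RSAT is not required.
#>
param(
    [string]$UserName   = 'jdoe',                                   # assumed client user
    [string]$ServerName = 'adlab-ggserver',                         # FH Web Edition server
    [string]$DnsDomain  = 'adlab.www.firehousesoftware.com',        # AD DNS domain
    [string]$Guid       = '{54094C05-F977-4987-BFC9-E8B90E088973}'  # GUID the service uses
)

# userAccountControl bits behind the two checkboxes discussed above
$NOT_DELEGATED          = 0x100000  # "Account is sensitive and cannot be delegated"
$TRUSTED_FOR_DELEGATION = 0x80000   # "Trust this computer for delegation to any service"

function Find-AdObject([string]$LdapFilter) {
    $searcher = [ADSISearcher]$LdapFilter
    [void]$searcher.PropertiesToLoad.AddRange(
        [string[]]@('userAccountControl', 'memberOf', 'servicePrincipalName'))
    $searcher.FindOne()
}

$problems = @()

# 1. Client user: NOT_DELEGATED must be clear and the user must not be in Protected Users.
$user = Find-AdObject "(&(objectCategory=person)(sAMAccountName=$UserName))"
if (-not $user) { throw "User '$UserName' not found in Active Directory" }
$userUac = [int]$user.Properties['useraccountcontrol'][0]
if ($userUac -band $NOT_DELEGATED) {
    $problems += "$UserName has 'Account is sensitive and cannot be delegated' set"
}
if (@($user.Properties['memberof']) -match '^CN=Protected Users,') {
    $problems += "$UserName is in Protected Users (Server 2012 R2+); credentials cannot be delegated"
}
if ($userUac -band $TRUSTED_FOR_DELEGATION) {
    Write-Warning "$UserName is itself trusted for delegation; not required, and it widens the account's privileges"
}

# 2. Server computer account: TRUSTED_FOR_DELEGATION must be set (computer sAMAccountName ends in '$').
$computer = Find-AdObject "(&(objectCategory=computer)(sAMAccountName=$ServerName`$))"
if (-not $computer) { throw "Computer '$ServerName' not found in Active Directory" }
$compUac = [int]$computer.Properties['useraccountcontrol'][0]
if (-not ($compUac -band $TRUSTED_FOR_DELEGATION)) {
    $problems += "$ServerName is not trusted for delegation"
}

# 3. The GUID SPN must be on that computer account, and nowhere else in the forest.
$expectedSpn = "$Guid/$ServerName.$DnsDomain"
if (@($computer.Properties['serviceprincipalname']) -notcontains $expectedSpn) {
    $problems += "SPN $expectedSpn is not registered on $ServerName"
}
Write-Host "setspn -Q should report exactly one existing SPN:"
setspn -Q $expectedSpn

# 4. The Application Publishing Service must run as Local System so the computer
#    account above is the identity used on the network. Display-name pattern is assumed.
$svc = Get-WmiObject Win32_Service | Where-Object { $_.DisplayName -like '*Application Publishing*' }
if ($svc -and $svc.StartName -ne 'LocalSystem') {
    $problems += "$($svc.Name) runs as $($svc.StartName), not Local System"
}

# 5. DNS must serve the SRV records clients use to locate a KDC / domain controller.
Write-Host "Kerberos SRV records for $DnsDomain :"
nslookup -type=SRV "_kerberos._tcp.$DnsDomain"

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else           { Write-Host 'All delegation checks passed' }
```

Run it as `.\Check-FhDelegation.ps1 -UserName <user> -ServerName <server> -DnsDomain <domain>`. A warning from step 1 or 2 corresponds directly to one of the checkbox steps above; a missing SPN in step 3 after the service has been restarted points at the computer account lacking the right to write its own servicePrincipalName, and more than one match from setspn -Q means a duplicate SPN that will make Kerberos authentication to the server fail.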