In Administrative Tools on your Windows server, open Active Directory Users and Computers.
Create a new user (New > User) in the container or OU that will hold the Identity Server service account.
Specify the following details:

| Field | Description |
|---|---|
| First name | Specify the hostname of Identity Server. This is the username. For the example configuration, this is amser. Verify the hostname by running the hostname command on Identity Server. |
| User logon name | Specify HTTP/<Identity_Server_Base_URL>. For example, if the base URL of Identity Server is amser.nam.example.com, specify HTTP/amser.nam.example.com. The realm (the UPN suffix, AD.EXAMPLE.COM in this example) is displayed next to the User logon name; the logon name and realm together form the user principal name HTTP/amser.nam.example.com@AD.EXAMPLE.COM. |
| User logon name (pre-Windows 2000) | Replace the default value with the hostname of Identity Server, for example amser. Complete this step regardless of the Windows version you are using. |
Click Next and configure the password. Because the account will carry a servicePrincipalName, any domain user can request a service ticket encrypted with its password hash, so use a long, random password rather than one that can be guessed offline. Set the following options:

| Field | Action |
|---|---|
| User must change password at next logon | Deselect this option. |
| Password never expires | Select this option. With no expiry enforced, the password is rotated only when you change it and regenerate the Identity Server keytab, so record it in a secrets store and plan that rotation. |
Click Next > Finish.
This creates an Identity Server user. You need to remember the values you assigned to this user for First name and User logon name.
Set the servicePrincipalName (SPN) attribute for this user. Open a command prompt or PowerShell as an administrator and run:
setspn -A HTTP/<Identity_Server_Base_URL>@<REALM> <userName>
IMPORTANT: The SPN is stored exactly as typed. Use the same case as the User logon name and realm.
For this configuration example, run the following command:
setspn -A HTTP/amser.nam.example.com@AD.EXAMPLE.COM amser
This adds the value given to -A to the servicePrincipalName attribute of the specified user. setspn -A does not check whether another account already carries the same SPN; a duplicate SPN makes the KDC issue tickets for the wrong account, and Kerberos authentication then fails for both. On Windows Server 2008 and later, prefer setspn -S, which performs the same addition but refuses it when a duplicate exists.
NOTE: For Domain Services for Windows, also set the HOST SPN with this command: setspn -A HOST/<Identity_Server_Base_URL>@<REALM> <userName>
(Optional) Verify that the user has the required servicePrincipalName attribute with a valid value. Enter the following command:
setspn -L <userName>
For this configuration example, enter the following command:
setspn -L amser
The output must list HTTP/amser.nam.example.com@AD.EXAMPLE.COM (and, for Domain Services for Windows, the HOST SPN as well). To confirm that no other account has registered the same SPN, run setspn -X, which reports duplicate SPNs in the domain (add -F to check the whole forest).
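The same procedure as a single script, added here as an example; it is not part of the original page and not NetIQ code. It uses the ActiveDirectory PowerShell module (RSAT) instead of the ADUC wizard and setspn, and adds the two checks a practitioner wants: a forest-wide duplicate-SPN check before the account is created, and a case-exact read-back of the attribute afterwards. The hostname, base URL and realm come from the page's example; the OU path, the parameter names and the $DsfwHostSpn switch are assumptions for illustration. It must run as a domain administrator.

```powershell
# Added example, not from the original page: create the Identity Server
# Kerberos service account with the ActiveDirectory module (RSAT required).
# Assumptions: run as a domain admin; realm AD.EXAMPLE.COM; the OU path is
# hypothetical and must be adjusted to your directory.
#Requires -Modules ActiveDirectory

param(
    [string]$IdsHostname = 'amser',                  # output of "hostname" on Identity Server
    [string]$IdsBaseUrl  = 'amser.nam.example.com',  # Identity Server base URL
    [string]$Realm       = 'AD.EXAMPLE.COM',         # Kerberos realm / UPN suffix
    [string]$TargetOu    = 'OU=ServiceAccounts,DC=ad,DC=example,DC=com',  # assumed OU
    [switch]$DsfwHostSpn                             # Domain Services for Windows: also add HOST/
)

$spn = "HTTP/$IdsBaseUrl@$Realm"

# A duplicate SPN anywhere in the forest breaks Kerberos for both accounts, and
# "setspn -A" does not look for one. Refuse to continue if the HTTP SPN (with or
# without realm suffix) is already registered, as "setspn -S" would.
$dupe = Get-ADObject -LDAPFilter "(servicePrincipalName=HTTP/$IdsBaseUrl*)" `
                     -Properties servicePrincipalName
if ($dupe) {
    throw "SPN HTTP/$IdsBaseUrl already registered on $($dupe.DistinguishedName); not creating a duplicate."
}

# An account with an SPN can have service tickets requested for it by any domain
# user, so the password must be long and random: 32 CSPRNG bytes, base64-encoded.
$rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$bytes = New-Object byte[] 32
$rng.GetBytes($bytes)
$password = ConvertTo-SecureString -String ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

$spns = @($spn)
if ($DsfwHostSpn) { $spns += "HOST/$IdsBaseUrl@$Realm" }

# Each key mirrors one field of the ADUC wizard on the page.
$params = @{
    Name                  = $IdsHostname
    GivenName             = $IdsHostname               # "First name"
    SamAccountName        = $IdsHostname               # "User logon name (pre-Windows 2000)"
    UserPrincipalName     = "HTTP/$IdsBaseUrl@$Realm"  # "User logon name" plus realm
    Path                  = $TargetOu
    AccountPassword       = $password
    ChangePasswordAtLogon = $false                     # deselect "must change password at next logon"
    PasswordNeverExpires  = $true                      # select "Password never expires"
    Enabled               = $true
    ServicePrincipalNames = $spns                      # what "setspn -A" adds
    PassThru              = $true
}
$user = New-ADUser @params

# Equivalent of "setspn -L amser": read the attribute back and compare
# case-sensitively, because the SPN is stored exactly as written.
$check = Get-ADUser -Identity $user.DistinguishedName -Properties servicePrincipalName
if ($check.servicePrincipalName -cnotcontains $spn) {
    throw "SPN $spn is missing on $($check.DistinguishedName)"
}

# The password is needed once more when the Identity Server keytab is generated;
# return it as a SecureString for the caller's secrets store, never echo it.
[pscustomobject]@{
    DistinguishedName = $check.DistinguishedName
    SPNs              = $check.servicePrincipalName
    Password          = $password
}
```

Run it from an elevated PowerShell session on a domain-joined admin host, for example `.\New-IdsKerberosAccount.ps1 -TargetOu 'OU=...' -DsfwHostSpn` when the directory is Domain Services for Windows. The duplicate check deliberately fails closed: if the script is re-run after a partial success it throws instead of creating a second account, which is the safer outcome for Kerberos.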