Configuring Kerberos

Kerberos requires configuration in Windows (KDC and Active Directory), the MSS Administrative Console, and your browser.

Configure KDC and Active Directory

To configure Windows Authentication - Kerberos support, certain steps must first be done on the KDC: create a service account, assign an SPN, and create a keytab.

Create a Service Account for your MSS deployment

  1. Open Active Directory Users and Computers by clicking Start | Administrative Tools | Active Directory Users and Computers.

  2. Select the Active Directory domain in the menu on the left.

  3. Select the New User action to display the New User wizard.

  4. In the Full name field, type the name of your MSS deployment service account (such as my-mss-deployment).

  5. In the User logon name field, type the same service account name you entered in step 4.

  6. Click Next.

  7. Assign a password to this service account. Be sure to take note of this password because it will be needed later.

  8. Uncheck User must change password at next logon.

  9. Check Password never expires.

  10. Click Next.

  11. Click Finish.

Assign an SPN for the MSS server to the Service Account

  1. Open a command prompt with Administrator rights.

  2. To verify no duplicate SPN entries exist, type the command setspn -X.

  3. Type the command

    setspn -A HTTP/<fully-qualified-name-of-mss-server> <service-account-name>

    Example: setspn -A HTTP/my-mss-server.my-company.com my-mss-deployment

  4. To verify the SPN was successfully added, type the command

    setspn -L <service-account-name>

For further help on setspn, run the setspn /help command.

Create a Keytab for the Service Account to be used by MSS

  1. Open a command prompt with Administrator rights.

  2. Type the command:

    ktpass -princ HTTP/<fully-qualified-name-of-mss-server>@<active-directory-domain> -mapuser <service-account-name> -pass <service-account-password> -ptype KRB5_NT_PRINCIPAL -crypto ALL -out <service-account-name>.keytab

    Example:

    ktpass -princ HTTP/my-mss-server.my-company.com@MYDOMAIN.COM -mapuser my-mss-deployment@MYDOMAIN.COM -pass password -ptype KRB5_NT_PRINCIPAL -crypto ALL -out my-mss-deployment.keytab

  3. Make sure the keytab file that is created is available when configuring Windows Authentication - Kerberos in the MSS Administrative Console.

Notes

  • The keytab file contains the service account's Kerberos keys, so protect it as carefully as the service account password.
  • You can use any name for the keytab file.
  • If setting up a cluster of MSS servers, this keytab file with a single SPN is all that is needed.

    See Configuring Kerberos for Clustered Servers for further details.
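The three KDC procedures above (service account, SPN, keytab) collected into one PowerShell script. This is an added example, not part of the product documentation: the account, host, realm and OU names are placeholders, and it assumes the ActiveDirectory module from RSAT is installed and that the script runs in an elevated prompt with rights to create users and register SPNs.

```powershell
# Added example (not from the product documentation). Creates the MSS
# service account, registers its SPN and exports the keytab in one pass.
# Assumes RSAT's ActiveDirectory module and an elevated, Domain Admin prompt.
#Requires -Modules ActiveDirectory

$ServiceAccount = 'my-mss-deployment'                       # placeholder
$MssFqdn        = 'my-mss-server.my-company.com'            # placeholder
$Realm          = 'MYDOMAIN.COM'                            # placeholder, upper case
$OuPath         = 'OU=ServiceAccounts,DC=mydomain,DC=com'   # placeholder
$Spn            = "HTTP/$MssFqdn"
$KeytabPath     = Join-Path $env:USERPROFILE "$ServiceAccount.keytab"

# Read the password once; it is never stored in the script or echoed.
$Password = Read-Host -Prompt "Password for $ServiceAccount" -AsSecureString

# 1. Create the service account with the same options as the wizard steps
#    (no password change at next logon, password never expires).
New-ADUser -Name $ServiceAccount -SamAccountName $ServiceAccount `
    -UserPrincipalName "$ServiceAccount@$($Realm.ToLower())" `
    -AccountPassword $Password -Enabled $true `
    -ChangePasswordAtLogon $false -PasswordNeverExpires $true `
    -Path $OuPath -Description 'MSS Kerberos service account'

# 2. Stop if the SPN is already bound to any object; a duplicate SPN breaks
#    Kerberos for both accounts. Same intent as "setspn -X", narrowed to
#    the one SPN about to be added.
$holder = Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)"
if ($holder) { throw "SPN $Spn is already registered on $($holder.DistinguishedName)" }
& setspn.exe -A $Spn $ServiceAccount

# 3. Export the keytab. ktpass needs the clear-text password, so it is
#    decoded only for this call and the BSTR buffer is zeroed afterwards.
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password)
try {
    $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    & ktpass.exe -princ "$Spn@$Realm" -mapuser "$ServiceAccount@$Realm" `
        -pass $plain -ptype KRB5_NT_PRINCIPAL -crypto ALL -out $KeytabPath
} finally {
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    $plain = $null
}

# 4. The keytab is equivalent to the account password: strip inherited ACLs
#    and leave read access only to the administrator running this script.
& icacls.exe $KeytabPath /inheritance:r /grant:r "$($env:USERNAME):(R)" | Out-Null

# 5. Record the SPNs now bound to the account, as the verification step does.
& setspn.exe -L $ServiceAccount
```

Copy the resulting keytab to the system from which you will open the MSS Administrative Console, then delete the local copy once the import succeeds. Note that ktpass with -mapuser also rewrites the account's userPrincipalName to the HTTP/ principal; that is expected and does not affect the service account logon name used in the console.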

Settings in the MSS Administrative Console

After enabling Kerberos and configuring the KDC and Active Directory to generate the keytab file, you must configure Kerberos in the MSS Administrative Console. Follow these steps:

  1. Navigate to Configure Settings - Authentication & Authorization and click Windows Authentication - Kerberos.

  2. Select the desired Authorization method.

  3. In the Kerberos Configuration section, enter the following:

    a. Realm - The name of your realm or domain name. For example, MYCOMPANY.COM.

    b. Service Principal Name (SPN) - The SPN created for your MSS instance. Enter the SPN using the indicated format: HTTP/<fully-qualified-domain-name>@<REALM-NAME>.

    c. Key Distribution Center (KDC) - Specify the KDC or domain controller host name.

    d. Port - Enter the KDC port if different from the default of 88.

    e. Click IMPORT to upload the keytab file generated on the KDC. This file must be available on the system used to access the MSS Administrative Console.

    f. Click TEST CONNECTION to test that the KDC can be accessed.

  4. In the LDAP Servers section, click ADD to configure the Active Directory used by the KDC.

    (See LDAP Configuration for further details).

  5. Click Apply.

Notes

  • The SPN must be the SPN used when configuring the KDC.
  • The SPN must be in the keytab file that is uploaded.
  • You must configure an LDAP server with Windows Active Directory as the Server type.

    Active Directory is the only supported LDAP Server type for Windows Authentication - Kerberos.

Configure your browser for Kerberos

In order to sign in using Kerberos, your browser must be configured correctly for Windows Authentication via Kerberos and your machine must be a member of the proper domain (Kerberos realm).

Consult the help for your specific browser for instructions on how to enable Kerberos.

Verify your Kerberos configuration

Now that your single MSS server is configured for Windows Authentication - Kerberos, it is a good idea to verify that the configuration is working correctly.

Steps to verify:

  1. Use a client system that is a member of the Active Directory domain.

  2. Log onto the client system with the credentials of a user account from that Active Directory domain.

  3. Be sure to Configure your browser for Kerberos.

  4. Once the browser is configured for Kerberos, use it to access the URL:

    https://<fully-qualified-mss-server>:9443/osp/a/hc/auth/app

  5. To verify your Kerberos configuration:

    When configured correctly, you should see that the user logged into the client machine is logged into the web application without being prompted for any credentials.

    When not configured correctly, you may see a prompt for credentials indicating that LDAP fallback has occurred, or you may encounter an error message. If this happens, see Troubleshooting Kerberos Configuration for assistance.
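A client-side check that goes one step beyond "no prompt appeared": after the browser has loaded the MSS page, the Windows ticket cache should hold a service ticket for the MSS SPN. This is an added example, not part of the product documentation; the host name is a placeholder and the script assumes it runs on the domain-joined client from step 1 as the logged-on user.

```powershell
# Added example (not from the product documentation). Confirms on the client
# that the sign-in at step 4 used a Kerberos service ticket for the MSS SPN
# rather than the LDAP fallback. The host name is a placeholder.
$MssFqdn = 'my-mss-server.my-company.com'   # placeholder
$Spn     = "HTTP/$MssFqdn"

function Get-KerberosServiceTicket {
    # Scans the "klist" ticket-cache listing and returns the "Server:" line
    # for the requested SPN, or nothing if no such ticket is cached.
    param([string]$ServicePrincipal)
    $pattern = '^\s*Server:\s*' + [regex]::Escape($ServicePrincipal) + '\s*@'
    & klist.exe | Where-Object { $_ -match $pattern }
}

# Start from an empty cache so a ticket left over from an earlier session
# cannot mask a broken configuration; Windows re-acquires the TGT on demand.
& klist.exe purge | Out-Null

Start-Process "https://$($MssFqdn):9443/osp/a/hc/auth/app"
Read-Host 'Press Enter once the MSS page has finished loading' | Out-Null

$ticket = Get-KerberosServiceTicket -ServicePrincipal $Spn
if ($ticket) {
    Write-Output "Kerberos sign-in confirmed: $($ticket.Trim())"
} else {
    Write-Output ("No service ticket for $Spn was issued. Either the browser fell back " +
        'to LDAP or no ticket could be obtained: check that the SPN matches the one ' +
        'registered on the KDC and that this client is joined to the domain.')
}
```

If a ticket is present but the browser still prompted for credentials, the client side of Kerberos is working and the problem lies in the SPN or keytab uploaded to the MSS Administrative Console; see Troubleshooting Kerberos Configuration.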

Notes

When using Kerberos authentication for Reflection Desktop clients, the browser on the client system needs to be configured. See Configure your browser for Kerberos.