Configuring Integrated Windows Authentication

1. On the Active Directory Domain Controller server, click Start > All Programs > Administrative Tools > Active Directory Users and Computers.
2. Right-click the domain entry in the treeview where you want to create the new SPN account and select New > User.
3. Enter the requested information and click Next.
4. Configure the user password and click Next:
   1. Enter the account password.
   2. Deselect User must change password at next logon.
   3. Select Password never expires.
5. Click Finish.

1. On the Active Directory Domain Controller server, open a command prompt and change directories to the directory where ktpass.exe is located.

   The default location is c:\Program Files\Support Tools.

2. To map the authentication service to the SPN account, enter the following keypass command:

   ktpass /out filename /princ name /pass password /mapuser local_username /ptype principal_type /crypto encryption_type

For ktpass syntax, see Microsoft Ktpass reference.

ktpass /out 'C:\ax.keytab' /princ HTTP/axserver.ax.com@AX.COM /pass pass1234 /mapuser AXSSO /ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT

1. On the Active Directory Domain Controller server, open a command prompt and change directories to the directory where setspn.exe is located.

   The default location is c:\Program Files\Support Tools.

2. To register the SPN, enter the following setspn command:

   setspn -A ACLSE/full_domain_and_servername computer_name

   Note

   ACLSE is the required value to identify AX Connector and must be entered in all caps. The computer_name value can be entered as name or domain\name.

3. Optional. To verify the mapping of the SPN account, use the following setspn command:

   setspn -L computer_name

setspn -A ACLSE/axserver.example.com axserver

Prerequisite: Add the Java bin subfolder to your path environment variable to use the klist command without specifying the full path.

set PATH=java_bin_path;%PATH%

1. On the Active Directory Domain Controller server, copy the .keytab file you created with the ktpass command and paste it in the Windows directory of AX Server.
2. In the Windows directory of AX Server, create a file called krb5.ini.

3. From the command prompt, use the following command to verify that the keytab file can be read:

   klist -k

4. To attempt to authenticate, use the following command:

   kinit username@REALM.COM

5. Enter the user's password and press Enter.

[libdefaults]
ticket_lifetime = 24000
default_realm = your_domain
default_keytab_name = path_to_your_keytab_file
dns_lookup_realm = false
dns_lookup_kdc = false
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac

[realms]
your_domain = {
  kdc = your_active_directory_server.domain.com:88
}

[domain_realm]
.your_domain = YOUR_DOMAIN
your_domain = YOUR_DOMAIN

1. In Microsoft Internet Explorer, click Tools > Internet Options > Advanced.
2. Under the Security group, select Enable Integrated Windows Authentication and then click Apply.
3. Click the Security tab.
4. Select the Local Intranet icon and then click Sites.
5. In the Local Intranet dialog box, click Advanced and then enter the HTTPS URL for your AX Server instance and click Add.

   Example: https://axserver.ax.com.

6. Click Close, click OK in each open dialog box until the Internet Options dialog box closes and restart Internet Explorer.

The updated settings take effect the next time Internet Explorer is launched.