Testing the SPN account mapping
You can use the kinit command to test the mapping between the AX Server authentication service and the SPN account. If you can successfully authenticate a user account using the kinit command, the mapping configuration is correct.
To use the kinit and klist commands without specifying their full path each time, you need to add the Java bin subfolder to your path. You can do this permanently by updating the Path environment variable to include the full path to the Java bin subfolder, or add it temporarily on the command line using the following syntax:
Set PATH=<java_bin_path>;%PATH%
To test the SPN account mapping:
- Copy the .keytab file you created when you ran the ktpass command on the Active Directory Domain Controller server to the Windows directory on the AX Server.
- Create a file named krb5.ini in the Windows directory on the AX Server. An example of the file format is given below.
- Open the command prompt on the AX Server and check that the keytab file can be read:
klist -k
- Attempt to authenticate a user with the following syntax:
kinit username@REALM.COM
For example, to authenticate the Administrator user on the AX.COM domain, you need to enter the following command:
kinit Administrator@AX.COM
- Enter the password for the user at the prompt and press Enter.
krb5.ini file example
Use the following syntax to populate your krb5.ini file. Save the file as plain text in the Windows directory. The angle brackets (<>) and their contents must be replaced with your site-specific settings.
[libdefaults]
ticket_lifetime = 24000
default_realm = <domain>
default_keytab_name = <path_to_keytab_file>
dns_lookup_realm = false
dns_lookup_kdc = false
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
[realms]
<domain> = {
kdc = <adserver.domain.com>:88
}
[domain_realm]
<.domain> = <DOMAIN>
<domain> = <DOMAIN>
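As an added example (not part of the AX Server documentation), the following Python script ties the procedure above to the krb5.ini format: it parses a krb5.ini written in that format and the text that Java's klist -k prints, and reports the mismatches (realm case, missing kdc, misspelled enctype keys, keytab principal in the wrong realm) that otherwise only surface as a failed kinit. The krb5.ini and klist samples are constructed, and the sample krb5.ini deliberately carries the misspelled default_tgs_encrypes key so the check has something to find.

```python
# Added example (not from the AX Server documentation): pre-flight check of a krb5.ini
# against the keytab listing from Java's `klist -k`. Both sample inputs are constructed.
import re
SAMPLE_INI = r"""[libdefaults]
default_realm = AX.COM
default_keytab_name = C:\Windows\ax.keytab
default_tkt_enctypes = rc4-hmac
default_tgs_encrypes = rc4-hmac
[realms]
AX.COM = {
kdc = adserver.ax.com:88
}"""
# One keytab entry, in the layout the JDK's klist uses for `klist -k` (constructed).
SAMPLE_KLIST = r"""Key tab: C:\Windows\ax.keytab, 1 entries found.
[1] Service principal: HTTP/axserver.ax.com@AX.COM"""

def parse_krb5_ini(text):
    # Returns {section: {key: value}}; a "REALM = { ... }" block nests under its section.
    conf, section, block = {}, None, None
    for line in filter(None, (raw.strip() for raw in text.splitlines())):
        if line[0] == "[":                       # new section header
            section, block = line.strip("[]"), None
            conf[section] = {}
        elif line == "}":                        # end of a realm block
            block = None
        elif line.endswith("{"):                 # start of a realm block
            block = line[:-1].split("=")[0].strip()
            conf[section][block] = {}
        else:
            key, _, value = line.partition("=")
            (conf[section][block] if block else conf[section])[key.strip()] = value.strip()
    return conf

def check(ini_text, klist_output):
    # Returns the problems found; an empty list means the two look consistent.
    conf = parse_krb5_ini(ini_text)
    libdefaults = conf.get("libdefaults", {})
    realm, problems = libdefaults.get("default_realm", ""), []
    if realm != realm.upper():                   # Kerberos realm names are case-sensitive
        problems.append(f"default_realm {realm!r} is not upper case")
    if "kdc" not in conf.get("realms", {}).get(realm, {}):
        problems.append(f"no kdc entry for {realm!r} in [realms]")
    for key in ("default_tkt_enctypes", "default_tgs_enctypes"):
        if key not in libdefaults:
            problems.append(f"{key} missing from [libdefaults]; check spelling")
    principals = re.findall(r"Service principal:\s*(\S+)", klist_output)
    if not principals:
        problems.append("klist -k listed no principals: keytab unreadable or empty")
    problems += [f"{p} is not in realm {realm!r}" for p in principals if p.rpartition("@")[2] != realm]
    return problems
```

Feed it the real klist -k output captured on the AX Server; note that Windows ships its own klist.exe in System32 with a different syntax, which is why the Java bin subfolder must be prepended to the path as shown above rather than appended.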