Configuring Integrated Windows Authentication

On the Active Directory Domain Controller server, click Start > All Programs > Administrative Tools > Active Directory Users and Computers.
Right-click the domain entry in the treeview where you want to create the new SPN account and select New > User.
Enter the requested information and click Next.
Configure the user password and click Next:
1. Enter the account password.
2. Deselect User must change password at next logon.
3. Select Password never expires.
Click Finish.

On the Active Directory Domain Controller server, open a command prompt and change directories to the directory where ktpass.exe is located.
The default location is c:\Program Files\Support Tools.

To map the authentication service to the SPN account, enter the following keypass command:

ktpass /out filename /princ name /pass password /mapuser local_username /ptype principal_type /crypto encryption_type

For ktpass syntax, see Microsoft Ktpass reference.

Example

ktpass /out 'C:\ax.keytab' /princ HTTP/axserver.ax.com@AX.COM /pass pass1234 /mapuser AXSSO /ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT

Show me how

On the Active Directory Domain Controller server, open a command prompt and change directories to the directory where setspn.exe is located.
The default location is c:\Program Files\Support Tools.
To register the SPN, enter the following setspn command:
```
setspn -A ACLSE/full_domain_and_servernamecomputer_name
```
Note
ACLSE is the required value to identify AX Connector and must be entered in all caps. The computer_name value can be entered as name or domain\name.
Optional. To verify the mapping of the SPN account, use the following setspn command:
```
setspn -L computer_name
```

Example

setspn -A ACLSE/axserver.acl.com axserver

Show me how

Prerequisite: Add the Java bin subfolder to your path environment variable to use the klist command without specifying the full path.

set PATH=java_bin_path;%PATH%

On the Active Directory Domain Controller server, copy the .keytab file you created with the ktpass command and paste it in the Windows directory of AX Server.
In the Windows directory of AX Server, create a file called krb5.ini.
From the command prompt, usethe following command to verify that the keytab file can be read:
```
klist -k
```
To attempt to authenticate, use the following command:
```
kinit username@REALM.COM
```
Enter the user's password and press Enter.

Example krb5.ini file

[libdefaults]
ticket_lifetime = 24000
default_realm = <domain>
default_keytab_name = <path_to_keytab_file>
dns_lookup_realm = false
dns_lookup_kdc = false
default_tkt_enctypes = rc4-hmac
default_tgs_encrypes = rc4-hmac [realms]
<domain> = {
  kdc = <adserver.domain.com>:88
} 
[domain_realm]
<.domain> = <DOMAIN>
<domain> = <DOMAIN>

Show me how

In Microsoft Internet Explorer, click Tools > Internet Options > Advanced.
Under the Security group, select Enable Integrated Windows Authentication and then click Apply.
Click the Security tab.
Select the Local Intranet icon and then click Sites.
In the Local Intranet dialog box, click Advanced and then enter the HTTPS URL for your AX Server instance and click Add.
Example: https://axserver.ax.com.
Click Close, click OK in each open dialog box until the Internet Options dialog box closes and restart Internet Explorer.

The updated settings take effect the next time Internet Explorer is launched.

Configuring Integrated Windows Authentication

Create an SPN account

Map the authentication service to the SPN account

Register an SPN for the AX Connector service

Test the SPN account mapping

Enable Integrated Windows Authentication from Internet Explorer