Disable NTLM and enforce Kerberos
Adaxes uses Windows authentication for remote communication between its client components and the Adaxes service. By default, the TCP remoting channel uses Kerberos, with fallback to NTLM.
To force the channel to use Kerberos, you need to register a Service Principal Name (SPN) for the Adaxes service. An SPN allows the Key Distribution Center (KDC) to associate the service with an account and generate a valid service ticket.
To register an SPN for the Adaxes service:
- Launch the command prompt on any computer where the Adaxes service is installed.
- Execute the following command:
  setspn -U -A Adaxes/<service_FQDN> <DOMAIN\username>
In the command:
- <service_FQDN> – the fully qualified domain name of the computer where Adaxes service is installed.
- <DOMAIN\username> – the username of the Adaxes service account.
If you have multiple Adaxes service instances sharing a configuration, all instances must use the same service account, and the SPN needs to be registered for only one of them.
Configure Adaxes clients
You also need to specify the SPN in the remoting configuration of Adaxes client components. The configuration file for every component is named identically – Softerra.Adaxes.Adsi.dll.config. However, it is located in different folders.
To enforce Kerberos for a particular Adaxes client:
- Navigate to the folder where the client component is installed. Replace the <InstallLocation> placeholder with the Adaxes installation location, which is C:\Program Files\Softerra\Adaxes 3 by default.
- Open the Softerra.Adaxes.Adsi.dll.config file with a text editor.
- Locate the application/channels/channel XML element.
- Set the servicePrincipalName parameter to Adaxes/<service_FQDN>, where <service_FQDN> is the fully qualified domain name of the computer for which you created an SPN.
  <application>
    <channels>
      <channel ref="tcp" priority="2" secure="true" servicePrincipalName="Adaxes/myadaxesserver.example.com">
        ...
      </channel>
    </channels>
  </application>
- Save the file.
If you have multiple instances of Adaxes web interface, you must change the remoting configuration for every instance.
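Because every client component carries its own copy of Softerra.Adaxes.Adsi.dll.config, the edit above is easy to miss on one instance, leaving that client free to fall back to NTLM. The following PowerShell script is an added example, not Softerra's code: it walks the installation folder, sets servicePrincipalName on the tcp channel of every config it finds, and confirms secure="true" is still present. The install root and the service FQDN are placeholders you must replace.

```powershell
# Added example (not part of the Adaxes documentation or product).
# Assumptions: $InstallRoot is where all Adaxes client components live and
# $ServiceFqdn is the host whose SPN you registered with setspn.
param(
    [string]$InstallRoot = 'C:\Program Files\Softerra\Adaxes 3',   # placeholder
    [string]$ServiceFqdn = 'myadaxesserver.example.com'           # placeholder
)
$expectedSpn = "Adaxes/$ServiceFqdn"

# Every client component ships the same file name in a different folder.
$configs = Get-ChildItem -Path $InstallRoot -Recurse -File `
    -Filter 'Softerra.Adaxes.Adsi.dll.config'

foreach ($file in $configs) {
    [xml]$doc = Get-Content -Path $file.FullName -Raw

    # The remoting channel is application/channels/channel with ref="tcp".
    $channel = $doc.SelectSingleNode("//application/channels/channel[@ref='tcp']")
    if (-not $channel) {
        Write-Warning "No tcp channel element in $($file.FullName); skipped"
        continue
    }

    $changed = $false
    if ($channel.GetAttribute('servicePrincipalName') -ne $expectedSpn) {
        $channel.SetAttribute('servicePrincipalName', $expectedSpn)
        $changed = $true
    }
    # Keep the channel encrypted; an SPN without secure="true" is not enough.
    if ($channel.GetAttribute('secure') -ne 'true') {
        $channel.SetAttribute('secure', 'true')
        $changed = $true
    }

    if ($changed) {
        Copy-Item -Path $file.FullName -Destination "$($file.FullName).bak" -Force
        $doc.Save($file.FullName)
        Write-Output "Updated:   $($file.FullName)"
    }
    else {
        Write-Output "Compliant: $($file.FullName)"
    }
}
```

Run it from an elevated prompt on each server that hosts Adaxes client components (the service itself and any web interface instances), then restart those components so the new channel settings take effect.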