Enable trust for delegation for web servers
Actions described in this article are required only if Adaxes service and Web interface are installed on different computers.
On each computer where Adaxes Web interface is installed:
Launch Internet Information Services (IIS) Manager.
In the Connections pane, expand the server that hosts Adaxes Web interface and select Application Pools.
In the Application Pools pane, select the Application Pool used for Adaxes Web interface.
In the Actions pane, click Advanced Settings.
In the Process Model section, set Identity to NetworkService.
In the Connections pane, expand Sites and then expand the web site that hosts Adaxes Web interface.
Select the virtual directory of the Adaxes Web interface application.
In the Home pane, double-click Configuration Editor.
In the Section drop-down menu, navigate to system.webServer/security/authentication and select windowsAuthentication.
Set useAppPoolCredentials to TRUE.
On the file system, navigate to the App subfolder of the folder where Adaxes Web interface is installed, which is C:\Program Files\Softerra\Adaxes 3\Web Interface by default.
Open the Softerra.Adaxes.Adsi.dll.config file with a text editor.
Locate the application/channels/channel XML element.
Set the servicePrincipalName parameter to Adaxes/<service_FQDN>, where <service_FQDN> is the fully qualified domain name of any computer where your Adaxes service is installed. For example:
<application> <channels> <channel ref="tcp" priority="2" secure="true" servicePrincipalName="Adaxes/myadaxesservice.company.com"> ... </channel> </channels> </application>
If you have multiple instances of Adaxes Web interface, specify the same computer name for each Web interface.
Save the file.
To register the service principal name for your Adaxes service:
On any computer where Adaxes service is installed, launch the command prompt.
- Open Windows Start menu.
- Type cmd.
- Press Enter.
Type the following command and press Enter:
setspn -U -A Adaxes/<service_FQDN> <DOMAIN\username>
- <service_FQDN> - The fully qualified domain name of the computer where Adaxes service is installed. Use the computer name that was specified on step 16 of the above instructions.
- <DOMAIN\username> - The username of the Adaxes service account.
If you have multiple instances of Adaxes service sharing common configuration:
- All instances of Adaxes service must use the same service account.
- You need to register the service principal name only for one instance of Adaxes service in the configuration set.
Enable trust for delegation for each computer where Adaxes Web interface is installed:
- Launch Active Directory Users and Computers.
- Locate the computer where Adaxes Web interface is installed.
- Right-click the computer and click Properties in the context menu.
- Activate the Delegation tab and select Trust this computer for delegation to specified services only.
- Select Use Kerberos only.
- Click Add.
- Locate the Adaxes service account and click OK.
- In the Available services list, select Adaxes and click OK.