As an alternative to Step 2 of Install the HttpSecurityService for Windows Silent SSO with SPNEGO, the required Computer account can be created manually in AD DS.
To create the Computer account manually, HssSetup is used only to gather the correct values, generate the properties file and, at the end, change the password. None of these steps require additional privileges.
As in the non-manual scenario, start by running HssSetup with a filename based on the desired Computer account name (like jespa1.prp in this example). Enter the domain, accept the Computer account name and complete the URL.
However, when asked to create the Computer account, enter n for "no" to cancel wizard mode, then enter a period (.) at the menu prompt to exit HssSetup:

C:\tmp>jespa-2.1.0\bin\HssSetup.sh jespa1.prp
HttpSecurityService Setup / Jespa 2.1.0
AD DS DNS domain: mega.corp
DcLocator selected DC: dcb3.mega.corp
Computer account name [jespa1]:
Enter the HTTPS URL that will be used by most clients exactly as it will
appear in the address bar of a browser. HssSetup will attempt to retrieve
the TLS certificate from the TCP server and port specified in the URL.
Browser URL: https://rkyas15.mega.corp:8443
CN=jespa1:
  objectClass: [computer]
  sAMAccountName: jespa1$
  name: jespa1
  msDS-SupportedEncryptionTypes: 0x00000010 aes256-cts-hmac-sha1-96
  servicePrincipalName: [HTTP/rkyas15.mega.corp]
Create Computer account jespa1$ in domain mega.corp? [y]: n
jespa.setup.RollbackException: Failed to create account
Reloading properties from file
--
provider.classname: jespa.spnego.SpnegoSecurityProvider
dns) jespa.dns.servers: 10.44.100.22
site) jespa.dns.site: BASNA
url) bindings.cert.url: https://rkyas15.mega.corp:8443
bindings.cert.hash: A71F2439E0A6511992CEEF5A8095850B
spn) bindings.targetSpns: HTTP/rkyas15.mega.corp,HTTP/basn15.mega.corp
jespa.service.acctname: jespa1$@mega.corp
jespa.service.password:
HSS SETUP / jespa1.prp
C) Create Computer account
R) Password reset
v) Validate
s) Save
.) Exit
> .
C:\tmp>
Open the properties file with a text editor and set a long but easy to type temporary password like:
jespa.service.password = TempPassMoonBikeJump
Note: Password complexity requirements do not apply to Computer accounts.
Save the file. The properties file is now complete except for the password change performed later and any application-specific properties such as fallback.location or excludes.
Now create the Computer account in AD DS. Any method can be used that is equivalent to the following method using ADUC and the Set-ADAccountPassword PowerShell cmdlet.
Go to Server Manager > Tools > Active Directory Users and Computers, right-click on the container for the new Computer account, select New > Computer, enter the Computer account name (jespa1 in this example) and click Ok.
Right-click on the new account, select Properties > Attribute Editor.
Note: The Attribute Editor is visible only when ADUC > View > Advanced Features is enabled.
Modify the following three attributes with values like:

msDS-SupportedEncryptionTypes: 16
userAccountControl: 4096
servicePrincipalName: HTTP/rkyas15.mega.corp

The value 16 (0x10) is AES256-CTS-HMAC-SHA1-96, the single encryption type HssSetup selected above.
The value 4096 (0x1000) is WORKSTATION_TRUST_ACCOUNT.
The servicePrincipalName attribute is the first SPN from the bindings.targetSpns property. More SPNs can be added but, to minimize the chance of future SPN conflicts and to avoid unnecessary SPN namespace pollution, it is recommended that only essential SPNs are added. Technically, an SPN is required for each hostname (as it appears in the URL) that browser clients will use to initiate Kerberos authentication.
Click OK to commit the modifications.
Now set the password by running the following PowerShell command:
PS C:\Users\Administrator> Set-ADAccountPassword -Reset -Identity jespa1$
Please enter the desired password for 'CN=jespa1,CN=Computers,DC=mega,DC=corp'
Password: ********************
Repeat Password: ********************
Notice the $ symbol in jespa1$ is required here.
Enter the temporary password created previously (TempPassMoonBikeJump in this example).
The Computer account in AD DS should now be synchronized with the properties in the file.
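The same AD DS side of the procedure can be scripted instead of clicking through ADUC. The following is an added example, not part of the Jespa documentation or the Jespa product: it reads the temporary password back out of jespa1.prp so the file and AD DS cannot drift apart, refuses to register an SPN that some other account already holds, creates the account with New-ADComputer carrying the same three attribute values shown above, resets the password the way Set-ADAccountPassword does interactively, and then reads the account back to confirm it matches what HssSetup expects. The container path CN=Computers,DC=mega,DC=corp, the file location .\jespa1.prp and the SPN HTTP/rkyas15.mega.corp are assumptions taken from this page's example values; adjust them for your domain.

```powershell
# Added example (not from the Jespa documentation): script the AD DS steps above.
# Assumes the ActiveDirectory module, jespa1.prp in the current directory, and
# that the account goes in the default Computers container (change $Path if not).
Import-Module ActiveDirectory

$Name    = 'jespa1'
$Sam     = $Name + '$'                        # sAMAccountName; trailing $ is mandatory
$PrpFile = '.\jespa1.prp'                     # assumed location of the properties file
$Path    = 'CN=Computers,DC=mega,DC=corp'     # assumed container
$Spn     = 'HTTP/rkyas15.mega.corp'           # first SPN from bindings.targetSpns

# 1. Take the temporary password from the properties file ("key = value" lines)
#    so the value set in AD DS is exactly the one HssSetup will use.
$m = Select-String -Path $PrpFile -Pattern '^\s*jespa\.service\.password\s*=\s*(.*?)\s*$' |
     Select-Object -First 1
if (-not $m) { throw "jespa.service.password not found in $PrpFile" }
$secure = ConvertTo-SecureString $m.Matches[0].Groups[1].Value -AsPlainText -Force

# 2. Check for an SPN conflict first: if two accounts register the same SPN the KDC
#    may issue tickets for the wrong account and authentication fails.
$owner = Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Properties servicePrincipalName
if ($owner) { throw "SPN $Spn is already registered on $($owner.DistinguishedName)" }

# 3. Create the account. -Enabled $true yields userAccountControl 4096
#    (WORKSTATION_TRUST_ACCOUNT); 16 = AES256-CTS-HMAC-SHA1-96 only.
New-ADComputer -Name $Name -SAMAccountName $Sam -Path $Path -Enabled $true `
    -ServicePrincipalNames @($Spn) `
    -OtherAttributes @{ 'msDS-SupportedEncryptionTypes' = 16 }

# 4. Same as the interactive "Set-ADAccountPassword -Reset -Identity jespa1$",
#    but with the password supplied from the file instead of the prompt.
Set-ADAccountPassword -Identity $Sam -Reset -NewPassword $secure

# 5. Read the account back and verify the three attributes before returning to HssSetup.
$acct = Get-ADComputer -Identity $Sam `
    -Properties msDS-SupportedEncryptionTypes, userAccountControl, servicePrincipalName
$acct | Select-Object Name, SamAccountName, msDS-SupportedEncryptionTypes,
                      userAccountControl, servicePrincipalName | Format-List

if ($acct.'msDS-SupportedEncryptionTypes' -ne 16) { throw 'msDS-SupportedEncryptionTypes is not 16 (AES256 only)' }
if (($acct.userAccountControl -band 0x1000) -eq 0) { throw 'userAccountControl lacks WORKSTATION_TRUST_ACCOUNT (4096)' }
if ($acct.servicePrincipalName -notcontains $Spn)  { throw "servicePrincipalName does not contain $Spn" }
Write-Host "Computer account $Sam matches $PrpFile; run HssSetup and use P) to rotate the password."
```

Run it from an elevated PowerShell session on a machine with RSAT, in the directory holding jespa1.prp. The temporary password only lives in AD DS until the P) step in HssSetup replaces it with a random one, so the verification at the end is the last point at which the two values are expected to be identical.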
Finally, go back into HssSetup (now that the account exists, the menu offers P) Password change in place of C) Create Computer account), change the password with the P) option and validate the installation with the v) option like:

...
> P
Successfully changed new random password on Computer account
>
--
provider.classname: jespa.spnego.SpnegoSecurityProvider
dns) jespa.dns.servers: 10.15.15.22
site) jespa.dns.site: USNJ
url) bindings.cert.url: https://rkyas15.mega.corp:8443
bindings.cert.hash: 6710B2A07EC5CE1520DBFA0592D1F150
spn) bindings.targetSpns: HTTP/rkyas15.mega.corp
jespa.service.acctname: jespa1$@mega.corp
jespa.service.password: ^p#O****************************
HSS SETUP / jespa1.prp
P) Password change
R) Password reset
v) Validate
s) Save
.) Exit
> v
...
Authentication successful: JESPA1$@MEGA.CORP > HTTP/rkyas15.mega.corp
[WXXX] bindings.targetSpns.policy: This property should be set to 2 to require SPN checking
[WXXX] bindings.cert.hash.policy: This property should be set to 2 to require channel bindings
Validation completed: 2 possible issues detected
> .
$

The two warning messages are expected, but for maximum security the bindings.targetSpns.policy and bindings.cert.hash.policy properties should be uncommented in the properties file and set to 2, which requires SPN checking and channel bindings respectively.
Manual creation of the Computer account is complete!
See also: Install the Jespa Example Webapp
See also: Install the HttpSecurityService for Windows Silent SSO with SPNEGO