Configuring service accounts with unconstrained delegation

You need to configure the service accounts for the Directory Support Service (DSS) and the Application Server to operate with unconstrained delegation in a distributed setup.

Note:

Setting up Service Principal Names (SPNs) is essential for a successful installation and configuration of a distributed setup. You must complete the procedure to configure the service accounts for unconstrained delegation before you install the CCS components.

To configure the service accounts with unconstrained delegation

  1. Identify the user accounts to be used as the service accounts for DSS and Application Server.

    The user accounts must have the necessary privileges.

  2. Create the Service Principal Name (SPN) for the Application Server and the DSS services.

    Create an SPN for both the short NetBIOS name and the fully qualified domain name (FQDN) of each host. Delegation can work without an SPN in Windows Server 2000 domains, but it can also fail depending on the operating system in use.

    You must associate each SPN with a single user account.

    The service-name portion of each SPN must match the following commands exactly:

    • SetSpn -A Symantec.CSM.AppServer/appserver_machine domain\appserver_account

    • SetSpn -A Symantec.CSM.AppServer/appserver_machine.fqn domain\appserver_account

    • SetSpn -A Symantec.CSM.DSS/dss_machine domain\dss_account

    • SetSpn -A Symantec.CSM.DSS/dss_machine.fqn domain\dss_account

  3. Enable delegation for the Application Server's service account.

    Enable delegation as follows, depending on the domain type:

    Windows Server 2000 Domain

    In the user properties for the Application Server account, go to the Account tab and select the option Account is trusted for delegation.

    Windows Server 2003 Domain

    In the user properties for the Application Server account, go to the Delegation tab and select the option Trust this user for delegation to any service (Kerberos only).

  4. When installing the Application Server, specify the FQDN of the computer on which the DSS is installed when setup prompts for it. This is not mandatory, but specifying the short NetBIOS name can sometimes cause problems.
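The following PowerShell script is an added verification check, not part of the CCS documentation. It confirms the outcome of steps 2 and 3: that each of the four SPNs is registered on exactly one object and on the intended account (a duplicate SPN breaks Kerberos authentication), and that the Application Server account carries the trusted-for-delegation flag; because unconstrained delegation lets that account impersonate any user who authenticates to it, confirming that only the intended account is flagged is worth scripting. It assumes the ActiveDirectory module (RSAT) is available, and the account, host and DNS-suffix names are placeholders.

```powershell
# Added verification script (not from the CCS documentation).
# Requires the ActiveDirectory PowerShell module (RSAT).
Import-Module ActiveDirectory

$appServerAccount = 'svc-ccs-appserver'      # placeholder sAMAccountName (domain\appserver_account)
$dssAccount       = 'svc-ccs-dss'            # placeholder sAMAccountName (domain\dss_account)
$appServerHost    = 'ccsapp01'               # placeholder short NetBIOS host names
$dssHost          = 'ccsdss01'
$dnsSuffix        = 'corp.example.com'       # placeholder DNS suffix used to form the FQDN

# Expected SPN -> account map, mirroring the four SetSpn commands in step 2.
$expected = @{
    "Symantec.CSM.AppServer/$appServerHost"            = $appServerAccount
    "Symantec.CSM.AppServer/$appServerHost.$dnsSuffix" = $appServerAccount
    "Symantec.CSM.DSS/$dssHost"                        = $dssAccount
    "Symantec.CSM.DSS/$dssHost.$dnsSuffix"             = $dssAccount
}

$ok = $true
foreach ($spn in $expected.Keys) {
    # Search all object classes (users and computers) so a duplicate on a
    # computer object is caught too; each SPN must resolve to exactly one object.
    $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties sAMAccountName)
    if ($owners.Count -ne 1) {
        Write-Warning "$spn is registered on $($owners.Count) objects (expected exactly 1)"
        $ok = $false
    } elseif ($owners[0].sAMAccountName -ne $expected[$spn]) {
        Write-Warning "$spn is registered on $($owners[0].sAMAccountName), expected $($expected[$spn])"
        $ok = $false
    }
}

# Step 3: the Application Server account must be trusted for (unconstrained) delegation.
# TrustedForDelegation reflects the TRUSTED_FOR_DELEGATION bit of userAccountControl.
$app = Get-ADUser -Identity $appServerAccount -Properties TrustedForDelegation
if (-not $app.TrustedForDelegation) {
    Write-Warning "$appServerAccount is not trusted for delegation; complete step 3 before installing CCS"
    $ok = $false
}

if ($ok) { Write-Output 'SPN registration and delegation settings match the expected layout.' }
```

Run it from an account that can read the directory after completing step 3 and before installing the CCS components; any warning points to the exact SPN or flag that still needs attention.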