To configureFME Flowto use single sign-on authentication, the Windows domain must recognizeFME Flowas a domain service. Three steps are required:
- RepresentFME Flowas a domain service by assigning it a service principal name (SPN).
- Register the SPN (or SPNs) to theservice account.
- Ensure that the service account requires Kerberos pre-authentication.
A) Assign a Service Principal Name
An SPN has the form:
Note ">
NoteIfFME Flowis configured for access through a DNS alias (CNAME), SPNs must also be registered using this alias.
To obtain the unqualified and fully-qualified versions of the host name:
- From theFME Flowhost machine, click the Start menu, right-click 'Computer' or 'My Computer' and select 'Properties'.
- For the unqualified host name, refer to 'Computer name'.
- For the fully-qualified host name, refer to 'Full computer name'.
For example, if the unqualified host name is 'MyETLServer' and the fully-qualified host name is 'MyETLServer.domain.net', the SPNs are:
- http/MyETLServer
- http/MyETLServer.domain.net
B) Register an SPN to a Service Account
- From theDomain Controller, open a command prompt (cmd.exe) via the Start menu.
- Typesetspn -S
- Ensure that the command succeeded with the message 'Updated object'. If the message 'Unable to locate account ...' appears, the account name is incorrectly specified.
- Repeat until all SPNs are added.
For example, using the SPNs in the previous example, and supposing the service account is 'fmeflowadmin', the following commands would be entered:
setspn -S http/MyETLServer fmeflowadmin
setspn -S http/MyETLServer.domain.net fmeflowadmin
C) Ensure the Service Account Requires Kerberos Pre-authentication:
- From theDomain Controller, open 'Active Directory Users and Computers' via the Start menu.
- In the console tree, navigate to the service account.
- Right-click the service account, and select Properties.
- Select the Account tab.
- Under Account Options, scroll to the bottom and ensure that 'Do not require Kerberos preauthentication' is unchecked.
- Click Ok.