When Kerberos authentication fails, the Password Manager Service fails to start, or users are unable to register their security questions, the Password Manager Service account may not have all the required rights or privileges. To resolve this, run the Password Manager Service under the built-in Network Service or Local Service account.
Note: Use the "Local Service" account only if the Password Manager Central store is located on the same computer as the service.
If you choose to create a domain account as the service account, verify that the account credentials supplied in the Service Configuration have the following rights:
- The user account must be a member of the local Administrators group on the service computer
- The user account must have the "Log on as a service" privilege on the service computer
- The user account must have a registered Service Principal Name (SPN)
Registering a Service Principal Name for the Password Manager Service account
When registering a Service Principal Name (SPN), you are mapping a service principal name to the Windows account that is used to start the Password Manager Service. This is needed because the Password Manager Agent builds the SPN it requests from the server's host name and the TCP/IP port it connects to. If no SPN has been mapped to the Password Manager Service account, Windows cannot determine the account associated with the Password Manager Service and Kerberos authentication fails.
Setspn.exe is available in the Support Tools pack on the Windows Server 2003 CD-ROM, or can be downloaded from Microsoft. Setspn.exe requires the user to be logged on with domain administrator privileges.
When registering the SPN with SetSPN, use the following syntax. Specify the FQDN for the server name; servername is the server on which the Citrix Password Manager Service is installed.
SetSPN -A http/servername domain\username
If the designated port has been changed, the syntax is:
SetSPN -A http/servername:PORT domain\username
If you accidentally register duplicate SPNs, you can use Setspn.exe to delete the duplicate SPN:
SetSPN -d http/servername:PORT domain\username
To help with the configuration of the Password Manager Service, the Service Wizard verifies that the account entered has the appropriate permissions and SPN set before allowing you to proceed with the configuration.
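The following PowerShell script is an added example and is not part of the Citrix article or the Password Manager product. It performs the same check the Service Wizard does, from the command line: it confirms that the expected http/FQDN SPN (and the port-qualified SPN when the port was changed) is registered to the service account and that no other object in the domain holds the same SPN, since a duplicate SPN is a common cause of the Kerberos failure described above. It queries Active Directory through ADSI, so no extra tools are needed; the server FQDN, port and account name are placeholders you must replace.

```powershell
# Added example (not from the Citrix article): audit the Password Manager Service SPNs.
# Placeholder values: replace with your server FQDN, service port and domain\account.
$ServiceFqdn    = 'pmserver.example.local'   # placeholder FQDN of the service computer
$ServicePort    = 80                         # placeholder; set to the changed port if applicable
$ServiceAccount = 'EXAMPLE\svc-pmservice'    # placeholder domain\username of the service account

function Get-SpnHolders {
    param([string]$Spn)
    # Search the whole domain for any object that already carries this SPN.
    $searcher = [ADSISearcher]"(servicePrincipalName=$Spn)"
    $searcher.PageSize = 500
    [void]$searcher.PropertiesToLoad.Add('sAMAccountName')
    $searcher.FindAll() | ForEach-Object { $_.Properties['samaccountname'][0] }
}

function Test-PmServiceSpn {
    param([string]$Fqdn, [int]$Port, [string]$Account)
    $sam  = $Account.Split('\')[-1]            # strip the domain prefix for comparison
    $spns = @("http/$Fqdn")
    if ($Port -ne 80) { $spns += "http/${Fqdn}:$Port" }   # port-qualified SPN for a non-default port
    foreach ($spn in $spns) {
        $holders = @(Get-SpnHolders -Spn $spn)
        if ($holders.Count -eq 0) {
            Write-Warning "$spn is not registered. Register it with:`n  setspn -A $spn $Account"
        }
        elseif ($holders.Count -gt 1 -or $holders[0] -ne $sam) {
            # Either a duplicate, or the SPN belongs to the wrong account; both break Kerberos.
            Write-Warning "$spn is held by: $($holders -join ', '). Remove the wrong entry with:`n  setspn -d $spn <domain\account>"
        }
        else {
            Write-Output "$spn is correctly registered to $sam"
        }
    }
}

Test-PmServiceSpn -Fqdn $ServiceFqdn -Port $ServicePort -Account $ServiceAccount
```

Run it as a domain user from any domain-joined machine; only the setspn commands it prints need domain administrator rights. The search is done by SPN value rather than by account so that a stray registration on a computer object or another service account is caught as well.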
Delegating the Password Manager Service Account
After issuing the appropriate command line for your environment, complete delegation by using the Active Directory Users and Computers snap-in. Navigate to the Password Manager server (Computers > Password Manager Service) and choose Properties.
Click the Delegation tab, select "Trust this computer for delegation to specified services only," and click Add. When adding the delegation, choose only the user name specified above. Click OK.
Grant the user the "Log on as a service" right and restart the Password Manager Service.
For more information on allowing a user to be trusted for delegation, see the Microsoft Technet article, Allow a user to be trusted for delegation.
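As an added example (not from the Citrix article), the script below reads back the delegation settings of the Password Manager service computer object so you can confirm that the snap-in change above took effect and that the computer is constrained to the service account's SPN rather than trusted for delegation to any service. The computer name and SPN are placeholders.

```powershell
# Added example (not from the Citrix article): inspect constrained delegation on the service computer.
$ComputerName = 'PMSERVER'                      # placeholder NetBIOS name of the service computer
$ExpectedSpn  = 'http/pmserver.example.local'   # placeholder SPN registered to the service account

function Get-DelegationState {
    param([string]$Name)
    # Computer accounts have a trailing '$' in sAMAccountName; the backtick keeps it literal.
    $searcher = [ADSISearcher]"(&(objectCategory=computer)(sAMAccountName=$Name`$))"
    [void]$searcher.PropertiesToLoad.AddRange(@('userAccountControl', 'msDS-AllowedToDelegateTo'))
    $result = $searcher.FindOne()
    if (-not $result) { throw "Computer object $Name not found" }
    $uac = [int]$result.Properties['useraccountcontrol'][0]
    [pscustomobject]@{
        Unconstrained      = [bool]($uac -band 0x80000)    # TRUSTED_FOR_DELEGATION: any service
        ProtocolTransition = [bool]($uac -band 0x1000000)  # TRUSTED_TO_AUTH_FOR_DELEGATION: "any protocol"
        AllowedTo          = @($result.Properties['msds-allowedtodelegateto'])  # "specified services only" list
    }
}

$state = Get-DelegationState -Name $ComputerName
if ($state.Unconstrained) {
    Write-Warning "$ComputerName is trusted for delegation to any service; restrict it to specified services only."
}
if ($state.AllowedTo -contains $ExpectedSpn) {
    Write-Output "$ComputerName may delegate to $ExpectedSpn"
}
else {
    Write-Warning "$ExpectedSpn is not in the allowed list: $($state.AllowedTo -join ', ')"
}
```

The "specified services only" option in the snap-in populates msDS-AllowedToDelegateTo with the chosen SPNs; if the script reports the computer as unconstrained instead, the broader "Trust this computer for delegation to any service" option was selected and should be changed back.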
Please note that the service principal name syntax is not correct. It should be:
SetSPN -d http/servername(FQDN) domain\username
SetSPN -d http/servername:PORT(FQDN) domain\username
Regards,
Cor Reinhard