Please also have a look in our OnlineHelp for further information.
Target principal #
To use Kerberos transport encryption or authenticate an Active Directory user, a Kerberos Target Principal Name (TPN) is required. This can be either a User Principal Name (UPN) or a Service Principal Name (SPN).
By default, the XU Service is executed under the Local System Account.
In the AD, this user acts as a computer account. By default, the SPN is assigned to the computer account in the following form:
| field | syntax | example value |
|---|---|---|
| XU Server | [host].[domain]:[port] |
TODD.theobald.local:8064 (or localhost:8064) |
| Target Principal | HOST/[hostname]@[domain] |
HOST/TODD.theobald.local@THEOBALD.LOCAL |
The Target Principal Name must correspond either to the UPN of the user under which the XU Windows Service is running, or to an SPN assigned to this user.
Note: The Target Principal Name only needs to be changed in the Xtract Universal Designer login window if the service account of the XU Windows Service has been changed.
If the service runs under another account #
Deviating from the standard, the service can also be executed under a different account e.g. User Principal Name (UPN) or Service Principal Name (SPN).
The UPN or SPN of the Xtract Universal Windows service executes the write processes for the target environments in this context.
Accordingly, this user must have necessary write permissions for the database.
User Principal Name (UPN) #
An UPN is assigned in the following form:
| field | syntax | example value |
|---|---|---|
| XU Server | [host].[domain]:[port] |
TODD.theobald.local:8064 (or localhost:8064) |
| Target Principal | [AD-user]@[domain] |
steffan@theobald.local |
Note: After changing the user context of the Windows service, the UPN or SPN for logging in to the Xtract Universal Server must also be adjusted.
Service Principal Name (SPN) #
The service class and host name are at least required for authenticating a service instance to a logon account. In general,
Domain Admin rights are required for processing Manage Service Accounts.
When dialing into a remote server where the service is not used in the local environment, both an UPN and an SPN can be used in the following form:
| field | syntax | example value |
|---|---|---|
| XU Server | [host].[domain]:[port] |
theosoftw2012r2.theobald.local:8064 |
| Target Principal as UPN | [AD-user]@[domain] |
svc_xusrv@theobald.local |
| Target Principal as SPN | [service class]/[host]@[domain] |
HTTP/theosoftw2012r2.theobald.local@THEOBALD.LOCAL |
Note: Xtract Universal can be used as a distributed application on a central application instance in the company network using appropriate UPNs or SPNs.
All users connect to this remote server in the company network using the locally installed Xtract Universal Designer.