By default, setup uses the fully qualified host name (FQHN) of the computer where WPM is installed to access the Administrative console, portal and Web services, e.g., http://NetBIOS-Name.Domain-Name/sps. The same name is also used in the self-signed SSL certificate that setup generates during installation if no SSL certificate is available for the corresponding IIS Web site.
The default configuration is suitable for intranet scenarios. However, in some cases, especially in internet scenarios, a custom domain name such as www.site-custom-name.com is required. In this case additional configuration is needed to enable Windows authentication for all security scenarios. Internally this name is used for Kerberos authentication, and if the system is not configured properly, authentication fails with the following error:
The HTTP request is unauthorized with the client authentication scheme 'NTLM'. From the server, the authentication header 'Negotiate, NTLM' was received. ---> System.Net.WebException: The remote server returned an error: (401) Unauthorized.
This error occurs because the Kerberos configuration changed in IIS 7.0 and higher: unlike in IIS 6.0, the Service Principal Name (SPN) is required only for the IIS machine account, not for the service account.
To configure a custom domain name, perform the following steps:
- In Active Directory, configure a Service Principal Name (SPN) for the custom domain name. The Setspn.exe command-line utility can be used to configure SPNs.
By default, only members of the Domain Admins group have permission to modify SPNs.
- Run the following command to list the SPNs already registered for the machine account and make sure that the SPN HTTP/<site-custom-name> is not registered yet:
> Setspn.exe -L <myIISserver-NetBIOS-name>
- Use the following command to add a new SPN (the SPN is followed by the account it is registered on):
> Setspn -a HTTP/<site-custom-name> <myIISserver-NetBIOS-name>
Here <myIISserver-NetBIOS-name> is the IIS machine account and <site-custom-name> is the custom host/host header name of the Web site URL, for example:
> Setspn -a http/www.mysite.com <myIISserver-NetBIOS-name>
- Clear the ticket cache for the corresponding logon session using the Klist.exe command-line utility:
> klist purge
- Make sure that the custom domain name is set as the discovery host name in sps.config, i.e., the discoveryHostName attribute of the Matrix42.ServiceLayer element, e.g., discoveryHostName="www.mysite.com":
<Matrix42.ServiceLayer servicesHost="localhost" discoveryHostName="<site-custom-name>" ... />
- Make sure that an SSL certificate for the custom domain name is installed on the corresponding Web site in IIS.
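The steps above, carried out as one script (an added example, not Matrix42 tooling or documentation): it lists the SPNs on the IIS machine account, checks the forest for a duplicate HTTP SPN before registering it, purges the ticket cache, and verifies discoveryHostName in sps.config. The host name, machine account and sps.config path are assumptions to replace with your own values.

```powershell
# Added example, not part of the WPM product. Run in an elevated PowerShell session
# as a user allowed to modify SPNs (Domain Admins by default).
param(
    [string]$CustomHostName    = "www.mysite.com",                     # assumed custom site name
    [string]$IisMachineAccount = "MYIISSERVER",                        # assumed NetBIOS name of the IIS host
    [string]$SpsConfigPath     = "C:\inetpub\wwwroot\sps\sps.config"   # assumed location of sps.config
)

$spn = "HTTP/$CustomHostName"

# 1. List the SPNs currently registered on the machine account (setspn -L)
#    and check whether the HTTP SPN for the custom name is already there.
$existing = & setspn.exe -L $IisMachineAccount 2>&1
if ($LASTEXITCODE -ne 0) { throw "setspn -L $IisMachineAccount failed:`n$($existing -join "`n")" }
$alreadyRegistered = $existing | Where-Object { $_.ToString().Trim() -ieq $spn }

# 2. Query the forest for the same SPN (setspn -Q). If it is held by another
#    account, Kerberos cannot issue a ticket and clients fall back to NTLM,
#    which is exactly the Negotiate/NTLM 401 described above.
$query = & setspn.exe -Q $spn 2>&1
if (($query -match 'Existing SPN found') -and -not $alreadyRegistered) {
    throw "$spn is already registered on a different account:`n$($query -join "`n")"
}

# 3. Register the SPN on the IIS machine account. setspn -S refuses to add a
#    duplicate; the -a switch used in the steps above adds unconditionally.
if (-not $alreadyRegistered) {
    & setspn.exe -S $spn $IisMachineAccount
    if ($LASTEXITCODE -ne 0) { throw "setspn -S $spn $IisMachineAccount failed" }
}

# 4. Purge cached Kerberos tickets for this logon session so new ones are requested.
& klist.exe purge | Out-Null

# 5. Confirm that discoveryHostName on the Matrix42.ServiceLayer element matches
#    the custom host name; a mismatch here reproduces the same authentication failure.
[xml]$cfg = Get-Content -Path $SpsConfigPath
$node = $cfg.SelectSingleNode("//*[local-name()='Matrix42.ServiceLayer']")
if ($null -eq $node -or $node.discoveryHostName -ine $CustomHostName) {
    Write-Warning "discoveryHostName in $SpsConfigPath is '$($node.discoveryHostName)', expected '$CustomHostName'"
} else {
    Write-Host "SPN $spn registered on $IisMachineAccount and sps.config discoveryHostName is correct."
}
```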