Windows Authentication, GroupShare and the requirement of setting a Service Principal Name

 
 

What is Service Principal Name?

 

I could explain it here; however, I think the best source of information in this case is still Microsoft itself:

Microsoft Developer Network - Service Principal Name

 

 

What does the Service Principal Name do?

 

I will try to explain it as simply as possible :)

 

In short:

It enables you to use the Windows Authentication method with mutual Kerberos authentication (see Microsoft TechNet: What is Kerberos Authentication?).

 

More detailed:

You register a Service Principal Name (SPN) for a specific server against the service account that runs the service, so that mutual Kerberos authentication can take place.

 

To use Kerberos authentication, Windows security must be able to determine the (user) account that a service is running under. This is achieved by registering the Service Principal Name for the server and the (user) account that the service is using.

 

 

What does this have to do with GroupShare and Studio?

 
For the Windows authentication feature to work on the SDL Trados GroupShare server, you need to set a Service Principal Name (SPN) that identifies the account running the Trados GroupShare services with the Fully Qualified Domain Name (FQDN) of the web application.
 
 

Set the Service Principal Name for your GroupShare installation to enable Studio client access

 

Before you begin, you need an account that has Domain Admin permissions or has the "Validated write to service principal names" permission delegated.

 

  1. Launch an elevated command line session.
  2. Run:

     • for http:

       setspn -S http/servername serviceaccount

     • for https:

       setspn -S https/servername serviceaccount


Here, servername is the fully qualified domain name and serviceaccount is the account running the Trados GroupShare services. This is an example of what the syntax could look like:

setspn -S http/gsserver.sdl.com global\adminuser
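
One way to check the result of the registration (an added example, not part of the original article or of SDL's documentation): it looks up which account in the current domain holds the SPN and reports a missing, misplaced or duplicate registration. The SPN and account are the sample values from this page, the function name Get-SpnOwner is hypothetical, and the script assumes a domain-joined machine.

```powershell
# Added example: confirm that the GroupShare SPN is held by exactly one account,
# and that it is the intended service account. Sample values from this page.
$Spn            = 'http/gsserver.sdl.com'   # service class / FQDN of the web application
$ServiceAccount = 'adminuser'               # sAMAccountName of the service account (assumed)

function Get-SpnOwner {
    # Hypothetical helper: returns every object in the current domain
    # whose servicePrincipalName attribute contains the given SPN.
    param([Parameter(Mandatory)][string]$Spn)

    $searcher = [adsisearcher]"(servicePrincipalName=$Spn)"
    $searcher.PageSize = 1000
    [void]$searcher.PropertiesToLoad.Add('samaccountname')
    [void]$searcher.PropertiesToLoad.Add('distinguishedname')

    foreach ($result in $searcher.FindAll()) {
        [pscustomobject]@{
            SamAccountName    = [string]$result.Properties['samaccountname'][0]
            DistinguishedName = [string]$result.Properties['distinguishedname'][0]
        }
    }
}

$owners = @(Get-SpnOwner -Spn $Spn)

switch ($owners.Count) {
    0 {
        Write-Warning "$Spn is not registered on any account in this domain."
    }
    1 {
        if ($owners[0].SamAccountName -eq $ServiceAccount) {
            Write-Host "$Spn is registered once, on $ServiceAccount."
        } else {
            Write-Warning "$Spn is registered on $($owners[0].SamAccountName), not on $ServiceAccount."
        }
    }
    default {
        # The same SPN on more than one account prevents Kerberos from
        # resolving the service to a single account.
        Write-Warning "$Spn is registered on $($owners.Count) accounts:"
        $owners | Format-Table -AutoSize
    }
}

# List every SPN currently registered on the service account, as setspn sees it.
setspn -L $ServiceAccount
```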