[Version: 2022 - Spring]
[Build: 22.02.25005]
Requirements
- The IIS needs to be run as local system or network service (default)
- Actual server names must be used when accessing Targit Server and Anywhere (IP address or localhost will not work)
Computer names used in below examples
- TSERVER - Server running the TARGIT Server service
- ASERVER - Server Running the Anywhere service (in IIS)
FQDN Domain is TEST.LOCAL
Service Principle Name (SPN) setup for servers and service account
Run the following commands:
- SETSPN –A HTTP/TSERVER:1301 TEST\TSERVER
- SETSPN –A HTTP/TSERVER.TEST.LOCAL:1301 TEST\TSERVER
If dns aliases are used for either the Targit server or the anywhere server those must be registered
The SPN must be matching the address used in the browser/windows client
ex. if the brower url for anywhere is http://AW.UniversalImports.com the SPN should be set as
- SETSPN –A HTTP/AW.UniversalImports.com TEST\ASERVER
NOTE: It does not matter which account is used for the Targit Server service. The accounts used when setting SPN's must be the computer accounts
NOTE: SETSPN command parameters are not supported on Windows Server 2012 (and earlier).
Front End Server(s) trusted for delegation
- Open Active Directory Users and Computers on the domain controller
- Right click on the computer account for the front end server and select Properties.
- Left click the Delegation tab and select the radio option Trust this computer for delegation to specified services only.
- Add the TServer account and select the HTTP port 1301 server (this comes from the SPN created earlier)
- Restart the IIS server (the entire server, not just IIS).
- Repeat for each frontend server.
The following is a screenshot of the delegation tab.
TARGIT Anywhere Server targitsettings.json changes to reflect multiple servers
- Open C:\inetpub\wwwroot\TouchServer\targitsettings.json in a text editor like Notepad
- Update the server name to the value of the name the SPN is registered for in this case TSERVER or TSERVER.Test.Local
{
"TargitSettings": {
"Server": "TSERVER",
"SessionTimeout": 60
}
}
Restart the IIS server.
Change Windows Security to Negotiate TARGIT Management Studio
if you want to use "Kerberos only" change the security model in TARGIT Management
- In TARGIT Management Studio select the Security tab.
- Under the security model select Change Security Model. Change the Windows Security – Security Package to Negotiate.
Comments
Please sign in to leave a comment.