K2 Service Account
In a distributed environment where components are installed on more than one server, Kerberos security must be configured. One of the components of Kerberos is the Service Principal Name (SPN). Whenever user credentials must be passed from one system to another, the system that is attempting to pass the credentials must be trusted for delegation. For this step to take place successfully, Kerberos delegation must be configured.
Note: Configuring SPNs is an advanced task and should only be performed by an appropriately trained professional. The steps and configurations given in this help file are to be used as a guide; your system may require additional configuration due to different hardware and software compatibilities.
There are two sets of SPNs that need to be set up for the K2 Service Account:
The following placeholders are used in the commands:
- domain\K2 Service Account - The K2 Service Account that runs the K2 Service
- MachineName - The name of the computer on which the K2 Service is running
- MachineName.FQDN - The fully qualified domain name of the computer on which the K2 Service is running

Note: Be sure to set all the SPNs as listed below. Also, the service account is required, so be sure to specify the account properly. The SPNs listed below are for K2 blackpearl.

Note: If you have a K2 Server farm running on a cluster, be sure to use the name of the cluster and the fully qualified cluster name instead of a single node's machine name.
Open a command prompt on a server that has the Windows Support Tools installed, and execute the following commands:
- setspn -A K2Server/MachineName:5252 domain\K2 Service Account
- setspn -A K2Server/MachineName.FQDN:5252 domain\K2 Service Account
- setspn -A K2HostServer/MachineName:5555 domain\K2 Service Account
- setspn -A K2HostServer/MachineName.FQDN:5555 domain\K2 Service Account

Note: If you are installing K2 blackpearl on an NLB environment, the MachineName will change to the LBHostServerName.
After the commands have successfully executed, you can verify the SPNs were set by executing the following command:
- setspn -L domain\K2 Service Account
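
The verification step above, as an added example that is not part of the original K2 help: a PowerShell check that builds the four SPNs from the setspn -A commands on this page and reports which of them are missing from setspn -L output. The host name K2APP01, the domain example.local, the account EXAMPLE\K2Service and the function names are constructed for illustration.

```powershell
# Added example, not from the K2 documentation. K2APP01, example.local and
# EXAMPLE\K2Service are constructed sample values; the function names are hypothetical.

function Get-ExpectedK2Spn {
    param([string] $MachineName, [string] $Fqdn)
    # Service classes and ports as used in the setspn -A commands on this page.
    $services = [ordered]@{ K2Server = 5252; K2HostServer = 5555 }
    foreach ($class in $services.Keys) {
        foreach ($hostName in @($MachineName, $Fqdn)) {
            '{0}/{1}:{2}' -f $class, $hostName, $services[$class]
        }
    }
}

function Get-RegisteredSpn {
    param([string[]] $SetspnOutput)
    # setspn -L prints a header line followed by one indented SPN per line.
    $SetspnOutput |
        Where-Object { $_ -match '^\s+\S' } |
        ForEach-Object { $_.Trim() }
}

function Test-K2Spn {
    param([string] $MachineName, [string] $Fqdn, [string[]] $SetspnOutput)
    $registered = Get-RegisteredSpn -SetspnOutput $SetspnOutput
    foreach ($spn in Get-ExpectedK2Spn -MachineName $MachineName -Fqdn $Fqdn) {
        [pscustomobject]@{
            Spn        = $spn
            Registered = ($registered -contains $spn)  # -contains ignores case
        }
    }
}

# Constructed setspn -L output in which the K2HostServer FQDN entry is missing.
$sample = @(
    'Registered ServicePrincipalNames for CN=K2Service,OU=Service Accounts,DC=example,DC=local:'
    "`tK2Server/K2APP01:5252"
    "`tK2Server/K2APP01.example.local:5252"
    "`tK2HostServer/K2APP01:5555"
)
Test-K2Spn -MachineName 'K2APP01' -Fqdn 'K2APP01.example.local' -SetspnOutput $sample

# Against a live domain, pass the real command output instead of the sample:
# Test-K2Spn -MachineName 'K2APP01' -Fqdn 'K2APP01.example.local' `
#     -SetspnOutput (setspn -L 'EXAMPLE\K2Service')
```

For a cluster or NLB installation, pass the cluster or load-balanced host name in place of the machine name, as the notes on this page describe.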

Note: While infrastructure changes are required by K2, each environment is different and has its peculiarities which must be taken into account. Modifying the infrastructure could have unforeseen results if the changes are not appropriately understood or managed. Given the broad spectrum of underlying infrastructure utilized, it is recommended that a panel or committee with appropriate skill in each area concerned be assembled to outline the underlying infrastructure changes and gauge the impact of the required changes.