By default, in Orchestrator, the NTLM authentication protocol is used when logging in with your Active Directory credentials.
To switch to Kerberos, you must switch the application pool to NetworkService and register the Service Principal Name (SPN), which exists in Active Directory for the domain account used to run the service with which the client is authenticating.
To make this change, follow these steps:
- Open the Command Prompt.
- Change the directory to C:\Windows\System32, by using the
- Run the setspn.exe -a https://<machine> <domain account> command, where:
  - https://<machine> - represents the URL at which your Orchestrator instance is reachable, such as
  - <domain account> - represents the name or domain\name of the machine on which Orchestrator is installed, or the user account, such as
To check that Kerberos is used:
- Log in to Orchestrator using AD credentials.
- Open Event Viewer.
- Look for the Microsoft Windows security audit and select it. Details about the action are updated on the General tab.
- Under the Detailed Authentication Information section, the Logon Process should be Kerberos.
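The same check can be scripted instead of read from Event Viewer. The following is an added example, not part of the original documentation: it lists recent logon audit events with their Logon Process and Authentication Package and warns when any of them still used NTLM. It assumes an elevated PowerShell session on the Orchestrator server, that logon auditing is enabled, and that the audit event in question is Security event ID 4624 (successful logon), which the page does not name; the parameter names are hypothetical.

```powershell
# Added example: summarise recent logon audit events by authentication package
# so that NTLM fallback is visible after the switch to Kerberos.
# Assumption: event ID 4624 (successful logon) is the audit event to inspect.
param(
    [int]$Hours = 1,           # how far back to look
    [string]$UserName = ''     # optional: account name of the AD user who just logged in
)

$filter = @{
    LogName   = 'Security'
    Id        = 4624
    StartTime = (Get-Date).AddHours(-$Hours)
}

$logons = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Flatten the named <Data> fields of the event into a hashtable.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            Time         = $_.TimeCreated
            Domain       = $data['TargetDomainName']
            Account      = $data['TargetUserName']
            LogonType    = $data['LogonType']
            # The field is often padded with trailing spaces, hence Trim().
            LogonProcess = "$($data['LogonProcessName'])".Trim()
            AuthPackage  = $data['AuthenticationPackageName']
            SourceIp     = $data['IpAddress']
        }
    }

if ($UserName) {
    $logons = $logons | Where-Object { $_.Account -eq $UserName }
}

$logons | Sort-Object Time -Descending | Format-Table -AutoSize

# Any remaining NTLM logon means Kerberos was not negotiated for that session.
$ntlm = @($logons | Where-Object { $_.AuthPackage -eq 'NTLM' })
if ($ntlm.Count -gt 0) {
    Write-Warning ("{0} logon(s) still used NTLM; list the registered SPNs with 'setspn -L <domain account>'." -f $ntlm.Count)
}
```

Run it right after logging in to Orchestrator with AD credentials; a row for that account with Kerberos as the Logon Process confirms the switch.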