Blackberry PRD-10459-003 - Enterprise Server For IBM Lotus Domino Administration Manual page 269

Administration Guide
• Verify that the application server that hosts the intranet site and the web application that runs on the application
server support Kerberos™ authentication.
• Verify that you have permission to update the Microsoft® Active Directory® account in Microsoft Active
Directory.
• Verify that you have access to the Windows Server® setspn tool that is included with the Windows Server Support
Tools. For more information about the setspn tool, visit
• If you did not configure a Microsoft Active Directory account to delegate access to an intranet site or shared
folder, in Microsoft Active Directory, you must create a Microsoft Active Directory account that should have the
following conditions:
• a password that meets the security requirements of your organization
• the user is not required to change their password the next time that the user logs in
• the user's password never expires
• If you configured a pool of application servers to host the intranet site, and the pool is running on Microsoft®
IIS and is located behind a load balancer, specify a user account (also known as the identity) for the pool that
hosts the intranet site. For more information, see
10).aspx.
Configure the Microsoft Active Directory account to delegate access to an intranet
site
You are required to have only one Microsoft® Active Directory® account in each Microsoft Active Directory domain
that includes the resources that you want to turn on Integrated Windows® authentication for.
For more information about configuring the Microsoft Active Directory account using setspn and Microsoft Active
Directory, visit www.blackberry.com/btsc
1. If a pool of application servers host a intranet site and the pool is running on Microsoft® IIS and is located behind
a load-balancer, use setspn or ADSI to add the SPNs of the intranet site to the user account (also known as the
identity) of the pool. You must configure the SPNs using the FQDN and the name of the intranet site that users
type into their browsers (for example, if users type http://intranet_site in their browsers, the name of the
intranet site is intranet_site).
2. In Microsoft Active Directory, in the Microsoft Active Directory account properties, if the Delegation tab does
not display, update the default HOST SPN registrations for the Microsoft Active Directory account.
3. In the Microsoft Active Directory account properties, on the Delegation tab, configure the following settings:
• trust this user for delegation to specified services only
• use any authentication protocol
4. Click Add.
5. Perform one of the following tasks:
• If a pool of application servers hosts the intranet site and the pool is running on Microsoft IIS and is located
behind a load-balancer, select the user account that runs the application pools in the Microsoft IIS servers.
• If the intranet site is hosted by one application server, select the application server that hosts the intranet
site.
Configuring Integrated Windows authentication so that users can access resources on your
http://technet.microsoft.com
http://technet.microsoft.com/en-us/library/cc771170(WS.
to read article KB22726.
organization's network
to read Setspn Overview.
267