A service principal is the name by which a client uniquely identifies an instance of
a service, and is associated with the security principal in whose security context the
service executes. To add a service principal, you must first create a Kerberos Realm and add
a Key Distribution Center.
To add a DNS service principal for a Kerberos Realm:
- From the configuration drop-down menu, select a configuration.
- Select one of the following tabs: IP Space, DNS, Devices, TFTP, or Servers. Tabs remember the page you last worked on, so select the tab again to ensure you're on the Configuration information page.
- Select the Kerberos Realms tab. Under Kerberos Realms, click the name of a Kerberos realm.
- Click the Service Principals tab and click New.
- Under General, set the name, key version number, and password:
  - Name—enter the name for the Kerberos service principal, as defined in the User Logon name field in the Windows configuration section. The typical syntax for service principal names is primary/instance. Primary is either a username or the name of a service. Instance provides information that qualifies the primary, such as describing the intended use of the credentials for a user or the fully qualified hostname for a host. Example: DNS/<adonis server name>.example.com
  - Key Version Number—enter the msDS-KeyVersionNumber attribute value as displayed in ADSI Edit on the Windows DC for the principal’s Kerberos key. If you use the ktpass command, the key version number (vno#) value can be found in the output .keytab file.
  - Password—enter the principal’s Kerberos password. This is the AD user account password created on the Windows DC.
- Under KDCs, leave the Override Realm KDCs check box unchecked to have all available KDCs automatically assigned in order.
- Under Change Control, add comments, if required.
- Click Add.
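The Name and Key Version Number fields above both depend on values that come from the Windows side: the primary/instance form of the principal name and the kvno that ktpass writes into the output .keytab file. The following is an added example, not part of this documentation or of the product, showing how to read that kvno out of a keytab file before typing it into the form. It parses the MIT keytab format (file version 0x0502) that ktpass /out produces, splits a service principal name into its primary and instance parts, and reports the key version number stored for the principal. The realm EXAMPLE.COM, the host name dns1.example.com, the key bytes and the whole keytab byte string are constructed sample data, not output from any real domain.

```python
"""Read the key version number (kvno) for a service principal from an
MIT-format keytab file such as the one ktpass /out writes.  Added example;
the keytab bytes at the bottom are constructed, not real ktpass output."""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample values (assumptions for this example, not real domain data).
SAMPLE_REALM = "EXAMPLE.COM"
SAMPLE_SPN = "DNS/dns1.example.com"          # primary/instance form used on the page
ENCTYPE_AES256_CTS_HMAC_SHA1_96 = 18         # Kerberos etype number (RFC 3962)
ENCTYPE_RC4_HMAC = 23                        # Kerberos etype number (RFC 4757)
KRB5_NT_PRINCIPAL = 1                        # name type ktpass writes for /ptype KRB5_NT_PRINCIPAL


def split_spn(spn: str) -> Tuple[str, str]:
    """Split primary/instance (an optional @REALM suffix is dropped) into its parts."""
    name = spn.split("@", 1)[0]
    if "/" not in name:
        raise ValueError("expected primary/instance, got %r" % spn)
    primary, instance = name.split("/", 1)
    if not primary or not instance:
        raise ValueError("primary and instance must both be non-empty: %r" % spn)
    return primary, instance


@dataclass
class KeytabEntry:
    principal: str      # primary/instance@REALM
    name_type: int
    timestamp: int
    kvno: int
    enctype: int
    key: bytes


def _counted(b: bytes) -> bytes:
    """Keytab counted octet string: 16-bit big-endian length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def _read_counted(buf: bytes, pos: int) -> Tuple[str, int]:
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + n].decode("utf-8"), pos + n


def build_entry(spn: str, realm: str, kvno: int, enctype: int, key: bytes,
                timestamp: int = 0, wide_vno: bool = True) -> bytes:
    """Serialise one keytab v2 entry; used here only to build the constructed sample."""
    comps = spn.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    for c in comps:
        body += _counted(c.encode())
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    if wide_vno:
        body += struct.pack(">I", kvno)   # optional 32-bit vno; needed once kvno > 255
    return struct.pack(">i", len(body)) + body


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Walk every entry of a keytab in file format version 0x0502."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:                      # a negative size marks a deleted slot
            pos += -size
            continue
        e = data[pos:pos + size]
        pos += size
        (ncomp,) = struct.unpack_from(">H", e, 0)
        realm, p = _read_counted(e, 2)
        comps = []
        for _ in range(ncomp):
            c, p = _read_counted(e, p)
            comps.append(c)
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", e, p)
        p += 9
        enctype, keylen = struct.unpack_from(">HH", e, p)
        p += 4
        key = e[p:p + keylen]
        p += keylen
        kvno = vno8
        if p + 4 <= len(e):               # 32-bit vno, if present and non-zero, wins
            (vno32,) = struct.unpack_from(">I", e, p)
            if vno32:
                kvno = vno32
        entries.append(KeytabEntry("/".join(comps) + "@" + realm, name_type,
                                   timestamp, kvno, enctype, key))
    return entries


def kvno_for_principal(data: bytes, spn: str, realm: str) -> Optional[int]:
    """kvno recorded for spn@realm, or None.  One entry per enctype normally
    shares the same kvno; the highest is reported in case of a stale leftover."""
    primary, instance = split_spn(spn)
    want = f"{primary}/{instance}@{realm}"
    kvnos = [e.kvno for e in parse_keytab(data) if e.principal == want]
    return max(kvnos) if kvnos else None


# Constructed sample keytab: the DNS principal at kvno 3 with two enctypes, plus an
# unrelated host principal at kvno 7.  Keys are dummy byte patterns, not real keys.
SAMPLE_KEYTAB = (
    b"\x05\x02"
    + build_entry(SAMPLE_SPN, SAMPLE_REALM, 3, ENCTYPE_AES256_CTS_HMAC_SHA1_96, bytes(range(32)))
    + build_entry(SAMPLE_SPN, SAMPLE_REALM, 3, ENCTYPE_RC4_HMAC, bytes(range(16)), wide_vno=False)
    + build_entry("host/other.example.com", SAMPLE_REALM, 7, ENCTYPE_AES256_CTS_HMAC_SHA1_96, bytes(32))
)

if __name__ == "__main__":
    print("kvno for", SAMPLE_SPN, "=", kvno_for_principal(SAMPLE_KEYTAB, SAMPLE_SPN, SAMPLE_REALM))
```

To use it on a real file, replace SAMPLE_KEYTAB with the bytes read from the .keytab that ktpass produced and pass the principal exactly as entered in the Name field; the value it returns is the one to compare against msDS-KeyVersionNumber in ADSI Edit before filling in the Key Version Number field, since a mismatch between the two is the usual reason a keytab-based service principal fails to authenticate.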