Kerberos-SPN
Document Sample


Service Accounts and Kerberos SPNs

The original table has four columns: Service Account Name, Account Purpose, Configuration Specifics and Kerberos SPN. Each entry below lists those columns for one account. Kerberos SPNs are written in the form <service>/<server name or url>:<port> <account>.

<domain>\prodsql - Production SQL Server service account
  Purpose: Used to run SQL Server services.
  Configuration: Domain user account. For the SPN you have to provide the end point; this will not be the alias, but the server name. Most documentation did say you can use the alias, but this did not work in my case.
  Kerberos SPN:
    MSSQLSvc/<server name>.martinogorman.local:1433  <domain>\prodsql
    MSSQLSvc/<server name>:1433  <domain>\prodsql
    MSSQLSvc/<server name>.martinogorman.local  <domain>\prodsql
    MSSQLSvc/<server name>  <domain>\prodsql
  For the mirror, if used:
    MSSQLSvc/<server name>.martinogorman.local:1433  <domain>\prodsql
    MSSQLSvc/<server name>:1433  <domain>\prodsql
    MSSQLSvc/<server name>.martinogorman.local  <domain>\prodsql
    MSSQLSvc/<server name>  <domain>\prodsql

<domain>\prodsync - UPS Sync account
  Purpose: Used by the Active Directory service to synchronize user profile properties.
  Configuration: Domain user account. Requires specific permissions to AD. Used when connecting to AD with the Sync service. Please read NOTE1.

<domain>\prodsetup - SharePoint setup account
  Purpose: Used to install SharePoint (setup.exe and the configuration wizard).
  Configuration: Domain account, a member of the Administrators group on each server on which Setup is run, a SQL Server login on the computer that runs SQL Server, and a member of the following SQL Server security roles: securityadmin and dbcreator.

<domain>\prodfarm - SharePoint server farm account
  Purpose: Used to configure and manage the server farm and act as the application pool identity for the SharePoint Central Administration Web site.
  Configuration: Domain account (additional permissions are automatically granted for the server farm account on Web servers and application servers that are joined to a server farm). This account needs local admin rights during the setup of the FIM services. You MUST log in as this account during setup of the FIM (user profile sync) service.

<domain>\prodserviceapp - General SharePoint app service account
  Purpose: Used for service applications that do not require a specific account.
  Configuration: Full control over the User Profile service application (i.e. it is an administrator of the User Profile service).

<domain>\prodcrawl - SharePoint search application pool and service account
  Purpose: Used to read SharePoint content and run the application.
  Configuration: Requires read-only access to content sources.

<domain>\prodprofile - SharePoint User Profile Service application account
  Purpose: For UPS applications that do not require a specific account.
  Configuration: Domain account.
  Kerberos SPN:
    HTTP/people.martinogorman.co.uk  <domain>\prodprofile
    HTTP/people  <domain>\prodprofile
    (The general SharePoint app service account or this account can be used, depending on architecture.)
    Not required for initial setup; only required if needed.

<domain>\prodmms - SharePoint managed metadata service account
  Purpose: For MMS applications that do not require a specific account.
  Configuration: Domain account.

<domain>\prodbcs - SharePoint Business Connectivity Service application account
  Purpose: Specific managed service account for BCS.
  Configuration: Used for the service and for the BCS entities.

<domain>\prodweb - SharePoint application pool account
  Purpose: Application pool account for the Insite Intranet.
  Configuration: Domain account.
  Kerberos SPN:
    HTTP/website.martinogorman.co.uk  <domain>\prodweb
    HTTP/website  <domain>\prodweb

<domain>\prodteam - SharePoint application pool account
  Purpose: Application pool account for the Insite Team Sites.
  Configuration: Domain account.
  Kerberos SPN:
    HTTP/teamsites.martinogorman.co.uk  <domain>\prodteam
    HTTP/teamsites  <domain>\prodteam

<domain>\SharepointAdmin - SharePoint administration accounts
  Configuration: Domain account. Member of the farm admins. Additional permissions are automatically granted for the server farm account on Web servers and application servers that are joined to a server farm. The server farm account is automatically added as a SQL Server login on the computer that runs SQL Server. The account is added to the following SQL Server security roles: dbcreator fixed server role, securityadmin fixed server role, and db_owner fixed database role for all SharePoint databases in the server farm.

<domain>\superreader - cache account
  Configuration: Read control policy on web applications. Needs to be a domain user. Never log in to SharePoint with this account.

<domain>\superuser - cache account
  Configuration: Full control policy on web applications. Needs to be a domain user. Never log in to SharePoint with this account.

<domain>\perform
  Purpose: Required for performance testing.
  Configuration: Needs server access to obtain counters. Needs to be a domain user as well.
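As an added example (not part of the original document), the following PowerShell registers the SPNs listed above with setspn, querying first so that an SPN already held by another account is reported instead of duplicated, since a duplicate SPN breaks Kerberos for that service and clients silently fall back to NTLM. The NetBIOS domain name and the SQL host name are placeholders; the script assumes a domain-joined host with setspn.exe and an operator allowed to write servicePrincipalName on these accounts.

```powershell
# Added example, not from the original document: register the table's SPNs
# safely. $Domain and $SqlServer are placeholders to replace before use.
$Domain    = 'MARTINOGORMAN'   # placeholder: NetBIOS domain name
$SqlServer = 'SQLHOST'         # placeholder: the real host name, not a DNS alias

# The document stresses that the SPN must carry the server name, not an alias.
# Assumption: an alias (CNAME) resolves to a HostName different from the FQDN.
$canonical = [System.Net.Dns]::GetHostEntry($SqlServer).HostName
if ($canonical -ne "${SqlServer}.martinogorman.local") {
    Write-Warning "$SqlServer resolves to $canonical; use the server name, not an alias"
}

# SPN -> account, as listed in the Kerberos SPN column above.
$SpnMap = [ordered]@{
    "MSSQLSvc/${SqlServer}.martinogorman.local:1433" = "${Domain}\prodsql"
    "MSSQLSvc/${SqlServer}:1433"                     = "${Domain}\prodsql"
    "MSSQLSvc/${SqlServer}.martinogorman.local"      = "${Domain}\prodsql"
    "MSSQLSvc/${SqlServer}"                          = "${Domain}\prodsql"
    'HTTP/people.martinogorman.co.uk'                = "${Domain}\prodprofile"
    'HTTP/people'                                    = "${Domain}\prodprofile"
    'HTTP/website.martinogorman.co.uk'               = "${Domain}\prodweb"
    'HTTP/website'                                   = "${Domain}\prodweb"
    'HTTP/teamsites.martinogorman.co.uk'             = "${Domain}\prodteam"
    'HTTP/teamsites'                                 = "${Domain}\prodteam"
}

foreach ($spn in $SpnMap.Keys) {
    $account = $SpnMap[$spn]
    $sam     = $account.Split('\')[-1]
    # setspn -Q searches the forest for an existing registration of this SPN.
    $query = setspn -Q $spn
    if ($query -match 'Existing SPN found') {
        $owner = ($query | Where-Object { $_ -like 'CN=*' }) -join ', '
        if ($owner -like "*CN=$sam,*") {
            Write-Host "$spn is already registered on $account, skipping"
        } else {
            Write-Warning "$spn is registered on $owner, not $account; resolve before continuing"
        }
        continue
    }
    # setspn -S adds the SPN only after verifying that no duplicate exists.
    setspn -S $spn $account
}

# Show what each account now holds, then run the forest-wide duplicate scan.
$SpnMap.Values | Sort-Object -Unique | ForEach-Object { setspn -L $_ }
setspn -X
```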