Change Service Account
This page shows how to run the Xtract Universal service under a dedicated Windows domain user account. After the installation, the Xtract Universal service runs under a virtual service account by default.
The following scenarios require the service to run under a dedicated Windows domain user account:
- Enabling Kerberos authentication for the Xtract Universal web server
- Enabling Windows authentication for an Xtract Universal destination that allows Windows credentials for logon, e.g., SQL Server destination, PostgreSQL destination
- Enabling SSO with Kerberos SNC
- Enabling SSO with SAP Logon Tickets
Basic Settings
- Create a Windows AD service account and assign an SPN (Service Principal Name) to the service account in the following format: HTTP/[FQDN of XU Server].
  Tip: Use the setspn command to check the SPNs of a user account.
- Grant access rights to the installation folder of Xtract Universal and all subfolders to the service account as shown in the following screenshot:
- If applicable, make sure the service account has Read access to the private key of the X.509 certificate used by Xtract Universal.
- Let the Xtract Universal service run under the service account. Make sure to use the correct domain, e.g., .company.local instead of .company.com.
- In the Xtract Universal Designer startup window "Connect to Xtract Universal Server", set Authentication to Windows credentials or Custom Credentials (Kerberos authentication).
- Enter the User Principal Name (UPN) of the service account in the Target Principal field. For more information, see Knowledge Base Article: Target Principal Field.
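The following read-only check covers the SPN, service logon and folder permission steps above. It is an added example, not part of the original documentation. The account name, FQDN, service name and installation folder are placeholders (assumptions) that must be replaced with the values of your environment.

```powershell
# Added example: every value in this block is a placeholder (assumption).
$Account     = 'COMPANY\svc-xu'                   # hypothetical service account
$Fqdn        = 'xu-server.company.local'          # hypothetical FQDN of the XU server
$ServiceName = '<Xtract Universal service name>'  # look it up in services.msc
$InstallDir  = '<Xtract Universal installation folder>'

$Spn = "HTTP/$Fqdn"

# 1. The SPN must be listed on the service account ...
$listed       = & setspn.exe -L $Account 2>&1
$spnOnAccount = [bool]($listed | Select-String -SimpleMatch -Pattern $Spn)

# ... and on no other account. setspn -Q prints one "CN=..." line per
# account that holds the SPN; more than one holder breaks Kerberos.
$holders = @(& setspn.exe -Q $Spn 2>&1 | Where-Object { "$_" -match '^CN=' })

# 2. The service must log on as the service account.
#    StartName holds the configured logon account of a Windows service.
$svc           = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
$runsAsAccount = [bool]($svc -and ($svc.StartName -ieq $Account))

# 3. The account needs an allow entry on the installation folder.
#    Rights granted only through a group do not show up in this filter.
$aces = (Get-Acl -LiteralPath $InstallDir).Access | Where-Object {
    $_.IdentityReference.Value -ieq $Account -and
    $_.AccessControlType -eq 'Allow'
}

# Summary: review every line that is False, empty or unexpected.
[pscustomobject]@{
    Spn            = $Spn
    SpnOnAccount   = $spnOnAccount
    SpnHolders     = $holders -join '; '
    DuplicateSpn   = $holders.Count -gt 1
    ServiceLogonAs = $svc.StartName
    RunsAsAccount  = $runsAsAccount
    FolderRights   = ($aces.FileSystemRights | Sort-Object -Unique) -join ', '
    InheritedOnly  = [bool]($aces -and -not ($aces | Where-Object { -not $_.IsInherited }))
} | Format-List
```

If the service logon is configured in UPN notation, ServiceLogonAs shows that form and RunsAsAccount is False even though the account is correct; compare the two values by eye in that case.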
Settings for SSO with Kerberos SNC
When using SSO with Kerberos SNC, additional steps are necessary:
- Set constrained delegation for the Windows domain account under which the Xtract Universal Service runs.
- Enter the SPN of the service account under which the SAP ABAP application server is running (SAP Service Account), e.g., SAPServiceERP/do_not_care.
For more information about the partner name notation in SAP, see the SAP Help: Preparing the Primary Application Server Instance.
Related Links
- Microsoft Documentation: About Service Logon Accounts
- Microsoft Documentation: Service Principal Names
- Knowledge Base Article: Target Principal Field