Target Principal Field (TPN)
The following article describes how to use the Target Principal field when connecting the Xtract Universal Designer to an Xtract Universal Server.
The use of a Target Principal Name (TPN) is required to use Kerberos transport encryption or to authenticate Active Directory users. The Target Principal Name (TPN) can be either a User Principal Name (UPN) or a Service Principal Name (SPN).
Note
The Target Principal Name only needs to be changed in the Xtract Universal Designer login screen if the service account of the Xtract Universal Windows service is changed.
About Target Principal Name (TPN)
By default, the Xtract Universal Service is executed under the Local System Account.
In Active Directory (AD), this account acts as the computer account. When connecting to a remote server, i.e. when the service does not run on the local machine, either a UPN or an SPN can be used in the following form:
Field | Syntax | Example |
---|---|---|
XU Server | [host].[domain]:[port] | theosoftw2012r2.theobald.local:8064 |
Target Principal as UPN | [AD-user]@[domain] | svc_xusrv@theobald.local |
Target Principal as SPN | [service class]/[host]@[domain] | HTTP/theosoftw2012r2.theobald.local@THEOBALD.LOCAL |
The Target Principal Name must correspond either to the UPN of the user under which the Xtract Universal Windows service is running, or to an SPN assigned to this user. The write processes for the target environments are executed in the context of this UPN or SPN.
Accordingly, this user must have the necessary write permissions for the database.
Note
Xtract Universal can be used as a distributed application on a central application instance in the company network using appropriate UPNs or SPNs.
All users connect to this remote server in the company network using the locally installed Xtract Universal Designer.
Example
User Principal Name (UPN)
A User Principal Name identifies users in a domain. For more information, see Microsoft Documentation: User Principal Name. A UPN is assigned in the following form:
Field | Syntax | Example |
---|---|---|
XU Server | [host].[domain]:[port] | TODD.theobald.local:8064 (or localhost:8064) |
Target Principal | [AD-user]@[domain] | steffan@theobald.local |
Note
After changing the user context of the Windows service, the UPN or SPN for logging in to the Xtract Universal Server must also be adjusted.
Follow the steps below to configure the service to run under a UPN:
- Open Windows Services (Local).
- Right-click the Xtract Universal service to open the service Properties.
- Open the Log On tab and switch to This Account.
- Click [Browse] to look up Windows AD users.
- Click [Locations] and select Entire Directory.
- Select an existing UPN or SPN and confirm with [OK].
- Apply the changes by restarting the Xtract Universal service.
- Adjust the UPN in the Target Principal field when logging on to the Xtract Universal Designer.
Service Principal Name (SPN)
A Service Principal Name is an identifier for services within an authentication domain. For more information, see Microsoft Documentation: Service Principal Names. An SPN is assigned in the following form:
Field | Syntax | Example |
---|---|---|
XU Server | [host].[domain]:[port] | TODD.theobald.local:8064 (or localhost:8064) |
Target Principal | HOST/[hostname]@[domain] | HOST/TODD.theobald.local@THEOBALD.LOCAL |
The service class and host name are required for authenticating a service instance to a logon account. Domain Admin rights are required for processing Manage Service Accounts in Active Directory Users and Computers.
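The requirement that the Target Principal match the service account's UPN or one of its SPNs can be checked before logging in. The following PowerShell script is an added example, not part of the Xtract Universal product or its documentation. It assumes a domain-joined machine, and both the service display-name filter and the sample Target Principal are placeholders to adjust.

```powershell
# Added example: verify that the Target Principal entered in the Designer
# matches the account the Windows service actually runs under.
param(
    # Value typed into the Target Principal field (sample value, adjust)
    [string]$TargetPrincipal = 'svc_xusrv@theobald.local',
    # Assumed display-name filter for the service (adjust to your installation)
    [string]$ServiceFilter   = "DisplayName LIKE 'Xtract Universal%'"
)

$svc = Get-CimInstance Win32_Service -Filter $ServiceFilter | Select-Object -First 1
if (-not $svc) { throw "No service matches filter: $ServiceFilter" }

# StartName is e.g. 'LocalSystem', 'DOMAIN\user' or 'user@domain'
$start = $svc.StartName
switch -Regex ($start) {
    # LocalSystem and NetworkService authenticate on the network as the computer account
    '^(LocalSystem|NT AUTHORITY\\NetworkService)$' { $ldap = "(sAMAccountName=$env:COMPUTERNAME`$)"; break }
    '^[^\\]+\\(.+)$'                               { $ldap = "(sAMAccountName=$($Matches[1]))"; break }
    default                                        { $ldap = "(userPrincipalName=$start)" }
}

# Look up the account in AD (ADSI searcher, no RSAT module required)
$searcher = [adsisearcher]$ldap
$searcher.PropertiesToLoad.AddRange([string[]]@('userPrincipalName', 'servicePrincipalName'))
$entry = $searcher.FindOne()
if (-not $entry) { throw "Account for '$start' not found in Active Directory" }

$upns = @($entry.Properties['userprincipalname'])
$spns = @($entry.Properties['serviceprincipalname'])

if ($TargetPrincipal -match '/') {
    # SPN form [service class]/[host]@[domain]: AD stores SPNs without the @DOMAIN suffix
    $candidate = $TargetPrincipal -replace '@[^@]+$', ''
    $ok = $spns -contains $candidate
} else {
    # UPN form [AD-user]@[domain]; -contains compares case-insensitively
    $ok = $upns -contains $TargetPrincipal
}

[pscustomobject]@{
    Service         = $svc.Name
    RunsAs          = $start
    TargetPrincipal = $TargetPrincipal
    Matches         = $ok
    RegisteredSPNs  = $spns -join ', '
}
```

If `Matches` is `False` after the service account was changed, update the Target Principal field in the Designer login screen to one of the values reported for the account.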
Windows Service does not Start
When a service does not start, configure the service to use a user account with the following rights:
- Local Security Policy > Local Policies > User Rights Assignment: Log on as a service
- Permissions for the installation folder and subfolders: Modify
- HTTP URL Access Control List (URL ACL) reservation, e.g.:
  netsh http add urlacl url=https://+:80/MyUri user=DOMAIN\user
Related Links
- Microsoft Documentation: User Principal Name
- Microsoft Documentation: Service Principal Names
- Enable Secure Network Communication (SNC) via X.509 Certificate