Using the Microsoft Service Identity Policy

Learn how to use the Microsoft Service Identity Policy to specify the SPN/UPN for a physical service or virtual service that requires Kerberos authentication.

Introduction

The Microsoft Service Identity Policy is an Intermediary for Microsoft operational policy that is installed to the Policy Manager Management Console as part of the Intermediary for Microsoft product installation.

With this policy, you can specify the SPN/UPN for a physical service or virtual service that requires Kerberos authentication. The API gateway will overwrite the service endpoint identity in the WSDL with the value from this policy.

For installation instructions, see the "Chapter 3: Installing Akana Intermediary for Microsoft Policy Manager Policy" section of the Akana Intermediary for Microsoft® Install Guide.

Configuration

Let's take a quick walkthrough of the Microsoft Service Identity Policy configuration process to get you started.

Step 1: Add Policy

You can create a Microsoft Service Identity Policy instance using Add Policy in the Policies > Operational Policies section. The summary screen will look like this:

Step 2: Modify Policy

When you Modify the Microsoft Service Identity Policy on the Policy Details page the initial policy will look like this:

Step 3: Configure Policy

Configure the Microsoft Service Identity Policy as follows:

User Principal Name

User principal name (UPN) lets you specify the user that this service is running under. In a Windows security use case, the consumer must communicate with the service using this identity as the service identity.

  • Username—Enter the username that this service is running under. This is typically an Active Directory user or a local Windows Server account.
  • Domain—Enter the domain that this user is a part of. If the user is a local Windows Server account, enter the hostname of that Windows Server machine.

Service Principal Name

Service principal name lets you specify the service principal name (SPN) that this service is running under. In a Windows security use case, the consumer must communicate with the service using this SPN.

  • Service Principal Name—Enter the SPN that this service is running under. This SPN must be registered in Active Directory and mapped to the Windows identity that the service is running under.
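The UPN and SPN settings only work together when the SPN is registered once and on the same account that you enter as Username and Domain. The following PowerShell script is an added example for checking that in Active Directory before you save the policy; it is not part of the Akana documentation or product. The SPN, account name and domain are constructed placeholders, and it assumes the ActiveDirectory module (RSAT) is installed on the machine where you run it.

```powershell
# Added example, not part of the Akana documentation: confirm that the SPN you
# will enter in the Microsoft Service Identity Policy is registered exactly once
# and is held by the account you will enter as User Principal Name.
Import-Module ActiveDirectory

$Spn      = 'HTTP/svc-host.example.local'   # placeholder SPN the service runs under (assumption)
$Username = 'svc_intermediary'              # placeholder account the service runs under (assumption)
$Domain   = 'example.local'                 # placeholder AD domain of that account (assumption)

# Escape LDAP filter metacharacters so the SPN is matched literally (backslash first).
$escaped = $Spn.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')

# 1. Which directory objects hold this SPN? Kerberos needs exactly one holder:
#    zero means the KDC cannot issue a service ticket, two or more is a duplicate SPN.
$holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$escaped)" `
                          -Properties sAMAccountName, servicePrincipalName)

if ($holders.Count -eq 0) {
    Write-Warning "SPN '$Spn' is not registered on any object in the domain."
} elseif ($holders.Count -gt 1) {
    Write-Warning ("SPN '$Spn' is registered on {0} objects (duplicate SPN): {1}" -f
        $holders.Count, ($holders.sAMAccountName -join ', '))
} else {
    Write-Output "SPN '$Spn' is held by: $($holders[0].sAMAccountName)"
}

# 2. Does the account you will enter as Username/Domain actually hold that SPN?
#    A mismatch here is the typical cause of the errors mentioned in Step 5.
$account = Get-ADUser -Identity $Username -Server $Domain `
                      -Properties UserPrincipalName, ServicePrincipalName

if ($account.ServicePrincipalName -contains $Spn) {
    Write-Output "OK: $($account.UserPrincipalName) holds '$Spn'; the UPN and SPN settings agree."
} else {
    $registered = if ($account.ServicePrincipalName) { $account.ServicePrincipalName -join ', ' } else { '<none>' }
    Write-Warning "Account '$Username' does not hold '$Spn'. SPNs registered on it: $registered"
}
```

If the service runs under a computer identity (for example Network Service), the SPN lives on the computer object; replace `Get-ADUser` with `Get-ADComputer` and use the machine name as the account. For a local Windows Server account, as the Domain field describes, there is no directory object to check, so only the first part of the script applies.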

Step 4: Attach Policy

After you have saved your policy, you can attach it to an Intermediary for Microsoft virtual service in Policy Manager. Alternatively, attach the policy at the Organization level, in which case it is active for all services defined within that organization.

Step 5: Test Policy

After you have attached the Microsoft Service Identity Policy to a service, send a request to your service and view the results in your client. You can also go to the Services > Monitoring section to view the results for Logs (View Usage Record Details), Real Time Charts, and Historical Charts.

If you receive errors, review the log information for details. In most cases, errors are caused by specifying the wrong value in the Microsoft Service Identity Policy. Update the policy and retry.