The Service Principal Name

Each server instance must register a unique service principal name (SPN) to identify itself, and the client must specify the same SPN when it connects to the server.

An SPN for an instance of SPSS® Modeler Server has the form:

     modelerserver/<host>:<port>

For example:

     modelerserver/jdoemachine.spss.com:28054

Note that the host name must be qualified with its DNS domain (spss.com in this example), and the domain must map to the Kerberos realm.

The combination of host name and port number makes the SPN unique, because each instance on a given host must listen on a different port. Both client and server already have the host name and port number, so each can construct the appropriate SPN for the instance. The additional configuration step required is to register the SPN in the Kerberos database.

Registering the SPN on Windows

If you are using Active Directory as your Kerberos implementation, use the setspn command to register the SPN. To run this command, the following conditions must be satisfied:

  • You must be logged on to a domain controller
  • You must run the command prompt with elevated privileges (run as administrator)
  • You must be a member of the Domain Admins group (or have had the appropriate permission delegated to you by a domain administrator)

For the default instance, listening on the standard port (28054, for example) and running under the Local System account, you must register the SPN against the server computer name. For example:

     setspn -s modelerserver/jdoemachine.spss.com:28054 jdoemachine

For each subsequent (profile) instance, listening on a custom port (for example, 29000) and running under an arbitrary user account (for example, jdoe) with the option start_process_as_login_user set to Y, you must register the SPN against the service user account name:

     setspn -s modelerserver/jdoemachine.spss.com:29000 jdoe

Note that in this case (when the service account is other than Local System), registering the SPN is not sufficient to enable a client to connect. Additional configuration steps are described in the next section.

To see which SPNs are registered to the account jdoe:

     setspn -l jdoe

Registering the SPN on UNIX

If you are using Active Directory as your Kerberos implementation, you can use the setspn command as described in the previous Windows section; this assumes you have already created the computer or user account in the directory. Alternatively, you can use ktpass, as illustrated in Configuring IBM SPSS Modeler Server on UNIX and Linux.

If you are using some other Kerberos implementation, then use the Kerberos administration tool to add the service principal to the Kerberos database. To convert the SPN to a Kerberos principal you must append the name of the Kerberos realm. For example:

     modelerserver/jdoemachine.spss.com:28054@MODELERSSO.COM

Add this same principal and password to the server's keytab. The keytab must contain an entry for every instance running on the host.
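
The following script is an added example, not part of the IBM documentation. It builds the expected principal for each instance and reports any that have no entry in a keytab listing. It assumes the listing is in the format printed by MIT Kerberos `klist -k`; the function names, the sample listing and the keytab path are constructed for illustration.

```shell
#!/bin/sh
# Added example (not IBM code): check that a keytab lists a principal for
# every SPSS Modeler Server instance running on a host.

# build_principal HOST PORT REALM
# Prints modelerserver/<host>:<port>@<REALM>; rejects an unqualified host name.
build_principal() {
    case "$1" in
        *.*) ;;
        *) echo "host '$1' is not qualified with its DNS domain" >&2
           return 1 ;;
    esac
    printf 'modelerserver/%s:%s@%s\n' "$1" "$2" "$3"
}

# missing_keytab_entries HOST REALM PORT...
# Reads `klist -k` output on stdin and prints each expected principal that
# has no keytab entry. Prints nothing when every instance is covered.
missing_keytab_entries() {
    host=$1 realm=$2
    shift 2
    # Entry lines have two fields: a numeric KVNO, then the principal.
    present=$(awk 'NF == 2 && $1 ~ /^[0-9]+$/ { print $2 }')
    for port in "$@"; do
        want=$(build_principal "$host" "$port" "$realm") || return 1
        # Exact, whole-line match: a different port is a different principal.
        printf '%s\n' "$present" | grep -Fxq -- "$want" || printf '%s\n' "$want"
    done
}

# Constructed sample listing; the keytab path is a placeholder. The same
# principal appears twice because klist prints one line per stored key.
SAMPLE_KLIST='Keytab name: FILE:/path/to/modeler.keytab
KVNO Principal
---- ------------------------------------------------------------
   2 modelerserver/jdoemachine.spss.com:28054@MODELERSSO.COM
   2 modelerserver/jdoemachine.spss.com:28054@MODELERSSO.COM'

# Instances from this page: default on 28054, profile instance on 29000.
check_sample() {
    printf '%s\n' "$SAMPLE_KLIST" |
        missing_keytab_entries jdoemachine.spss.com MODELERSSO.COM 28054 29000
}
check_sample
```

On a server, pipe the real listing in instead of the sample: `klist -k <keytab> | missing_keytab_entries <host> <REALM> <port>...`.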