Deciding which accounts to assign the SPNs to

You must decide which Active Directory account to assign a Domino® server's SPNs to. The Domino® server must log on under this account as a Microsoft Windows service.

About this task

Best practice is to assign SPNs to a separate, named account in Active Directory. In this case, the account must be a member of the local administrators group on the Domino® server computer.

In some scenarios, you can instead assign SPNs to the default account that was created for a Domino® computer when it was registered in Active Directory. In Active Directory this account name is the computer name (for example, domino1); on the computer it is referred to as the Local System account. Using the Local System account can be a viable strategy if there is not already a named account that can be used, or if your Windows administrator does not want to add a named account to Active Directory.

Proper Windows single sign-on operation requires that a specific SPN be assigned to one Active Directory account only. If Web clients can access two or more Domino® servers through one URL, you must assign the SPN associated with that URL to one account that the Domino® servers share and not to a server's default Local System account.

For example, if a load balancer distributes requests for www.renovations.com to either server domino1 or server domino2, you must assign an SPN for www.renovations.com to a named account in Active Directory that both servers use to log on to Active Directory, and not to a Local System account.

You must assign SPNs to a named account rather than the Local System account if:

  • your SSO environment uses an IP sprayer to load balance requests among Domino® servers;
  • your SSO environment is configured through a Web Site document in which multiple Domino® servers listed in the "Domino servers that host this site" field share a single host listed in the "Host names or addresses mapped to this site" field.
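The following PowerShell check is added here as an example and is not part of the Domino documentation. It applies the rule above: it looks up every Active Directory account that holds the SPN for a Web site host and fails if the SPN is on more than one account, or on a computer (Local System) account while several Domino servers answer for that host. It assumes the ActiveDirectory module from RSAT and the HTTP/hostname SPN form (the page does not state the SPN format); the host and server names are the page's own examples.

```powershell
Import-Module ActiveDirectory

function Test-DominoSsoSpn {
    param(
        [Parameter(Mandatory)] [string]   $HostName,       # host in the URL clients use
        [Parameter(Mandatory)] [string[]] $DominoServers   # Domino servers that answer for that host
    )
    $spn = "HTTP/$HostName"   # assumed SPN form for the Web host

    # All AD objects (user or computer accounts) that carry this SPN
    $holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)")

    if ($holders.Count -eq 0) {
        Write-Warning "$spn is not assigned to any Active Directory account"
        return $false
    }
    if ($holders.Count -gt 1) {
        # Windows SSO requires one SPN on exactly one account; duplicates break Kerberos
        Write-Warning ("$spn is assigned to {0} accounts: {1}" -f $holders.Count, ($holders.Name -join ', '))
        return $false
    }

    $holder = $holders[0]
    # A computer object is the server's default Local System account; that is only
    # acceptable when a single Domino server answers for the host
    if ($holder.ObjectClass -eq 'computer' -and $DominoServers.Count -gt 1) {
        Write-Warning ("$spn is on computer account {0}, but {1} servers share host {2}; assign it to a named account that all of them log on with" -f $holder.Name, $DominoServers.Count, $HostName)
        return $false
    }

    Write-Host ("$spn is assigned to exactly one account: {0} ({1})" -f $holder.Name, $holder.ObjectClass)
    return $true
}

# The page's scenario: a load balancer sends www.renovations.com to domino1 or domino2
Test-DominoSsoSpn -HostName 'www.renovations.com' -DominoServers 'domino1', 'domino2'
```

As a domain-wide cross-check, `setspn -X` lists every SPN that is registered on more than one account.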