Using the Microsoft Service Identity Policy
Learn how to use the Microsoft Service Identity Policy to specify the SPN/UPN for a physical service or virtual service that requires Kerberos authentication.Managing Policies Intermediary for Microsoft Policies
Table of Contents
The "Microsoft Service Identity Policy" is an Intermediary for Microsoft operational policy that is installed to the Policy Manager Management Console as part of the Intermediary for Microsoft product installation.
With this policy, you can specify the SPN/UPN for a physical service or virtual service that requires Kerberos authentication. The API gateway will overwrite the service endpoint identity in the WSDL with the value from this policy.
To install this policy, see Chapter 3: Installing SOA Software Intermediary for Microsoft Policy Manager Policy section of the SOA Software Intermediary for Microsoft® Install Guide for installation instructions.
Let's take a quick walkthrough of the Microsoft Service Identity Policy configuration process to get your started.
Step 1: Add Policy
You can create a Microsoft Service Identity Policy instance using Add Policy in the Policies > Operational Policies section. The summary screen will look like this:
Step 2: Modify Policy
When you Modify the Microsoft Service Identity Policy on the Policy Details page the initial policy will look like this:
Step 3: Configure Policy
Configure the Microsoft Service Identity Policy as follows:
User Principal Name
User principal name (UPN) let's you specify the user that this service is running under. In a Windows security use case, the consumer must communicate with the service using this identity as the service identity.
- Username - Enter the username that this service is running under. This is typically an Active Directory user or a local Windows Server account.
- Domain - Enter the domain that this user is a part of. If the user is a local Windows Server account, enter the hostname of that Windows Server machine.
Service Principal Name
Service principal name let's you specify the Service principal name (SPN) that this service is running under. In a Windows security use case, the consumer must communicate with the service using this service principal name.
- Service principal Name - Enter the SPN that this service is running under. This SPN be registered and mapped to the Windows identity that the service is running under.
Step 4: Attach Policy
After you have saved your policy you can attach it to an Intermediary for Microsoft virtual Service in Policy Manager or you can attach the policy at the Organization level and the policy will be active for all services defined within the organization.
Step 5: Test Policy
After you attached the Microsoft Service Identity Policy to a service, send a request to your service and view the results in your client. You can also go to the Services > Monitoring section to view the results for Logs (i.e., View Usage Record Details), Real Time Charts, and Historical Charts. Refer to the Policy Manager Online Help (i.e., Help button) for more information on the using the monitoring functions.
If you receive errors, review the log information for details. In most cases, errors are typically associated with specifying the wrong value for the Microsoft Service Identity Policy. Update the policy and retry.
For use case information on this policy refer to the following topic on the Akana Customer Support site: