For the Kerberos KDC ("Key Distribution Center") to authenticate users to the Gateway server, the gateway service must be registered with the KDC by running setspn, passing the hostname of the server on which the gateway runs as the account ('user') argument of the setspn command.
Configure an additional DNS entry for your Gateway server
In order for this configuration to work, you must have a separate DNS entry for your Gateway Server as well.
On your DNS server, open the Forward Lookup Zones for your domain, right-click and create a new Host entry (A record) for the Gateway server.
Enter a name. This will be the DNS address that will be used to reach the Gateway server.
e.g. codygw.acme.com
Enter the IP address of the Gateway Server (without the port). If you're running the Gateway and the Files Advanced Servers on the same IP address, enter that IP address.
Select Create associated pointer (PTR) record and press Add Host.
Configure the SPN for the local Gateway Server
Go to the machine with Files Advanced.
Open the command prompt.
Set up the SPN for the Gateway Server:
If your Gateway Server is running as the Local System account, the command is:
setspn -s HTTP/gatewaydns.domain.com computername
For example, if your gateway server is running on host 'cody' in the domain and your DNS entry is codygw.acme.com, run this command: setspn -s HTTP/codygw.acme.com cody
If your gateway server is running on a non-default port (i.e., a port other than 443), you should also register an SPN using the port number; e.g., if your gateway server is running on port 444: setspn -s HTTP/codygw.acme.com:444 cody
If you haven't done so already, you have to change your desired Gateway Server's address for administration to be the Gateway Server DNS entry you created (i.e. codygw.acme.com).
Verify that the SPNs were set correctly for the Gateway
If you have a local volume for the local Gateway, you can verify that the SPNs and delegation are working by logging in with SSO. This must be done on a machine other than the Files Advanced server and the Domain Controller; otherwise SSO will not work.
Browse the local Gateway Server's volume. If that works, you can proceed; otherwise, verify that you have registered the proper SPNs on the proper objects.
Note: If you try a volume on a remote file server, you should get an Access Denied error.
Set Resource Based Constrained Delegation
Note: This type of Constrained Delegation is available only in domain controllers running in domain functional level 2012R2 or higher. Windows Server 2012 is the first to allow cross-domain Kerberos Constrained Delegation.
You can use Resource Based Constrained Delegation to grant users access to file servers or other network resources located in another domain.
Go to the domain controller for the domain where your file server resides and open PowerShell.
If your Gateway Server is running as the LocalSystem account:
$computer1 = Get-ADComputer -Identity <gateway_server_computer> -server <domain_controller_for_this_domain>
e.g. $computer1 = Get-ADComputer -Identity cody -server dc.acme.com
This command gets the computer object for the gateway server, specifies the AD Domain Services instance to connect to, and saves the object in the $computer1 variable.
Set-ADComputer <file_server_computer> -PrincipalsAllowedToDelegateToAccount $computer1
e.g. Set-ADComputer cody -PrincipalsAllowedToDelegateToAccount $computer1
This command sets the Principals Allowed To Delegate To Account property of the file server's computer object to the computer object of the gateway server. This allows the gateway server's computer account to delegate to the file server's computer.
If your Gateway Server is running as a User Account:
$user1 = Get-ADUser -Identity <logon_user_of_the_gateway_service> -server <domain_controller_for_this_domain>
e.g. $user1 = Get-ADUser -Identity jane -server dc.acme.com
This command gets the user object for the account the gateway service runs as, specifies the AD Domain Services instance to connect to, and saves the object in the $user1 variable.
Set-ADComputer <file_server_computer> -PrincipalsAllowedToDelegateToAccount $user1
e.g. Set-ADComputer cody -PrincipalsAllowedToDelegateToAccount $user1
This command sets the Principals Allowed To Delegate To Account property of the file server's computer object to the user object the gateway service runs as. This allows that user account to delegate to the file server's computer.
To verify that the Gateway account was added to the file server's list of principals allowed to delegate to it, you can run the following:
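The following verification script is an added example, not a command from the original article or from Files Advanced. It assumes the ActiveDirectory PowerShell module is available on the domain controller, reuses the article's names (cody, codygw.acme.com, dc.acme.com), and uses '<file_server_computer>' as a placeholder you must replace. It checks the three things this procedure depends on: that the gateway's A record resolves, that each HTTP SPN is registered on exactly one account, and that the file server's PrincipalsAllowedToDelegateToAccount lists the gateway principal.

```powershell
# Added verification script (not part of the original article). Assumes the ActiveDirectory
# module and the article's example names; '<file_server_computer>' is a placeholder to replace.
Import-Module ActiveDirectory

$GatewayDns  = 'codygw.acme.com'        # the A record created for the gateway
$GatewayHost = 'cody'                   # gateway host (LocalSystem case); use the service
                                        # user's name (e.g. jane) if it runs as a user account
$GatewayPort = 443                      # set to the real port if the gateway is non-default
$FileServer  = '<file_server_computer>' # placeholder: the remote file server's computer name
$Dc          = 'dc.acme.com'            # DC of the domain where the file server resides

# 1. The gateway's DNS entry must resolve; the SPN is built from this name.
$a = @(Resolve-DnsName -Name $GatewayDns -Type A -ErrorAction SilentlyContinue)
if ($a.Count -eq 0) { Write-Warning "No A record for $GatewayDns" }
else                { "A record: $GatewayDns -> $($a.IPAddress -join ', ')" }

# 2. Each SPN must exist on exactly one account. A duplicate SPN makes the KDC refuse to
#    issue tickets, and an SPN on the wrong account means the gateway cannot decrypt them.
$spns = @("HTTP/$GatewayDns")
if ($GatewayPort -ne 443) { $spns += "HTTP/${GatewayDns}:$GatewayPort" }
foreach ($spn in $spns) {
    $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Server $Dc -Properties sAMAccountName)
    switch ($owners.Count) {
        0       { Write-Warning "$spn is not registered on any account" }
        1       { "$spn -> $($owners[0].sAMAccountName)" }
        default { Write-Warning "$spn is duplicated on: $($owners.sAMAccountName -join ', ')" }
    }
}

# 3. RBCD is configured on the *resource*: the file server's computer object must list the
#    gateway principal (computer account, or the service's user account) as allowed to
#    delegate to it. Only the leading CN of each DN is kept, so cross-domain entries need no lookup.
$fs = Get-ADComputer -Identity $FileServer -Server $Dc -Properties PrincipalsAllowedToDelegateToAccount
$allowed = @($fs.PrincipalsAllowedToDelegateToAccount | ForEach-Object { "$_" -replace '^CN=([^,]+),.*', '$1' })
if ($allowed -contains $GatewayHost) { "RBCD ok: $GatewayHost may delegate to $FileServer" }
else { Write-Warning "RBCD not set: $FileServer allows [$($allowed -join ', ')]" }
```

Run it from an elevated PowerShell session on the file server's domain controller; any Write-Warning line points at the step of this procedure that still needs attention.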