
Single Sign On Configuration


Unfortunately over the weekend our AD guys changed some things and it broke our Single Sign-on. What they did is change all of our AD accounts from one UPN to another. For example, let's say the old one was @ourdomain.com but now it's been changed to @newourdomain.com. This one change seems to have caused our issue and we have tried to get everything reconfigured. One of the first things that was tried was to re-register the account under the new UPN, but I think that only compounded the problem due to not fully understanding how this all works. So I need a little help with all this, because after re-reading all of the Adobe documentation again I realized that I'm not sure how this all works in the first place, and it's been a while since this was done.

We have a user in AD with a password that never expires, and we selected the "Use DES encryption types for this account" option.

On the domain controller we ran the following ktpass command:
ktpass -princ HTTP/TheLCDevServer.ourdomain.com@OURDOMAIN.COM -mapuser ADuserAccount -pass ADuserPassword -out ADuserAccount.keytab -crypto des-cbc-md5

I understand the command in that the values are described as follows:
-princ: specifies the Service Principal Name (SPN), the name of the host as seen from the browser.
TheLCDevServer.ourdomain.com: fully qualified name of the LiveCycle server.
OURDOMAIN.COM: the Active Directory realm for the domain controller. This was determined by going to the server and checking the computer name; it must also be in uppercase characters.
-mapuser: the login name of the user account that was created in AD.
-pass: the password of the user.
-out: the keytab file that is created.
-crypto: specifies the cryptographic algorithm that is to be used (this part of the command isn't mandatory).

But I now seem to have a couple of questions about the ktpass command.
1. In the LC documentation it states that the host is the fully qualified name of the LiveCycle ES server, but we have 2 LiveCycle ES servers. When we did this command the first time we did it with the fully qualified name of the development server, which is fine, but how do I add another host? Specifically my Production server, because this was working on Production. I think we just need to tell AD to map another host, but I would like this confirmed; also I believe that the command to map it would be setspn -a HTTP/anotherHost accountname

2. Lastly, in the Adobe documentation (Administering LiveCycle ES, http://help.adobe.com/en_US/livecycle/8.2/admin_guide.pdf) on page 43 where it states “Fully qualified name of the LiveCycle ES server or any unique URL.”, could this be an alias URL? For example, when we first created everything we used the fully qualified name of our development box (mybox.ourdomain.com@ourdomain.com); could I instead use an alias URL (example: eformstest.com@ourdomain.com)?
