Setting up the Windows Domain Controller

Last Updated : Jun 10, 2026

About this task

Use this procedure to add the Avaya Aura® Web Gateway SPN to a domain user on the Windows Domain Controller or the Active Directory server. The SPN must be unique across the domain. To avoid issues with duplicated SPNs, keep track of every SPN you assign to a user.

Avaya Aura® Web Gateway supports IWA for multiple domains. To configure IWA for multiple domains that are in different Active Directories, repeat this procedure on each Active Directory.

Important:

Enter all commands exactly as shown in this procedure, and use the following guidelines:

  • The hostname used to access the Tomcat server must match the host name in the SPN exactly. Otherwise, authentication fails.

  • The server must be part of the local trusted intranet for the client.

  • The SPN must be formatted as HTTP/<host name> and must be exactly the same everywhere.

  • The port number must not be included in the SPN.

  • Only one SPN must be mapped to a domain user.

  • The Kerberos realm is always the uppercase equivalent of the DNS domain name. For example, EXAMPLE.COM.

  • Avaya Aura® Web Gateway supports IWA for parent and child domains. However, you cannot assign an SPN and generate a tomcat.keytab file for the child domain because the SPN can only be mapped to a single user in a forest. Here, you need to assign the SPN and generate a tomcat.keytab file for the parent domain.

Procedure

  1. Create a new IWA service account.

    Do not reuse an account that belongs to an existing user: the ktpass command in step 4 resets the password of the account it maps, which would lock that user out.

  2. Run the following command to map the SPN to the service account:

    setspn -S HTTP/<FRONT-END FQDN> <Domain user login>

    In the following example, <FRONT-END FQDN> is csa.example.com and <Domain user login> is csa_user:

    setspn -S HTTP/csa.example.com csa_user

    Important:

    • If the Domain Controller is running Windows Server 2003, setspn does not support -S; use setspn -A instead. Unlike -S, -A does not check for duplicates, so confirm that no other account already carries the SPN before you run it.

    • When you use setspn -S, the Active Directory server first searches for other accounts with the same SPN and refuses to add a duplicate. If the server reports a duplicated SPN, see step 3.

  3. (Optional) If the SPN is already mapped to another account, remove it from that account and then repeat step 2:

    setspn -d <SPN> <old user>

  4. Run one of the following commands to generate a tomcat.keytab file:
    • If FIPS is disabled on Avaya Aura® Web Gateway, run the following command:

      ktpass /out c:\tomcat.keytab /mapuser <Domain User Login>@<Kerberos realm> /princ HTTP/<FRONT-END FQDN>@<Kerberos realm> /ptype KRB5_NT_PRINCIPAL /pass +rndPass /crypto all /kvno 0

      With /crypto all, the keytab contains a key for every encryption type the domain supports, including RC4-HMAC. If all clients support AES, prefer one of the explicit AES types shown for FIPS mode.

    • If FIPS is enabled on Avaya Aura® Web Gateway, run the following command:

      ktpass /out c:\tomcat.keytab /mapuser <Domain User Login>@<Kerberos realm> /princ HTTP/<FRONT-END FQDN>@<Kerberos realm> /ptype KRB5_NT_PRINCIPAL /pass +rndPass /crypto <Encryption Type> /kvno 0

      Where <Encryption Type> can be one of the following:

      • AES256-SHA1: If you want to use the AES256-SHA1 encryption type.

      • AES128-SHA1: If you want to use the AES128-SHA1 encryption type.

      The encryption type must correspond to the encryption type configured for the domain user that is mapped to the Avaya Aura® Web Gateway SPN. For more information, see Enabling encryption for the domain user.

      AES256-SHA1 is the preferred encryption type.

    The following example displays the command for generating a keytab file in FIPS mode. In this example, <Domain User Login> is csa_user, <Kerberos realm> is EXAMPLE.COM, and <FRONT-END FQDN> is csa.example.com:

    ktpass /out c:\tomcat.keytab /mapuser csa_user@EXAMPLE.COM /princ HTTP/csa.example.com@EXAMPLE.COM /ptype KRB5_NT_PRINCIPAL /pass +rndPass /crypto AES256-SHA1 /kvno 0
  5. Transfer the generated tomcat.keytab file to the Avaya Aura® Web Gateway server using the OAMP administration portal.

    This file holds the long-term Kerberos key of the service account, so handle it as a credential: restrict access to it, transfer it only over a protected channel, and delete the original after it is imported into the Avaya Aura® Web Gateway server. You can generate and re-import a new tomcat.keytab file at any time. Because /pass +rndPass resets the account password, running ktpass again invalidates the keytab that is currently installed, so import the new file immediately.
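    The following PowerShell script is an added example of steps 2 through 4 with the pre-flight checks a practitioner would want; it is not part of the Avaya procedure. It assumes the hypothetical values csa.example.com (front-end FQDN), csa_user (service account), EXAMPLE.COM (realm) and C:\tomcat.keytab (output path), an elevated session on the Domain Controller, and the ActiveDirectory module from RSAT. Before touching anything it searches the global catalog for an existing owner of the SPN, confirms the host name resolves, and confirms the account carries no other SPN; in FIPS mode it also enables the chosen AES type on the account (the attribute that the "Enabling encryption for the domain user" task sets in the GUI) before ktpass runs.

```powershell
# Added example, not Avaya's own tooling. Names below (csa.example.com, csa_user,
# EXAMPLE.COM, C:\tomcat.keytab) are placeholders for this illustration.
#Requires -Modules ActiveDirectory
[CmdletBinding()]
param(
    [string]$FrontEndFqdn = 'csa.example.com',
    [string]$ServiceUser  = 'csa_user',
    [string]$Realm        = 'EXAMPLE.COM',
    [ValidateSet('AES256-SHA1', 'AES128-SHA1', 'all')]
    [string]$Crypto       = 'AES256-SHA1',      # 'all' only when FIPS is disabled
    [string]$KeytabPath   = 'C:\tomcat.keytab'
)

$ErrorActionPreference = 'Stop'
$spn = "HTTP/$FrontEndFqdn"   # HTTP (not HTTPS), no port, exact host name

# 1. Uniqueness: an SPN may be mapped to one account per forest, so query a
#    global catalog (port 3268) rather than only the local domain.
$gc = (Get-ADDomainController -Discover -Service GlobalCatalog).HostName | Select-Object -First 1
$owners = Get-ADObject -Server "${gc}:3268" -LDAPFilter "(servicePrincipalName=$spn)" `
                       -Properties servicePrincipalName, sAMAccountName
$foreign = @($owners | Where-Object { $_.sAMAccountName -ne $ServiceUser })
if ($foreign.Count -gt 0) {
    throw "SPN $spn already mapped to: $($foreign.DistinguishedName -join '; '). Remove it first (setspn -d)."
}

# 2. The name in the SPN must be the name clients actually use; if it does not
#    resolve, IWA fails later with no useful error on the client side.
if (-not (Resolve-DnsName -Name $FrontEndFqdn -Type A -ErrorAction SilentlyContinue)) {
    throw "$FrontEndFqdn does not resolve in DNS"
}

# 3. The service account must exist and should carry only this SPN.
$acct = Get-ADUser -Identity $ServiceUser -Properties servicePrincipalName, 'msDS-SupportedEncryptionTypes'
$otherSpns = @($acct.servicePrincipalName | Where-Object { $_ -ne $spn })
if ($otherSpns.Count -gt 0) { throw "$ServiceUser already carries other SPNs: $($otherSpns -join ', ')" }

# 4. Register the SPN (setspn -S refuses duplicates; use -A on Windows Server 2003)
#    and verify it is listed on the account. Native commands do not throw, so
#    check the exit code explicitly.
& setspn -S $spn $ServiceUser | Out-Null
if ($LASTEXITCODE -ne 0) { throw "setspn -S failed with exit code $LASTEXITCODE" }
$listed = & setspn -L $ServiceUser
if (-not ($listed -match [regex]::Escape($spn))) { throw "setspn -L does not show $spn on $ServiceUser" }

# 5. FIPS mode: the account must be allowed to use the AES type in the keytab.
#    msDS-SupportedEncryptionTypes bits: 0x4 RC4-HMAC, 0x8 AES128, 0x10 AES256.
if ($Crypto -ne 'all') {
    $wanted = if ($Crypto -eq 'AES256-SHA1') { 0x10 } else { 0x8 }
    $have   = [int]($acct.'msDS-SupportedEncryptionTypes' -as [int])
    if (($have -band $wanted) -eq 0) {
        Set-ADUser -Identity $ServiceUser -Replace @{ 'msDS-SupportedEncryptionTypes' = ($have -bor $wanted) }
    }
}

# 6. Generate the keytab. +rndPass resets the account password, so any keytab
#    issued earlier for this account stops working as soon as this runs.
& ktpass /out $KeytabPath /mapuser "$ServiceUser@$Realm" /princ "$spn@$Realm" `
         /ptype KRB5_NT_PRINCIPAL /pass +rndPass /crypto $Crypto /kvno 0
if ($LASTEXITCODE -ne 0) { throw "ktpass failed with exit code $LASTEXITCODE" }

# 7. The file is a credential: limit it to Administrators until it is uploaded,
#    record a hash to compare after transfer, and delete it after import.
icacls $KeytabPath /inheritance:r /grant:r 'BUILTIN\Administrators:(F)' | Out-Null
Get-FileHash -Path $KeytabPath -Algorithm SHA256 | Format-List Algorithm, Hash, Path
```

    Run the script once per Active Directory when configuring IWA for several domains, changing the parameters for each. Note that step 5 only sets the AES bit the keytab needs; clearing the RC4 bit on the account is a separate decision that should follow a check of which clients still rely on RC4.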

Next Steps