Kerberos Service Principal Name Configuration Issues

Kerberos authentication systems (such as Active Directory) require Service Principal Names (SPNs) to be defined; an SPN tells the domain controller to explicitly allow a user to run a service. This requirement causes problems for any sort of Windows authentication with ArcGIS Server, which runs the "ArcGIS Server Object Manager Service", typically as the user "ArcGISSOM".

A solution to this problem is to create a Service Principal Name for the ArcGIS Server Users (ArcGISSOM, ArcGISSOC, ArcGISWebServices) for each server that will host the SOM, SOC, or Web Server components for ArcGIS Server.

The command to add an SPN to a user account is as follows (Windows 2008): setspn.exe -A HOST/ 

Example: Create SPNs for Single Server Deployment
Note: this must be run as a Domain Administrator on the Domain Controller

setspn -A HOST/gisserver ArcGISSOM
setspn -A HOST/gisserver ArcGISSOC
setspn -A HOST/gisserver ArcGISWebServices

Example: Create SPNs for Multiple Server Deployment
Note: this must be run as a Domain Administrator on the Domain Controller

setspn -A HOST/gisserver1 ArcGISSOM
setspn -A HOST/gisserver1 ArcGISSOC
setspn -A HOST/gisserver1 ArcGISWebServices
setspn -A HOST/gisserver2 ArcGISSOM
setspn -A HOST/gisserver2 ArcGISSOC
setspn -A HOST/gisserver2 ArcGISWebServices
setspn -A HOST/gisserver3 ArcGISSOM
setspn -A HOST/gisserver3 ArcGISSOC
setspn -A HOST/gisserver3 ArcGISWebServices
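
A read-only check to run after the multi-server commands above, as an added example that is not part of the original article. It assumes the ActiveDirectory PowerShell module (RSAT) is available and reuses the host and account names from the example; for each SPN it reports whether each ArcGIS account holds it and which accounts hold that same value.

```powershell
# Added example: read-only audit of the SPNs from the multi-server example.
# Assumes the ActiveDirectory module (RSAT) is installed; it changes nothing.
Import-Module ActiveDirectory

# Host and account names as used in the examples on this page.
$servers  = 'gisserver1', 'gisserver2', 'gisserver3'
$accounts = 'ArcGISSOM', 'ArcGISSOC', 'ArcGISWebServices'

function Get-SpnHolder {
    # Returns the sAMAccountName of every object that holds the given SPN.
    param([Parameter(Mandatory)][string]$Spn)
    # Host names contain no LDAP filter metacharacters, so no escaping is done.
    Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Properties sAMAccountName |
        ForEach-Object { $_.sAMAccountName }
}

$report = foreach ($server in $servers) {
    $spn     = "HOST/$server"
    $holders = @(Get-SpnHolder -Spn $spn)
    foreach ($account in $accounts) {
        [pscustomobject]@{
            SPN        = $spn
            Account    = $account
            Registered = $holders -contains $account   # case-insensitive match
            AllHolders = $holders -join ', '
        }
    }
}

$report | Format-Table -AutoSize

# Registrations that are still missing and need a setspn -A run.
$missing = @($report | Where-Object { -not $_.Registered })
if ($missing.Count -gt 0) {
    Write-Warning "$($missing.Count) expected SPN registration(s) not found:"
    $missing | ForEach-Object { Write-Warning "  $($_.SPN) on $($_.Account)" }
}

# Per-account view using setspn itself (-L lists the SPNs on one account).
foreach ($account in $accounts) { setspn.exe -L $account }
```

The AllHolders column also shows the server's computer account when it carries the same HOST/ value.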