A LoadMaster trusted user must be created in the Windows domain (Active Directory). This trusted administrator user account is used to get tickets on behalf of users and services when a password is not provided. The Active Directory account for the trusted user is a user account, but it represents the LoadMaster.

Some guidelines regarding configuring the trusted user are listed below:

  • The User Principal Name (UPN) (User logon name) must be like a Service Principal Name (SPN), for example host/<FQDN>.UPNSuffix, as in the screenshot above (host/lm65.kempdev.net).
    Note: The default UPN suffix must be used.
  • The pre-Windows 2000 user logon name has to be the name part of the FQDN that is part of the UPN above, for example KempDEV\
    Note: A DNS entry representing the FQDN must be created, ideally with a PTR record for reverse lookup.
    Note: In the LoadMaster, the Kerberos Trusted User Name is set to the FQDN name above, which should be the host name of the LoadMaster.
    Note: To open the user Properties screen, right-click the user and click Properties.
  • The password should be set to never expire.
  • The user must have permissions to perform protocol transition. Refer to the Configure Delegation for the User Entry section for further information.
  • The user must be a member of the relevant domain.

In the example, the items are mapped as follows:

Item                           | Mapping                 | Additional Information
-------------------------------|-------------------------|-----------------------------------
Username                       | lm75                    |
Domain                         | kemptech.net            |
Kerberos Realm                 | kemptech.net            |
Default UPN-suffix             | kemptech.net            |
LoadMaster FQDN                | lm75.kemptech.net       | DNS entry
FQDN name/LoadMaster hostname  | lm75                    |
LoadMaster SPN                 | host/lm75.kemptech.net  |
UPN of trusted user            | host/lm75.kemptech.net  | User logon name
Trusted user logon name        | kempdev/lm75            | User logon name (pre-Windows 2000)
Kerberos Trusted User Name     | Lm75                    |
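The following PowerShell script is an added example, not Kemp's own tooling, that applies the guidelines listed above using the values from the mapping table and then verifies each one. It assumes the ActiveDirectory and DnsClient modules are available in a session with rights to create domain users, that the default UPN suffix is kemptech.net as in the table, and that Active Directory stores the UPN attribute as the logon name followed by @suffix (so the SPN-shaped logon name becomes host/lm75.kemptech.net@kemptech.net). Protocol transition is switched on with the TrustedToAuthForDelegation account-control flag; the list of target services is configured separately, as the Configure Delegation for the User Entry section describes.

```powershell
# Added example (not Kemp's script): create and verify the LoadMaster trusted user.
Import-Module ActiveDirectory

$LmHostname = 'lm75'                    # pre-Windows 2000 logon name (sAMAccountName)
$UpnSuffix  = 'kemptech.net'            # default UPN suffix, per the mapping table
$LmFqdn     = "$LmHostname.$UpnSuffix"  # lm75.kemptech.net
$Spn        = "host/$LmFqdn"            # host/lm75.kemptech.net
# Assumption: the stored userPrincipalName is <logon name>@<suffix>.
$Upn        = "$Spn@$UpnSuffix"

# Guideline: a DNS entry for the FQDN must exist, ideally with a PTR record.
$a   = Resolve-DnsName -Name $LmFqdn -Type A -ErrorAction Stop
$ptr = Resolve-DnsName -Name $a[0].IPAddress -Type PTR -ErrorAction SilentlyContinue
if (-not $ptr) { Write-Warning "No PTR record for $($a[0].IPAddress); reverse lookup will fail." }

# Guideline: SPN-shaped UPN, pre-Windows 2000 name = host name, password never expires.
$Password = Read-Host -AsSecureString -Prompt "Password for $LmHostname"
New-ADUser -Name $LmHostname `
           -SamAccountName $LmHostname `
           -UserPrincipalName $Upn `
           -AccountPassword $Password `
           -PasswordNeverExpires $true `
           -Enabled $true `
           -Description "Kemp LoadMaster KCD trusted user for $LmFqdn"

# Guideline: the user must be allowed to perform protocol transition
# (TRUSTED_TO_AUTH_FOR_DELEGATION bit in userAccountControl).
Set-ADAccountControl -Identity $LmHostname -TrustedToAuthForDelegation $true

# Verify every guideline in one place before entering the values on the LoadMaster.
$u = Get-ADUser -Identity $LmHostname -Properties UserPrincipalName, PasswordNeverExpires,
        TrustedToAuthForDelegation, MemberOf
$checks = [ordered]@{
    'UPN is SPN-shaped'            = ($u.UserPrincipalName -eq $Upn)
    'Pre-2000 name = host name'    = ($u.SamAccountName -eq $LmHostname)
    'Password never expires'       = [bool]$u.PasswordNeverExpires
    'Protocol transition enabled'  = [bool]$u.TrustedToAuthForDelegation
    'Only primary group (Domain Users)' = ($u.MemberOf.Count -eq 0)
}
$checks.GetEnumerator() | ForEach-Object {
    '{0,-36} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}
```

The last check reports any group membership beyond the primary group: the account only needs to be a member of the domain, so additional (especially privileged) group memberships are a sign that it has more rights than the delegation role requires.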