After installation of Xtract Universal, the Xtract Universal service runs under the Local System account.
In the following scenarios the service must run under a dedicated Windows domain user account instead of the Local System account:
- Enabling Kerberos authentication for the Xtract Universal web server.
- Enabling Windows authentication for an Xtract Universal destination that allows Windows credentials for logon (e.g., SQL Server destination, PostgreSQL destination).
- Enabling SSO with Kerberos SNC.
- Enabling SSO with SAP Logon Tickets.
This section describes how to run the Xtract Universal service under a service account.
Note: As of Xtract Universal version 5.0, SAP passwords are encrypted with a key that is derived from the Windows account that runs the XU service. When restoring a backup or moving the files to a different machine, the passwords can only be accessed from the same service account. If the service account changes, passwords need to be re-entered manually.
Basic settings
Create a Windows AD service account and assign an SPN (Service Principal Name) to the service account in the following format: HTTP/[FQDN of XU Server]. The SPNs of a user account can be checked with the setspn command.
Grant access rights on Xtract Universal’s installation folder and all subfolders to the service account as shown in the following screenshot:
If applicable, make sure the service account has Read access to the private key of the X.509 certificate used by Xtract Universal.
Let the Xtract Universal service run under the service account. Make sure the correct domain is used (e.g., .company.local instead of .company.com).
In the Xtract Universal Designer startup window “Connect to Xtract Universal Server”, set Windows credentials or Custom Credentials (Kerberos authentication) as Authentication. Enter the User Principal Name (UPN) of the service account in the Target Principal field as described in the knowledge base article “How to use target principal field”.
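The checks implied by the steps above, as a read-only PowerShell script. This is an added example, not part of the Xtract Universal documentation; the account name, server FQDN, service display-name pattern and installation path are placeholders or assumptions to replace with your own values.

```powershell
# Added example: read-only checks, nothing is changed.
# Every default below is a placeholder or assumption; replace with your values.
param(
    [string]$Account       = 'COMPANY\svc-xu',                   # hypothetical service account
    [string]$ServerFqdn    = 'xu01.company.local',               # hypothetical FQDN of the XU server
    [string]$ServiceFilter = '*Xtract Universal*',               # assumed service display-name pattern
    [string]$InstallDir    = 'C:\Program Files\XtractUniversal'  # assumed installation folder
)

$spn = "HTTP/$ServerFqdn"

# 1. SPN is registered on the service account (setspn -L lists an account's SPNs).
$hasSpn = [bool](& setspn.exe -L $Account 2>$null |
    Where-Object { $_.Trim() -ieq $spn })

# 2. SPN is held by exactly one object. setspn -Q prints the distinguished name
#    of every holder; a duplicate SPN breaks Kerberos authentication for the service.
$holders = @(& setspn.exe -Q $spn 2>$null | Where-Object { $_ -match '^CN=' })

# 3. The service logs on as the service account, not as LocalSystem.
$svc = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.DisplayName -like $ServiceFilter } |
    Select-Object -First 1

# 4. Rights granted directly to the account on the installation folder.
#    Rights that come from group membership are not resolved here.
$rights = @()
if (Test-Path -LiteralPath $InstallDir) {
    $rights = @((Get-Acl -LiteralPath $InstallDir).Access |
        Where-Object { $_.IdentityReference.Value -ieq $Account -and
                       $_.AccessControlType -eq 'Allow' } |
        ForEach-Object { $_.FileSystemRights.ToString() })
}

[pscustomobject]@{
    Spn            = $spn
    SpnOnAccount   = $hasSpn
    SpnHolderCount = $holders.Count                    # should be 1
    ServiceLogonAs = $svc.StartName                    # should be the service account
    RunsAsAccount  = ($svc.StartName -ieq $Account)    # plain string comparison
    FolderRights   = ($rights -join '; ')              # compare with the documented rights
}
```

If the service logon is stored in UPN form (user@domain), RunsAsAccount reports False for a DOMAIN\user input; compare ServiceLogonAs by eye in that case.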
Settings for SSO with Kerberos SNC
When using SSO with Kerberos SNC, additional steps are necessary:
- Set constrained delegation for the Windows domain account under which the Xtract Universal service runs.
- Enter the SPN of the service account under which the SAP ABAP application server is running (SAP Service Account), e.g., SAPServiceERP/do_not_care. For more information about the partner name notation in SAP, see the SAP Help portal.