Deciding which accounts to assign the SPNs to

You must decide which Active Directory account to assign a Domino® server's SPNs to. The Domino server must log on under this account as a Microsoft™ Windows™ service.

About this task

Best practice is to assign SPNs to a separate, named account in Active Directory. In this case, the account must be a member of the local administrators group on the Domino server computer.

In some scenarios, you can instead assign SPNs to the default account that was created for a Domino computer when it was registered in Active Directory. In Active Directory this account name is the computer name (for example, domino1); on the computer it is referred to as the Local System account. Using the Local System account can be a viable strategy if there is not already a named account that can be used, or if your Windows administrator does not want to add a named account to Active Directory.

Proper Windows single sign-on operation requires that a specific SPN be assigned to one Active Directory account only. If Web clients can access two or more Domino servers through one URL, you must assign the SPN associated with that URL to one account that the Domino servers share and not to a server's default Local System account.

For example, if a load balancer distributes requests for www.renovations.com to either server domino1 or server domino2, you must assign an SPN for www.renovations.com to a named account in Active Directory that both servers use to log on to Active Directory, and not to a Local System account.

You must assign SPNs to a named account rather than the Local System account if:

  • your SSO environment uses an IP sprayer to load balance requests among Domino servers;
  • your SSO environment is configured through a Web Site document in which multiple Domino servers listed in the "Domino servers that host this site" field share a single host listed in the "Host names or addresses mapped to this site" field.
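As an added example that is not part of the original documentation, the following Python check applies both rules from this topic to a constructed set of account/SPN records: each SPN may be assigned to one account only, and the SPN for a host that several Domino servers share must not sit on a server's Local System (computer) account. The HTTP/<host> SPN form, the account names, and the named account svc-domino are assumptions for the sample.

```python
from collections import defaultdict

# Constructed sample data, not a real directory export: (sAMAccountName, objectClass,
# servicePrincipalName values). Computer accounts carry the '$' suffix Active Directory
# gives them; domino1$ and domino2$ correspond to the servers' Local System accounts.
# Here both servers have been (wrongly) given the SPN for the load-balanced host.
WRONG_LAYOUT = [
    ("domino1$", "computer", ["HOST/domino1", "HTTP/domino1.renovations.com", "HTTP/www.renovations.com"]),
    ("domino2$", "computer", ["HOST/domino2", "HTTP/domino2.renovations.com", "HTTP/www.renovations.com"]),
    ("svc-domino", "user", ["HTTP/mail.renovations.com"]),
]

# Corrected layout: the shared-host SPN moves to the named account both servers log on with.
FIXED_LAYOUT = [
    ("domino1$", "computer", ["HOST/domino1", "HTTP/domino1.renovations.com"]),
    ("domino2$", "computer", ["HOST/domino2", "HTTP/domino2.renovations.com"]),
    ("svc-domino", "user", ["HTTP/www.renovations.com", "HTTP/mail.renovations.com"]),
]

# Host names that more than one Domino server answers for (IP sprayer / load balancer,
# or a Web Site document listing several servers for one mapped host name).
SHARED_HOSTS = {"www.renovations.com"}


def index_spns(accounts):
    """Map each SPN (compared case-insensitively) to the (account, objectClass) pairs holding it."""
    owners = defaultdict(list)
    for name, cls, spns in accounts:
        for spn in spns:
            owners[spn.lower()].append((name, cls))
    return owners


def find_spn_problems(accounts, shared_hosts):
    """Return findings as strings; an empty list means the assignment follows both rules."""
    shared = {h.lower() for h in shared_hosts}
    findings = []
    for spn, holders in index_spns(accounts).items():
        # Rule 1: a given SPN may be registered on exactly one account.
        if len(holders) > 1:
            findings.append("duplicate SPN %s on %s" % (spn, ", ".join(n for n, _ in holders)))
        # Rule 2: the SPN for a shared host must not sit on a computer (Local System) account.
        service, _, host = spn.partition("/")
        if service == "http" and host in shared:
            for name, cls in holders:
                if cls == "computer":
                    findings.append("shared host %s registered on computer account %s" % (host, name))
    return findings
```

In a real domain the same records come from each account's servicePrincipalName attribute (for example, as listed by setspn -L <account>).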