Search Configuration for OpenText Content Server - Kerberos
Configure Content Server, Active Directory, and SPNs
1. Set Up the Service Account
Configure Shinydocs Search Service Account:
Account Requirements:
The "Shinydocs Search" process must run as a domain user account or a group-managed service account (GMSA). For more details on GMSA, refer to the Microsoft documentation.
Grant Permissions to the Service Account:
Add the account to the local Administrators group on the server where Shinydocs Pro is installed.
Alternatively, configure the following specific permissions:
Read access to the server.
Add the account to the local "Users" group.
Full Control on the Shinydocs Search folder (default path: C:\Program Files\Shinydocs Professional\Search).
Read access to the Shinydocs Search service certificate (default certificate: localhost.localdomain).
Grant Certificate Permissions
On the Shinydocs Pro server, open certlm.msc.
Navigate to Certificates - Local Computer > Personal > Certificates.
Locate and select localhost.localdomain.
From the menu bar, choose Action > All Tasks > Manage Private Keys.
Click Add and select the service account.
Under "Allow", check Read, then click Apply.
2. Active Directory User Setup
Configure Delegation
Open Active Directory Users and Computers.
Locate the Shinydocs Service Account.
Right-click the account and select Properties.
Go to the Delegation tab and:
Choose Trust this user for delegation to specified services only.
Select Use Kerberos only.
Add SPNs for Delegation
Click Add to open the delegation window.
Select Users or Computers and search for the target service account.
Add the required SPNs associated with the service.
Click Apply to save changes.
3. Setting Service Principal Names (SPNs)
SPN Configuration Steps
Open a command prompt or PowerShell with administrative rights.
Determine the hostnames of the Shinydocs Search servers:
For single-instance setups, use the machine hostname (e.g., search.example.local).
For load-balanced clusters, include all machine hostnames and the load balancer's DNS name (e.g., search01.example.local, search02.example.local, search.example.local).
Run the following commands to add SPNs:
setspn -S HTTP/<hostname> <domain\service_account>
Repeat for each hostname.
4. Authorization to OTDS (SPNs)
Set SPNs for OTDS Hosts
Run the following commands for each OTDS-related hostname:
OTDS Hostname:
setspn -S HTTP/<otdsHostName> <domain\service_account>
OTDS Fully Qualified Domain Name (FQDN):
setspn -S HTTP/<otdsHostName.fqdn.com> <domain\service_account>
OTDS Load Balancer:
setspn -S HTTP/<otdsloadbalancer> <domain\service_account>
setspn -S HTTP/<otdsloadbalancer.fqdn.com> <domain\service_account>
Troubleshooting
Kerberos logging can be enabled by editing the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Registry Value: LogLevel
Value Type: REG_DWORD
Value Data: 0x1
If the Parameters subkey does not exist, create it.
Further details at: https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/enable-kerberos-event-logging
The logged events appear in the System event log in Windows Event Viewer.
Ensure the SPNs have been replicated through the domain.
Ensure that the OTDS server is running as the content server user account created above, and that Negotiate authentication is enabled within OTDS.
Review the OTDS logs (otds.log and directory_access.log) for any errors during authentication.
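To check the SPN and delegation settings from sections 2 to 4 in one pass, the following PowerShell audit is an added example and is not part of the Shinydocs documentation. It assumes the ActiveDirectory RSAT module, a domain user account rather than a gMSA, a hypothetical account name svc_shinydocs, and the example hostnames used above; Get-ADObject searches the current domain only.

```powershell
# Added example: audit SPNs and delegation flags for the search service account.
# Assumptions: ActiveDirectory module (RSAT) installed; domain user, not a gMSA.
Import-Module ActiveDirectory

$ServiceAccount = 'svc_shinydocs'   # hypothetical sAMAccountName, replace with yours
$ExpectedSpns = @(                  # constructed sample: hostnames from sections 3 and 4
    'HTTP/search01.example.local'
    'HTTP/search02.example.local'
    'HTTP/search.example.local'
)

# 1. Every expected SPN must resolve to exactly one object: the service account.
#    A missing SPN, or one held by another account, breaks Kerberos authentication.
$spnReport = foreach ($spn in $ExpectedSpns) {
    $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties sAMAccountName)
    if ($owners.Count -eq 0) {
        $status = 'MISSING'
    } elseif ($owners.Count -gt 1) {
        $status = 'DUPLICATE'
    } elseif ($owners[0].sAMAccountName -ne $ServiceAccount) {
        $status = 'WRONG ACCOUNT'
    } else {
        $status = 'OK'
    }
    [pscustomobject]@{
        SPN    = $spn
        Status = $status
        Owner  = ($owners | ForEach-Object { $_.sAMAccountName }) -join ', '
    }
}
$spnReport | Format-Table -AutoSize

# 2. "Specified services only" + "Use Kerberos only" means constrained delegation
#    without protocol transition: both trust flags False, target list populated.
$props = 'TrustedForDelegation', 'TrustedToAuthForDelegation', 'msDS-AllowedToDelegateTo'
$user  = Get-ADUser -Identity $ServiceAccount -Properties $props
[pscustomobject]@{
    Unconstrained      = $user.TrustedForDelegation        # expected: False
    ProtocolTransition = $user.TrustedToAuthForDelegation  # expected: False
    DelegationTargets  = @($user.'msDS-AllowedToDelegateTo') -join '; '  # SPNs from section 2
} | Format-List
```

Running it against a second domain controller with the -Server parameter on Get-ADObject and Get-ADUser shows whether the SPNs have replicated.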
Shinydocs Search Setup for OpenText Content Server
1. Update Content Server Connector Settings
Navigate to the Application Settings menu.
Select Content Server Settings.
Update the Setup section:
Enter the Base URL of the Content Server instance (e.g., https://contentserver/otcs/cs.exe).
Enter the fully qualified domain name or IP address in OTDS Endpoint (e.g., https://otds-server:8443/otdsws).
Select the REST API version (typically Version 2).
Toggle the Enable Login Page option on.
Update the Navigation section as required:
Configure the behavior for Content Server item URLs:
Open Page (default).
Overview Page.
Properties Page.
Adjust the Performance section:
Update the Bulk Permission Check Size:
Default value: 25.
Increase if the system is fast.
Decrease if there is a lag in loading records after permission validation.
2. Enable Content Server Shortcuts
Open Content Server as an administrator.
Select Admin from the top navigation.
Navigate to Content Server Administration > Core System > Presentation > Configure Document Function.
[Recommended] Check Enable Document Overview Pages.
[Optional] Configure additional options based on organizational requirements.
Save changes.
For further details, refer to the embedded PDF for information on on-click behaviour for documents in OpenText Content Server.
Application_Note_-_On-click_behavior_for_documents_on_OpenText_Content_Server.pdf