Configuring the Active Directory domain controller

Modify the configuration of the Active Directory domain controller:

  1. On the server, check whether the binary files needed in the configuration of the domain controller are available: "reg.exe", "setspn.exe", "ktpass.exe" and "ldifde.exe".
  2. If they are not available, retrieve them (see Requirements according to the version of Microsoft Windows Server) and save them in a shared folder which, if necessary, must be added to the PATH environment variable. Example “C:\SPNEGO\”.
  3. Retrieve the spnego.bat script in your Mystormshield client area (Downloads > Stormshield Network Security > Tools menu) and save it in the same folder as in Step (2).
  4. In the command prompt, go to the directory containing the spnego.bat script (the files generated by the script will be added to the current directory).
  5. Run the spnego.bat script using the command:
    Spnego.bat <FW> <dns> <AD_Domain> <password> <file>



    • <FW> represents the name of the firewall on which you are configuring SPNEGO. This name is identical to the entry made in the DNS server. Stormshield recommends that you enter this parameter in UPPERCASE.
    • <dns> represents the DNS domain name (in the configuration of the DNS server below, the DNS domain name would be “”). This parameter MUST be entered in LOWERCASE.
    • <AD_Domain> represents the Microsoft Active Directory domain name handled by the domain controller. In most cases, this Microsoft Active Directory domain name is the same as the DNS domain name. This parameter MUST be entered in UPPERCASE.
    • <password> represents the password that you have chosen and which will be used for the <FW> user created and the SPNEGO service. This password MUST NOT contain more than 14 characters.
    • <file> represents the name of a file that you have chosen. This file contains an encryption key that needs to be installed during the configuration of the firewall.
  6. Before continuing with the configuration, save the information indicated after the spnego.bat script has been run:

values to insert in the manager

  • SPN is the name of the main service in the SPNEGO configuration. In the example given, this SPN would be “HTTP/”.
  • DOMAIN is the Microsoft Active Directory domain name in the SPNEGO configuration. In the example given, this DOMAIN would be “STORMSHIELD.COM”.

This information can be found in the log file stored in the same folder as the script.


Example of the details of the user created on the domain controller using the spnego.bat script.