Setup domain service account
- Last Updated May 07, 2026
Run the AVEVA Enterprise Resource Management server environment under a domain service account, and run the IIS application pool and the Windows services under that same account. Starting with AVEVA Enterprise Resource Management 18.0, NetworkService is no longer used. A local user account is not recommended: a local account cannot hold a Service Principal Name in Active Directory, so clients cannot obtain a Kerberos ticket for it and authentication falls back to NTLM.
Any username can be used for the service account; the application server setup does not depend on a particular name.
Account Privileges
Grant the service account only the rights it needs, following the principle of least privilege. In particular, do not make it a member of the local Administrators group.
To grant the Log on as a service right:
- Open Local Security Policy (secpol.msc).
- In the console tree, expand Local Policies, and then select User Rights Assignment.
- In the details pane, double-click Log on as a service.
- Click Add User or Group, and then add the service account to the list of accounts that hold the Log on as a service right.
The account also needs access to the application directories; see Setup Directory access.
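The same right can be granted and verified from an elevated PowerShell session on the application server with secedit.exe, which is useful when the server is built by script rather than through the console. This is an added example, not code from the AVEVA documentation; the account name is a placeholder, and the temporary file paths are assumptions.

```powershell
# Added example (not from the AVEVA page): grant the "Log on as a service" right
# (SeServiceLogonRight) to a domain service account with secedit.exe, then read it back.
# Assumed: $ServiceAccount is a placeholder for your domain\account, and this runs in an
# elevated PowerShell session on the application server.
$ServiceAccount = 'CONTOSO\svc-erm'

# Write the SID, not the name, into the policy so the entry survives renames and does
# not depend on name resolution at import time.
$sid = (New-Object System.Security.Principal.NTAccount($ServiceAccount)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

$cfg = Join-Path $env:TEMP 'user-rights.inf'
$db  = Join-Path $env:TEMP 'user-rights.sdb'
$key = 'SeServiceLogonRight'

# Export only the user-rights area of the effective local policy.
secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
[System.Collections.Generic.List[string]]$lines = Get-Content -Path $cfg

$idx = $lines.FindIndex({ param($l) $l -match "^$key\s*=" })
$changed = $false

if ($idx -ge 0) {
    $current = ($lines[$idx] -split '=', 2)[1].Trim()
    $holders = $current -split ',' | ForEach-Object { $_.Trim() }
    if ($holders -contains "*$sid") {
        Write-Host "$ServiceAccount already holds $key; nothing to do."
    } else {
        # Holders are comma-separated; SIDs are written with a leading '*'. Keep the
        # existing holders (for example NT SERVICE\ALL SERVICES) and append ours.
        $lines[$idx] = if ($current) { "$key = $current,*$sid" } else { "$key = *$sid" }
        $changed = $true
    }
} else {
    # No entry yet: add one directly under the [Privilege Rights] section header.
    $section = $lines.FindIndex({ param($l) $l -eq '[Privilege Rights]' })
    if ($section -lt 0) { throw 'Exported template has no [Privilege Rights] section.' }
    $lines.Insert($section + 1, "$key = *$sid")
    $changed = $true
}

if ($changed) {
    # secedit writes and reads the template as UTF-16; preserve that on write-back.
    Set-Content -Path $cfg -Value $lines -Encoding Unicode
    # Apply only the user-rights area; the .sdb is a scratch database secedit requires.
    secedit.exe /configure /db $db /cfg $cfg /areas USER_RIGHTS | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit /configure failed with exit code $LASTEXITCODE" }
}

# Verify: re-export and show the effective entry, which should now include *$sid.
secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
Get-Content -Path $cfg | Where-Object { $_ -match "^$key\s*=" }
Remove-Item -Path $cfg, $db -ErrorAction SilentlyContinue
```

The script only touches the USER_RIGHTS area and keeps whatever accounts already hold the right, so it does not strip the built-in NT SERVICE\ALL SERVICES entry. If the server receives this right through Group Policy, the GPO wins on the next refresh; add the account there instead.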
Account Service Principal Name (SPN)
When using a domain service account for Kerberos authentication, ensure that a Service Principal Name (SPN) is registered for the account and that it matches the SPN used by AVEVA Enterprise Resource Management, which follows the pattern:
AVEVA_ERM/<hostname>:<port>
The hostname and port are the same values used to configure the AVEVA Enterprise Resource Management client MSI installation: the hostname is the hostname or fully qualified DNS name of the application server, and the port is the net.tcp port of the given environment. Kerberos clients request a ticket for exactly the name they were configured with, so if some clients use the short hostname and others the DNS name, register an SPN for each form.
AVEVA Enterprise Resource Management Deployment Manager attempts to create the SPN automatically during deployment. This can fail if the user running Deployment Manager lacks the rights to write the account's servicePrincipalName attribute, or if the SPN is already assigned to another account. In such cases, create the SPN manually by running the following command in a console with domain administrator privileges:
setspn.exe -S AVEVA_ERM/<hostname>:<port> <domain>\<service-account>
Use the following command to verify that the SPN is registered correctly in Active Directory. The output lists the object holding the SPN, followed by the AVEVA_ERM/<hostname>:<port> record:
setspn.exe -Q AVEVA_ERM/<hostname>:<port>
If the SPN does not exist in Active Directory, AVEVA Enterprise Resource Management cannot use Kerberos authentication and silently falls back to NTLM. If the SPN exists but is registered on an account other than the one running the application pool, the AVEVA Enterprise Resource Management application fails to start. Never register the same SPN on two accounts: setspn -S checks the forest for duplicates before adding (setspn -A does not), and setspn -X lists any duplicate SPNs that already exist.
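The following script performs the check-then-register sequence above and handles both failure cases: a missing SPN is registered, and an SPN held by some other object is reported rather than blindly re-registered. It is an added example, not code from the AVEVA documentation; the hostname, port and account are placeholders, and it assumes the session has rights to modify the service account's servicePrincipalName attribute.

```powershell
# Added example (not from the AVEVA page): check whether the AVEVA_ERM SPN exists, who
# holds it, and register it only when it is safe to do so. Assumed: the hostname, port and
# account below are placeholders, and the session has rights to modify the service
# account's servicePrincipalName attribute (for example, a domain administrator).
$Hostname       = 'erm-app01.corp.example.com'  # as configured in the client MSI
$Port           = 8000                          # net.tcp port of this environment
$ServiceAccount = 'CONTOSO\svc-erm'
$Spn            = "AVEVA_ERM/${Hostname}:${Port}"

# setspn -Q prints the holding object's DN and its SPNs, or "No such SPN found."
$query = (setspn.exe -Q $Spn 2>&1) -join "`n"

# Assumed: the account's CN equals its sAMAccountName, which is usual but not guaranteed.
$accountCn = [regex]::Escape(($ServiceAccount -split '\\')[-1])

if ($query -match 'No such SPN found') {
    # Missing SPN: clients would fall back to NTLM. -S (unlike -A) refuses to create a
    # duplicate anywhere in the forest, so it is the safe way to add it.
    setspn.exe -S $Spn $ServiceAccount
    if ($LASTEXITCODE -ne 0) { throw "setspn -S failed with exit code $LASTEXITCODE" }
}
elseif ($query -match "(?im)^CN=$accountCn,") {
    Write-Host "SPN $Spn is already registered on $ServiceAccount."
}
else {
    # The SPN is held by a different object: the ERM application pool will fail to start.
    # Do not register a second copy. Confirm the other service no longer needs it, then
    # move it by hand: setspn -D <spn> <other-account>; setspn -S <spn> <service-account>
    Write-Warning "SPN $Spn is registered on another object:`n$query"
    exit 1
}

# Final check: the SPN resolves to one holder, and no duplicate SPNs exist forest-wide.
setspn.exe -Q $Spn
setspn.exe -X
```

Run it once per hostname form the clients use (short name and FQDN) if both are in play. The deliberate choice not to auto-delete a conflicting SPN is a safety measure: removing an SPN from another account breaks Kerberos for whatever that account serves.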
After a user logs in to the AVEVA Enterprise Resource Management client application, an entry is written on the application server in the Security log of Event Viewer with Event ID 4624 and Task Category Logon (success auditing for the Logon subcategory must be enabled, which is the Windows Server default). The Authentication Package field in the Detailed Authentication Information section shows whether Kerberos or NTLM was used.
It is strongly recommended to configure the SPN so that Kerberos authentication is used. With NTLM the application server must pass every authentication through to a domain controller, whereas a Kerberos ticket is validated locally, so NTLM may cause performance issues, particularly when there is high latency between the AVEVA Enterprise Resource Management application server and the domain controller. Kerberos also gives mutual authentication, which NTLM does not.
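Rather than opening each 4624 event by hand, the check can be scripted so that every network logon from the last hour is listed with its authentication package; any NTLM rows indicate a missing or mismatched SPN. This is an added example, not code from the AVEVA documentation; it assumes the session can read the Security log and that logon success auditing is enabled.

```powershell
# Added example (not from the AVEVA page): read Security event 4624 on the application
# server and report, per network logon, whether Kerberos or NTLM was used. Assumed: the
# session can read the Security log (local Administrators or Event Log Readers), and
# success auditing for the Logon subcategory is enabled (the Windows Server default).
$Since = (Get-Date).AddHours(-1)

# Read EventData fields by name rather than by position; names are stable across versions.
# Keep network logons (type 3, how ERM clients connect) and drop machine accounts ('$').
$logons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $Since } `
                       -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            User        = "$($data.TargetDomainName)\$($data.TargetUserName)"
            LogonType   = [int]$data.LogonType              # 3 = Network
            AuthPackage = $data.AuthenticationPackageName   # 'Kerberos' or 'NTLM'
            NtlmVersion = $data.LmPackageName               # e.g. 'NTLM V2'; '-' for Kerberos
            Client      = $data.IpAddress
        }
    } |
    Where-Object { $_.LogonType -eq 3 -and $_.User -notmatch '\$$' }

$logons | Sort-Object Time -Descending | Format-Table -AutoSize

# Summary: NTLM rows mean the SPN is missing or does not match the hostname the client used.
$logons | Group-Object AuthPackage | Select-Object Name, Count
```

The Client column is useful when only some users show NTLM: it usually means those clients were installed with a hostname form (short name versus FQDN) for which no SPN is registered.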