Applies To:

GroupID 9 and above


While configuring a second instance of GroupID in your environment (whether as a client or as a new GroupID server with existing database), the following error may occur when connecting to the parent GroupID machine:


IIS passes the Negotiate security header when Windows Integrated authentication is used to authenticate client requests. The Negotiate security header lets clients select between Kerberos authentication and NTLM authentication. In this scenario, we have not set SPN, so NTLM is being used whereas it must use Kerberos. For this reason, we are getting the error.


To enable the Negotiate process to select the Kerberos protocol for network authentication, the client application must provide an SPN, a user principal name (UPN), or a NetBIOS account name as the target name. If the client application does not provide a target name, the Negotiate process cannot use the Kerberos protocol. If the Negotiate process cannot use the Kerberos protocol, the Negotiate process selects the NTLM protocol.

An SPN is a name by which a client uniquely identifies an instance of a service. If you install multiple instances of a service on computers throughout a forest, each service instance must have its own SPN. To access the IIS application by using the NetBIOS name, use the following commands on the parent GroupID machine:

setspn -a http/ NETBIOS name of GroupID machine domain\username
(username must be the service account under which GroupIDApp pool is running)
setspn -a http/ FQDN_OF_IIS_SERVER machine domain\username

This should resolve the issue. If not, contact Imanami support at


How to use SPNs when you configure Web applications that are hosted on Internet Information Services