WCCILdata - PARAM,SEVERE, 7/auth, Manager (SYS: 1 Event -num 0 CONN: 1) / User YOURDOMAIN\HOST$ is not authorized to connect

When WinCC OA user management is configured to use kerberos authentication and the startup of event manager fails with "PARAM,SEVERE, 7/auth, Manager (SYS: 1 Event -num 0 CONN: 1) / User YOURDOMAIN\HOST$ is not authorized to connect" please note:

WinCC OA kerberos setup requires some prerequisites which needs to be prepared on the operating system side.

1. The service principal name (SPN) for the WinCC OA service. This string is interpreted on the WinCC OA side as case sensitive. Please enter your SPN uppercase, even when windows does not distinguish the format, WinCC OA does. When a mixed case or lower case SPN is already set, please remove it and set the new upper case SPN.
2. The config entry kerberosRootGroup needs to point to an existing group.
3. The host account (HOST$) where WinCC OA runs on must be a member of this group. When the host account is not member of this group, the service will fail to start.

Any time you change credentials (e.g. group membership) you need to refresh the local cache of the workstation OS (Windows). For user accounts a relogin is sufficient. For refreshing host account related setup (SPN and group membership) you need to reboot your windows workstation.