Windchill Service Principal
The service principal identity is used in machine-to-machine (M2M) operations. This identity is used to handle service accounts. A user should not be able to log in to the Windchill user interface as a service principal. It is not recommended to use trust by IP or host for a service principal.
JNDI Adapter Configurations and Mappings
Service principal related information is stored in the WTUser class. To support this, attributes are added to the WTPrincipal class. The adapter properties are mapped to the corresponding LDAP entities. The attributes of the WTPrincipal class are listed:
principalType — By default, this attribute is mapped to the employeeType field. You can map this attribute to any LDAP field that is used to identify a service principal. You can configure the value of this attribute as required; the default value is serviceprincipal. An example of the configuration is given here:

#configuration for principalType as departmentNumber and value as sp
"com.ptc.ptcnet.EnterpriseLdap.windchill.mapping.user.principalType=departmentNumber"
"com.ptc.ptcnet.EnterpriseLdap.windchill.config.serviceprincipal.value=sp"
Description — You can provide a description for the service principal that is created.
With the same configurations, attribute mapping can be viewed at Site Utilities > Info*Engine Administration > Adapters page. An example of the attribute mapping is shown below:
Service Principal entry in LDAP
When a service principal is created in the LDAP, the LDAP fields appear as shown below:
To determine if a reference is to a service principal, use the isServicePrincipal API.
Search Capability for Service Principal
Service principals can be searched only by using the search criteria type User. The service principal search is enabled on all Find Participant pickers. Although service principals do not have an e-mail address, they are still searchable within the search pickers that require an e-mail address. An example of this is the Recent Projects search picker.
Reconnect Disconnected Service Principal
You can reconnect a disconnected service principal to any service principal or user principal that is not persisted in the Windchill database. For more information on reconnecting disconnected principals, see Managing Disconnected Participants.
Designating a User as a Service Principal
When migrating from an older system where a user was initially created but now needs to be designated as a service principal, perform either of the following steps:
For a writable LDAP-configured system, navigate to Edit User from the right-click actions menu of the user to be modified, and then select Designate as Service Principal.
For a read-only LDAP-configured system, check the details of the user entry in LDAP and update the attribute that you have configured for the JNDI adapter. This attribute indicates that the LDAP entry is intended for a service principal.
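The following Python sketch is an added example, not PTC code. It reads the principalType mapping shown in the adapter configuration above and lists which entries in an LDIF export carry the service principal marker, which is the attribute the read-only LDAP step asks you to update. The property text and LDIF entries are constructed samples, and the key pattern `<adapter>.windchill...` and the case-insensitive value comparison are assumptions.

```python
import re

# Constructed sample input; the adapter name and property keys follow the page's example.
ADAPTER = "com.ptc.ptcnet.EnterpriseLdap"
SAMPLE_PROPERTIES = '''#configuration for principalType as departmentNumber and value as sp
"com.ptc.ptcnet.EnterpriseLdap.windchill.mapping.user.principalType=departmentNumber"
"com.ptc.ptcnet.EnterpriseLdap.windchill.config.serviceprincipal.value=sp"
'''
SAMPLE_LDIF = '''dn: uid=svc-erp,ou=people,dc=example,dc=com
departmentNumber: SP

dn: uid=jdoe,ou=people,dc=example,dc=com
departmentNumber: 42
employeeType: serviceprincipal
'''

def load_mapping(properties_text, adapter):
    """Return (ldap_attribute, marker_value) for one adapter, with the page's defaults."""
    props = {}
    for line in properties_text.splitlines():
        line = line.strip().strip('"')
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    prefix = adapter + ".windchill."  # assumed key pattern, taken from the page's example
    return (props.get(prefix + "mapping.user.principalType", "employeeType"),
            props.get(prefix + "config.serviceprincipal.value", "serviceprincipal"))

def parse_ldif(ldif_text):
    """Parse plain (non-base64) LDIF into a list of {attribute_lowercase: [values]}."""
    entries = []
    unfolded = re.sub(r"\r?\n ", "", ldif_text.strip())  # undo LDIF line folding
    for block in re.split(r"\r?\n\s*\r?\n", unfolded):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ": " not in line:
                continue
            name, value = line.split(": ", 1)
            entry.setdefault(name.lower(), []).append(value.strip())
        if "dn" in entry:
            entries.append(entry)
    return entries

def service_principals(ldif_text, attr, value):
    """Return the DNs whose mapped attribute holds the service principal marker."""
    # Assumption: values are compared case-insensitively.
    return [e["dn"][0] for e in parse_ldif(ldif_text)
            if value.lower() in (v.lower() for v in e.get(attr.lower(), []))]
```

With the sample mapping, only the entry marked through departmentNumber is reported; the entry that still carries the default employeeType marker is not, which is the mismatch to look for after remapping principalType.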
Loader for Service Principal
Loader support is provided to create one or more service principals. The attribute value for csvPrincipalType is not case sensitive. When a service principal is created through the loader file, LDAP entries are generated as per the LDAP selection in the loader file.
<?xml version="1.0"?><!DOCTYPE NmLoader SYSTEM "standard13_1.dtd">
<NmLoader>
<csvUser handler="wt.load.LoadUser.createUser">
<csvuser></csvuser>
<csvnewUser>xxyyzz</csvnewUser>
<csvwebServer>xxx</csvwebServer>
<csvfullName></csvfullName>
<csvLast></csvLast>
<csvLocale>US</csvLocale>
<csvEmail>xyz@xxx.com</csvEmail>
<csvDescription></csvDescription>
<csvTitle>xyz</csvTitle>
<csvOrganization>Demo Organization</csvOrganization>
<csvStreet1></csvStreet1>
<csvStreet2></csvStreet2>
<csvCity></csvCity>
<csvState></csvState>
<csvCountry></csvCountry>
<csvZipCode></csvZipCode>
<csvIgnore></csvIgnore>
<csvpassword></csvpassword>
<csvDirectoryService>com.xxx.xxxnet.EnterpriseLdap</csvDirectoryService>
<csvPrincipalType>serviceprincipal</csvPrincipalType>
</csvUser>
</NmLoader>

##loader script
windchill wt.load.LoadFromFile -d <loader_name> -u wcadmin -p wcadmin -CONT_PATH /