Creating a Kerberos keytab using ktpass

Microsoft’s ktpass utility can be used to create a Kerberos keytab.

About this task

Ktpass can be found in Microsoft’s Support Tools download for the appropriate release of Windows. Run it from a command prompt on the Content Platform Engine system if that system runs Windows; otherwise, run ktpass on the Active Directory system and move the resulting keytab file to the Content Platform Engine system.

Procedure

To create a Kerberos keytab using ktpass, perform the following steps. Substitute your own values for the placeholders (the name of the identity account, its password, and the path where the keytab should be created). Running ktpass might produce warning messages, which you can ignore.

  1. For DES encryption, enter a command line entry similar to this (all on one line):
     ktpass -princ FNCEWS_mysys@MYDOM.COM -pass mypassword -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -kvno 0 -out c:\x\my.keytab
  2. Alternatively, for RC4-HMAC encryption, enter the following (all on one line):
     ktpass -princ FNCEWS_mysys@MYDOM.COM -pass mypassword -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -kvno 0 -out c:\x\my.keytab

Results

The -kvno 0 option in the above command lines is there to avoid "Specified version of the key is not available" errors, which occur in some versions of the JVM when the key version number (kvno) in the keytab does not match the one held by the Active Directory server for the identity user’s password.

Be careful with the case of the letters in the identity account’s name and in the password in the ktpass command. The case of the name must match exactly what is shown in the User logon name (pre-Windows 2000) field of the identity account in Microsoft’s Active Directory Users and Computers MSC snap-in. Using the wrong case can cause failures later and require that ktpass be rerun. Do not use the SPN form of the name (with the /) in this command; use the name of the identity user (with the _).
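As an added example (not part of the original documentation), the following Python script reads the keytab that ktpass writes (MIT keytab format, version 0x0502) and lists each entry’s principal, kvno and encryption type, then flags the two problems described above: a kvno other than 0, and an SPN-style name containing a / instead of the identity user’s _ name. The keytab bytes used as input are constructed inline with a dummy key, standing in for c:\x\my.keytab; the parser works for any number of entries and principal components.

```python
import struct

# ktpass -crypto names used on this page, keyed by Kerberos enctype number.
ENCTYPES = {3: "DES-CBC-MD5", 23: "RC4-HMAC-NT"}


def _counted(buf, pos):
    """Read a 16-bit big-endian length-prefixed octet string starting at pos."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n


def parse_keytab(data):
    """Return (principal, kvno, enctype name) per entry; key bytes are skipped, never exposed."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab version 0x0502 is supported")
    pos, entries = 2, []
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos)   # ktpass never writes deleted (negative) slots
        pos, end = pos + 4, pos + 4 + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, p = _counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, p = _counted(data, p)
            comps.append(comp.decode())
        vno8, etype, klen = struct.unpack_from(">8xBHH", data, p)  # 8x skips name type + timestamp
        p += 13 + klen
        kvno = struct.unpack_from(">I", data, p)[0] if end - p >= 4 else vno8  # 32-bit kvno wins
        entries.append(("/".join(comps) + "@" + realm.decode(), kvno,
                        ENCTYPES.get(etype, "etype %d" % etype)))
        pos = end
    return entries


def check_entries(entries):
    """Flag the two mistakes this page warns about: a non-zero kvno and an SPN-style name."""
    problems = []
    for principal, kvno, _enctype in entries:
        if kvno != 0:
            problems.append("%s: kvno %d, rerun ktpass with -kvno 0" % (principal, kvno))
        if "/" in principal.split("@")[0]:
            problems.append("%s: SPN form used; use the identity user name with '_'" % principal)
    return problems


def _entry(name, realm, kvno, etype, key):
    """Build one constructed v2 keytab entry (test data, not real ktpass output)."""
    body = struct.pack(">HH", 1, len(realm)) + realm + struct.pack(">H", len(name)) + name
    body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, etype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


# Constructed stand-in for c:\x\my.keytab from the RC4-HMAC-NT command above (dummy key bytes).
SAMPLE_KEYTAB = b"\x05\x02" + _entry(b"FNCEWS_mysys", b"MYDOM.COM", 0, 23, b"\x11" * 16)
```

Run parse_keytab on the real file’s bytes and pass the result to check_entries; an empty list means the kvno and principal form match what the Content Platform Engine expects.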

Additional help for ktpass is available by entering this on the command line: ktpass /help

Many SPNEGO setups use the -mapuser option with ktpass, but you should not use this option. Using -mapuser changes the userPrincipalName setting for the identity user’s account and causes the Content Platform Engine’s special TGT login to fail. To find out whether -mapuser was used, perhaps inadvertently, run the Active Directory Users and Computers MSC snap-in, open the Properties of the identity user account and select the Account pane. If the User logon name field now reads something like FNCEWS/myhost (notice the / instead of the _), it should be changed back.

Windows 2003 versions of ktpass do not offer RC4-HMAC-NT as an option; if RC4-HMAC encryption is to be used, run a later version of ktpass or create the keytab with the ktab method instead.

Ktpass creates the file specified in its -out option, or appends new keytab entries to it if the file already exists. This file might have to be moved in later steps so that it is accessible to the Content Platform Engine.