Creating a Kerberos keytab using ktpass
Microsoft’s ktpass utility can be used to create a Kerberos keytab.
About this task
Procedure
To create a Kerberos keytab using ktpass, perform the following steps. Substitute your own values for the placeholders: the name of the identity account, its password, and the location where the keytab is to be created. Running ktpass might produce warning messages, which you can ignore.
Results
The -kvno 0 option in the above command lines is there to avoid "Specified version of the key is not available" errors, which occur in some versions of the JVM if the key version number (kvno) in the keytab does not match the one held by the Active Directory server for the identity user's password.
Be careful with the case of the letters used for the identity account's name and for the password in the ktpass command. The case of the name should be exactly as shown in the User logon name (pre-Windows 2000) field of the identity account in Microsoft's Active Directory Users and Computers MSC snap-in. Using the wrong case can cause failures later and require that ktpass be rerun. Do not use the SPN (the name with the /) in this command; use the name of the identity user (the name with the _).
Additional help for ktpass can be obtained by entering this on the command line:
ktpass /help
Many setups for SPNEGO use the -mapuser option with ktpass, but you should not use this option. Using -mapuser changes the userPrincipalName setting of the identity user's account and causes the Content Platform Engine's special TGT login to fail. If -mapuser was used, or to find out whether it was used inadvertently, run the Active Directory Users and Computers MSC snap-in, open the Properties of the identity user account, and select the Account pane. If the User logon name field now reads something like FNCEWS/myhost (notice the / instead of a _), then it should be changed.
Windows 2003 versions of ktpass do not include RC4-HMAC-NT as an option; if RC4-HMAC encryption is to be used, then a later version of ktpass must be run or the ktab method must be used to create the keytab.
ktpass creates new keytab entries in, or appends them to, the file specified in its -out option. This file might have to be moved in later steps so that it is accessible to the Content Platform Engine.
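To verify what ktpass actually wrote to the -out file, here is an added example (not part of this documentation and not an IBM tool) that parses a version-2 keytab and flags the two problems described above: a principal written in SPN form (with the /) instead of the identity user name (with the _), and a non-zero kvno that has to match the account's key version in Active Directory. The sample keytab bytes, the realm EXAMPLE.COM and the principal names are constructed for illustration only.

```python
import struct

def _counted(buf, pos):                    # keytab "counted octet string": u16 length + bytes
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(data):
    """Parse a version-2 (0x0502) keytab into dicts of principal, realm, kvno, enctype."""
    assert data[:2] == b"\x05\x02", "not a version-2 keytab"
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                      # deleted slot (negative size) or zero padding
            pos += abs(size) or 1
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted(data, pos)
            comps.append(comp.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        (enctype,) = struct.unpack_from(">H", data, pos + 9)
        _key, pos = _counted(data, pos + 11)   # key material is parsed but never shown
        kvno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8  # 32-bit kvno, if present, wins
        entries.append({"principal": "/".join(comps), "realm": realm.decode(),
                        "kvno": kvno, "enctype": enctype})
        pos = end
    return entries

def check_entries(entries):
    warnings = []
    for e in entries:
        if "/" in e["principal"]:
            warnings.append(f"{e['principal']}: SPN-style name ('/'); use the identity user name ('_')")
        if e["kvno"] != 0:
            warnings.append(f"{e['principal']}: kvno {e['kvno']} must match the account's kvno in AD")
    return warnings

def _entry(principal, realm, kvno, enctype, key):   # builds one entry for the sample below
    cs = lambda b: struct.pack(">H", len(b)) + b
    body = struct.pack(">H", 1) + cs(realm.encode()) + cs(principal.encode())
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF) + struct.pack(">H", enctype) + cs(key)
    return struct.pack(">i", len(body) + 4) + body + struct.pack(">I", kvno)

# Constructed sample: one entry as recommended, one written with an SPN name and kvno 3.
SAMPLE_KEYTAB = (b"\x05\x02" + _entry("FNCEWS_myhost", "EXAMPLE.COM", 0, 23, b"\x11" * 16)
                 + _entry("FNCEWS/myhost", "EXAMPLE.COM", 3, 23, b"\x22" * 16))
```

On a real file, call parse_keytab(open(path, "rb").read()); an RC4-HMAC entry appears with enctype 23.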