Creating a keytab file

You can create one user account to authenticate at multiple Central Node servers. Service principal name (SPN)To do so, you must create a keytab file that contains service principal names (hereinafter also SPN) for each of these servers. When you create the keytab file, you must use an attribute to generate a salt (hash function input modifier).

The generated salt must be saved in any convenient way for adding more SPNs to the keytab file in the future.

You can also create a separate Active Directory user account for each Central Node server for which you want to set up Kerberos authentication.

To create a keytab file using one user account:

  1. On the domain controller, in the Active Directory Users and Computers snap-in, create a user account (for example, with control-user as its name).
  2. If you want to use the AES256-SHA1 encryption algorithm, in the Active Directory Users and Computers snap-in:
    1. Open the properties of the user account that you have created.
    2. On the Account tab, select the This account supports Kerberos AES 256 bit encryption check box.
  3. Use the ktpass utility to create a keytab file for the control-user user. To do so, run the following command on the command line:

    C:\Windows\system32\ktpass.exe -princ HTTP/<fully qualified domain name (FQDN) of the Central Node server>@<realm name of the Active Directory domain in uppercase> -mapuser control-user@<realm name of the Active Directory domain in uppercase> -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass * +dumpsalt -out <path to the file>\<file name>.keytab

    The utility requests the control-user password when executing the command.

    The SPN of the selected server is added to the created keytab file. The generated salt is displayed on screen: Hashing password with salt "<hash value>".

  4. Add an SPN record for each subsequent Central Node server to the keytab file. To do so, run the following command:

    C:\Windows\system32\ktpass.exe -princ HTTP/<fully qualified domain name (FQDN) of the Central Node server>@<realm name of the Active Directory domain in uppercase> -mapuser control-user@<realm name of the Active Directory domain in uppercase> -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass * -in <path and name of the previously created file>.keytab -out <path and new name>.keytab -setupn -setpass -rawsalt "<hash value of the salt obtained when creating the keytab file at step 3>"

    The utility requests the control-user password when executing the command.

The keytab file is created. This file contains all added SPNs of selected servers.

Example:

For example, you need to create a keytab file containing SPN names of 3 servers: control-01.test.local, secondary-01.test.local, and secondary-02.test.local.

To create a filename1.keytab file containing the SPN of the server in C:\keytabs\, run the command:

C:\Windows\system32\ktpass.exe -princ HTTP/control-01.test.local@TEST.LOCAL -mapuser control-user@TEST.LOCAL -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass * +dumpsalt -out C:\keytabs\filename1.keytab

Let's say you got "TEST.LOCALHTTPcontrol-01.test.local" as the salt.

To add another SPN, run the following command:

C:\Windows\system32\ktpass.exe -princ HTTP/secondary-01.test.local@TEST.LOCAL -mapuser control-user@TEST.LOCAL -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass * -in C:\keytabs\filename1.keytab -out C:\keytabs\filename2.keytab -setupn -setpass -rawsalt "TEST.LOCALHTTPcontrol-01.test.local"

To add a third SPN:

C:\Windows\system32\ktpass.exe -princ HTTP/secondary-02.test.local@TEST.LOCAL -mapuser control-user@TEST.LOCAL -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass * -in C:\keytabs\filename2.keytab -out C:\keytabs\filename3.keytab -setupn -setpass -rawsalt "TEST.LOCALHTTPcontrol-01.test.local"

This creates a filename3.keytab file containing all three added SPNs.

To create a keytab file using a separate account for each Central Node server:

  1. On the domain controller server, in the Active Directory Users and Computers snap-in, create a separate user account for each server (for example, control-user, secondary1-user, secondary2-user, etc).
  2. If you want to use the AES256-SHA1 encryption algorithm, in the Active Directory Users and Computers snap-in:
    1. Open the properties of the user account that you have created.
    2. On the Account tab, select the This account supports Kerberos AES 256 bit encryption check box.
  3. Use the ktpass utility to create a keytab file for the control-user user. To do so, run the following command on the command line:

    C:\Windows\system32\ktpass.exe -princ HTTP/<fully qualified domain name (FQDN) of the Central Node server>@<realm name of the Active Directory domain in uppercase> -mapuser control-user@<realm name of the Active Directory domain in uppercase> -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass * -out <path to the file>\<file name>.keytab

    The utility requests the control-user password when executing the command.

    The SPN of the selected server is added to the created keytab file.

  4. Add an SPN record for each subsequent Central Node server to the keytab file. To do so, run the following command:

    C:\Windows\system32\ktpass.exe -princ HTTP/<fully qualified domain name (FQDN) of the Central Node server>@<realm name of the Active Directory domain in uppercase> -mapuser secondary1-user@<realm name of the Active Directory domain in uppercase> -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass * -in <path and name of the previously created file>.keytab -out <path and new name>.keytab

    The utility requests the secondary1-user password when executing the command.

The keytab file is created. This file contains all added SPNs of selected servers.

Example:

For example, you need to create a keytab file containing SPN names of 3 servers: control-01.test.local, secondary-01.test.local, and secondary-02.test.local.

To create a filename1.keytab file containing the SPN of the server in C:\keytabs\, run the command:

C:\Windows\system32\ktpass.exe -princ HTTP/control-01.test.local@TEST.LOCAL -mapuser control-user@TEST.LOCAL -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass * -out C:\keytabs\filename1.keytab

To add another SPN, run the following command:

C:\Windows\system32\ktpass.exe -princ HTTP/secondary-01.test.local@TEST.LOCAL -mapuser secondary1-user@TEST.LOCAL -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass * -in C:\keytabs\filename1.keytab -out C:\keytabs\filename2.keytab

To add a third SPN:

C:\Windows\system32\ktpass.exe -princ HTTP/secondary-02.test.local@TEST.LOCAL -mapuser secondary2-user@TEST.LOCAL -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass * -in C:\keytabs\filename2.keytab -out C:\keytabs\filename3.keytab

This creates a filename3.keytab file containing all three added SPNs.

Page top