Creating a keytab file

You can use one Active Directory account to authenticate on all cluster nodes. To do so, create a keytab file that contains the service principal name (SPN) of every node, with all SPNs mapped to that account. Kerberos derives the AES key of an entry from the account password and a salt (by default the realm name followed by the principal name, which is why the salt in the example below reads TEST.LOCALHTTPcontrol-01.test.local). Every entry mapped to the same account must therefore be derived with the same salt as the key that Active Directory stores for the account. For this reason, when you create the keytab file you make ktpass print the salt it used for the first SPN and pass that salt explicitly when adding each further SPN.

Save the salt that ktpass prints, by any convenient means, so that you can reuse it later when adding new SPNs for the same account to the keytab file.

Alternatively, create a separate Active Directory user account for each cluster node that requires Kerberos authentication. Each node then has its own key: with a single shared account, every keytab entry holds the same key, so a keytab exposed on one node can be used to impersonate the service on all of them, whereas with per-node accounts an exposed entry affects only that node.

Create the keytab file on a domain controller or on a Windows Server computer that is joined to the domain, logged on with a domain administrator account. The keytab file contains the long-term keys for the SPNs, so store it where only administrators can read it and copy it to the cluster nodes over a protected channel.

To create a keytab file using one user account:

  1. In the Active Directory Users and Computers snap-in, create a user account (for example, named control-user).
  2. To use the AES256-SHA1 encryption algorithm, in the Active Directory Users and Computers snap-in:
    1. Open the properties of the created account.
    2. On the Account tab, select the This account supports Kerberos AES 256 bit encryption check box.
  3. Use the ktpass tool to create a keytab file for control-user. To do so, run the following command on the command line:

    C:\Windows\system32\ktpass.exe -princ HTTP/<fully qualified domain name (FQDN) of the Control node>@<realm Active Directory domain name in uppercase> -mapuser control-user@<realm Active Directory domain name in uppercase> -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass * +dumpsalt -out <path to file>\<file name>.keytab

    The tool prompts you for the control-user password when the command runs. By default (+setpass, +setupn) ktpass sets the password you type as the account's new password and sets the account's user principal name (UPN) to this SPN.

    The SPN of the Control node is added to the created keytab file, and the tool prints the salt it used to derive the key: Hashing password with salt "<salt>". Save this value.

  4. For each remaining cluster node, add an SPN entry to the keytab file. To do so, run the following command:

    C:\Windows\system32\ktpass.exe -princ HTTP/<fully qualified domain name (FQDN) of the node>@<realm Active Directory domain name in uppercase> -mapuser control-user@<realm Active Directory domain name in uppercase> -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass * -in <path and name of the previously created file>.keytab -out <path and new name>.keytab -setupn -setpass -rawsalt "<salt hash value obtained when creating the keytab file at step 3>"

    The tool prompts you for the control-user password when the command runs. The -setupn and -setpass switches keep the UPN and password that the first command set, and -rawsalt makes ktpass derive the key with the saved salt so that the new entry matches the key Active Directory already holds for control-user.

The resulting keytab file contains entries for all added SPNs of the cluster nodes.

Example:

Suppose you need to create a keytab file containing the SPNs of three nodes: control-01.test.local, secondary-01.test.local, and secondary-02.test.local.

To create a file named filename1.keytab containing the SPN of the Control node in the C:\keytabs\ folder, run the following command:

C:\Windows\system32\ktpass.exe -princ HTTP/control-01.test.local@TEST.LOCAL -mapuser control-user@TEST.LOCAL -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass * +dumpsalt -out C:\keytabs\filename1.keytab

Let's assume the tool printed the salt "TEST.LOCALHTTPcontrol-01.test.local".

To add one more SPN, run the following command:

C:\Windows\system32\ktpass.exe -princ HTTP/secondary-01.test.local@TEST.LOCAL -mapuser control-user@TEST.LOCAL -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass * -in C:\keytabs\filename1.keytab -out C:\keytabs\filename2.keytab -setupn -setpass -rawsalt "TEST.LOCALHTTPcontrol-01.test.local"

To add a third SPN, run the following command:

C:\Windows\system32\ktpass.exe -princ HTTP/secondary-02.test.local@TEST.LOCAL -mapuser control-user@TEST.LOCAL -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass * -in C:\keytabs\filename2.keytab -out C:\keytabs\filename3.keytab -setupn -setpass -rawsalt "TEST.LOCALHTTPcontrol-01.test.local"

This results in a file named filename3.keytab containing all three added SPNs. The intermediate files filename1.keytab and filename2.keytab hold the same key material; delete them once filename3.keytab has been verified.
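The following PowerShell script is an added example, not part of the product documentation. It automates the procedure above: it runs ktpass for each node in turn, captures the salt from the output of the first run for an account, and passes it with -rawsalt, -setupn and -setpass on every later run for that same account. It goes beyond the single-account case in the text by reading the account from a node-to-account table, so the same script also produces the keytab for the per-node-account layout described in the next procedure (an account used only once never needs a saved salt). The realm, account names, node names and output folder are placeholders, and the script assumes it is run on a domain-joined Windows Server under a domain administrator account.

```powershell
# Added example (not from the product documentation): build one keytab for
# several cluster nodes with ktpass, reusing the salt whenever an account is
# mapped to more than one SPN. Placeholders: realm, accounts, nodes, folder.
$Realm  = 'TEST.LOCAL'
$OutDir = 'C:\keytabs'
$Ktpass = "$env:SystemRoot\System32\ktpass.exe"

# Node FQDN -> AD account. One account for every node reproduces the first
# procedure; a distinct account per node reproduces the second one.
$NodeAccounts = [ordered]@{
    'control-01.test.local'   = 'control-user'
    'secondary-01.test.local' = 'control-user'
    'secondary-02.test.local' = 'control-user'
}

$passwords = @{}   # account -> password, asked for once per account
$salts     = @{}   # account -> salt printed by ktpass the first time the account is used
$current   = $null # keytab produced by the previous run (passed with -in)
$index     = 0

foreach ($node in $NodeAccounts.Keys) {
    $index++
    $account = $NodeAccounts[$node]
    $spn     = "HTTP/$node@$Realm"
    $next    = Join-Path $OutDir ("filename{0}.keytab" -f $index)

    if (-not $passwords.ContainsKey($account)) {
        $secure = Read-Host -Prompt "Password for $account@$Realm" -AsSecureString
        $passwords[$account] = [System.Net.NetworkCredential]::new('', $secure).Password
    }

    # Caveat: ktpass receives the password on its command line here, so it is
    # visible to anyone who can read process command lines (including 4688
    # auditing with command-line logging). Use the interactive '-pass *' form
    # from the documentation if that exposure is unacceptable.
    $ktArgs = @('-princ', $spn, '-mapuser', "$account@$Realm",
                '-crypto', 'AES256-SHA1', '-ptype', 'KRB5_NT_PRINCIPAL',
                '-pass', $passwords[$account])
    if ($current) { $ktArgs += @('-in', $current) }
    $ktArgs += @('-out', $next)

    if ($salts.ContainsKey($account)) {
        # The account already had its password and UPN set by an earlier SPN:
        # leave both alone and derive the key with the salt that run printed.
        $ktArgs += @('-setupn', '-setpass', '-rawsalt', $salts[$account])
    } else {
        $ktArgs += '+dumpsalt'   # first use of this account: make ktpass print the salt
    }

    $output = & $Ktpass @ktArgs | Out-String
    if ($LASTEXITCODE -ne 0) { throw "ktpass failed for ${spn}:`n$output" }

    if (-not $salts.ContainsKey($account)) {
        # ktpass prints: Hashing password with salt "TEST.LOCALHTTPcontrol-01.test.local"
        if ($output -match 'Hashing password with salt "([^"]+)"') {
            $salts[$account] = $Matches[1]
            # Keep the salt for later SPN additions, as the documentation requires.
            Add-Content -Path (Join-Path $OutDir 'salts.txt') -Value "$account $($Matches[1])"
        } else {
            throw "Salt not found in ktpass output for ${spn}:`n$output"
        }
    }
    $current = $next
}
Write-Host "Final keytab: $current"
```

The last file written (filename3.keytab for three nodes) contains every SPN; the earlier files and salts.txt should be removed or locked down once the final keytab is in place, since the salt together with the password yields the key.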

To create a keytab file using a separate user account for each node:

  1. In the Active Directory Users and Computers snap-in, create a separate user account for each cluster node (for example, you can create user accounts named control-user, secondary1-user, secondary2-user, and so on).
  2. To use the AES256-SHA1 encryption algorithm, for each created account, in the Active Directory Users and Computers snap-in:
    1. Open the properties of the account.
    2. On the Account tab, select the This account supports Kerberos AES 256 bit encryption check box.
  3. Use the ktpass tool to create a keytab file for control-user. To do so, run the following command on the command line:

    C:\Windows\system32\ktpass.exe -princ HTTP/<fully qualified domain name (FQDN) of the Control node>@<realm Active Directory domain name in uppercase> -mapuser control-user@<realm Active Directory domain name in uppercase> -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass * -out <path to file>\<file name>.keytab

    The tool prompts you for the control-user password when the command runs, sets it as the account's new password, and sets the account's user principal name (UPN) to this SPN.

    The SPN of the Control node is added to the created keytab file.

  4. For each remaining cluster node, add an SPN entry mapped to that node's own account to the keytab file. To do so, run the following command:

    C:\Windows\system32\ktpass.exe -princ HTTP/<fully qualified domain name (FQDN) of the node>@<realm Active Directory domain name in uppercase> -mapuser secondary1-user@<realm Active Directory domain name in uppercase> -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass * -in <path and name of the previously created file>.keytab -out <path and new name>.keytab

    The tool prompts you for the secondary1-user password when the command runs. No salt needs to be carried over here: each account is used for exactly one SPN, so ktpass derives its key with that account's default salt.

The resulting keytab file contains entries for all added SPNs of the cluster nodes.

Example:

Suppose you need to create a keytab file containing the SPNs of three nodes: control-01.test.local, secondary-01.test.local, and secondary-02.test.local.

To create a file named filename1.keytab containing the SPN of the Control node in the C:\keytabs\ folder, run the following command:

C:\Windows\system32\ktpass.exe -princ HTTP/control-01.test.local@TEST.LOCAL -mapuser control-user@TEST.LOCAL -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass * -out C:\keytabs\filename1.keytab

To add one more SPN, run the following command:

C:\Windows\system32\ktpass.exe -princ HTTP/secondary-01.test.local@TEST.LOCAL -mapuser secondary1-user@TEST.LOCAL -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass * -in C:\keytabs\filename1.keytab -out C:\keytabs\filename2.keytab

To add a third SPN, run the following command:

C:\Windows\system32\ktpass.exe -princ HTTP/secondary-02.test.local@TEST.LOCAL -mapuser secondary2-user@TEST.LOCAL -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass * -in C:\keytabs\filename2.keytab -out C:\keytabs\filename3.keytab

This results in a file named filename3.keytab containing all three added SPNs. The intermediate files filename1.keytab and filename2.keytab also contain keys; delete them once filename3.keytab has been verified.
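Whichever of the two procedures you follow, you will want to confirm that the final file really holds an entry for every node before copying it to the cluster. The built-in Windows klist.exe reads ticket caches rather than keytab files, so the following PowerShell function, an added example that is not part of the product documentation, parses the keytab format that ktpass writes (MIT keytab version 0x0502) and lists each entry's principal, key version number and encryption type without ever printing the key bytes. The file path and the expected SPN list are placeholders taken from the example above.

```powershell
# Added example (not from the product documentation): list the entries of a
# keytab written by ktpass. Reads the MIT keytab format, version 0x0502:
# 2-byte version, then for each entry a big-endian int32 size followed by
# num_components, realm, components, name_type, timestamp, vno8, keyblock
# (enctype, length, key) and an optional 32-bit kvno.
function Read-BigEndian {
    param([System.IO.BinaryReader]$Reader, [int]$Bytes)
    $raw = $Reader.ReadBytes($Bytes)
    if ($raw.Length -ne $Bytes) { throw 'Unexpected end of keytab file' }
    [array]::Reverse($raw)   # keytab integers are big-endian; BitConverter expects host order
    switch ($Bytes) {
        1 { return [int]$raw[0] }
        2 { return [int]([System.BitConverter]::ToUInt16($raw, 0)) }
        4 { return [System.BitConverter]::ToInt32($raw, 0) }
    }
}

function Get-KeytabEntry {
    param([string]$Path)
    $stream = [System.IO.File]::OpenRead($Path)
    $reader = [System.IO.BinaryReader]::new($stream)
    try {
        $version = Read-BigEndian $reader 2
        if ($version -ne 0x0502) { throw ('Unsupported keytab version 0x{0:X4}' -f $version) }
        while ($stream.Position -lt $stream.Length) {
            $size = Read-BigEndian $reader 4
            if ($size -lt 0) {                       # negative size marks a deleted slot
                $stream.Seek(-$size, 'Current') | Out-Null
                continue
            }
            $entryEnd = $stream.Position + $size
            $nComp    = Read-BigEndian $reader 2
            $realm    = [Text.Encoding]::UTF8.GetString($reader.ReadBytes((Read-BigEndian $reader 2)))
            $comps    = for ($c = 0; $c -lt $nComp; $c++) {
                [Text.Encoding]::UTF8.GetString($reader.ReadBytes((Read-BigEndian $reader 2)))
            }
            $nameType = Read-BigEndian $reader 4     # 1 = KRB5_NT_PRINCIPAL
            $stamp    = Read-BigEndian $reader 4
            $vno8     = Read-BigEndian $reader 1
            $enctype  = Read-BigEndian $reader 2
            $keyLen   = Read-BigEndian $reader 2
            $null     = $reader.ReadBytes($keyLen)   # the key itself is never printed
            $kvno     = $vno8
            if ($entryEnd - $stream.Position -ge 4) { # a 32-bit kvno may follow the key
                $kvno = Read-BigEndian $reader 4
            }
            $stream.Position = $entryEnd
            [pscustomobject]@{
                Principal = ('{0}@{1}' -f ($comps -join '/'), $realm)
                NameType  = $nameType
                Kvno      = $kvno
                Enctype   = $enctype                 # 18 = aes256-cts-hmac-sha1-96 (ktpass AES256-SHA1)
                KeyBytes  = $keyLen
                Created   = [DateTimeOffset]::FromUnixTimeSeconds([int64]$stamp).UtcDateTime
            }
        }
    } finally { $reader.Dispose() }
}

# Placeholders from the example above: the final keytab and the SPNs it must contain.
$expected = 'HTTP/control-01.test.local@TEST.LOCAL',
            'HTTP/secondary-01.test.local@TEST.LOCAL',
            'HTTP/secondary-02.test.local@TEST.LOCAL'
$entries = @(Get-KeytabEntry -Path 'C:\keytabs\filename3.keytab')
$entries | Format-Table -AutoSize
$missing = $expected | Where-Object { $_ -notin @($entries.Principal) }
if ($missing) { Write-Warning ('Missing SPNs: {0}' -f ($missing -join ', ')) }
$weak = $entries | Where-Object { $_.Enctype -ne 18 }
if ($weak) { Write-Warning ('Entries not using AES256-SHA1: {0}' -f ($weak.Principal -join ', ')) }
```

Every expected SPN should appear with Enctype 18; an entry with a different encryption type means the AES 256 check box was not set on that account before ktpass ran, and a missing SPN means one of the append steps wrote to a different file than the next step read with -in.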
