Creating a keytab file

The keytab file is created on the domain controller server or on a Windows Server computer that is part of the domain, under the domain administrator account.

To create a keytab file:

1. In the Active Directory Users and Computers snap-in, create a separate user account that will be used to connect the application to the LDAP server (for example, an account named ksmg-ldap).

   When creating the user, select the Password never expires option.

2. To use the AES256-SHA1 encryption algorithm, in the Active Directory Users and Computers snap-in, in the properties of the created user account on the Account tab, select the This account supports Kerberos AES 256 bit encryption check box.
3. Use the ktpass tool to create a keytab file for the ksmg-ldap user. To do so, run the following command on the command line:

   C:\Windows\system32\ktpass.exe -princ ksmg-ldap@<realm Active Directory domain name in uppercase> -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass <ksmg-ldap user password> -out <path to file>\<file name>.keytab

   You can use the * character for the -pass parameter value if you do not want to provide the password in the command text. If this is the case, the tool will prompt you for the password when running the command.

   Example: C:\Windows\system32\ktpass.exe -princ ksmg-ldap@COMPANY.COM -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass * -out C:\Keytabs\ksmg-ldap.keytab

The keytab file will be created. If you change the user account password, you will have to generate a new keytab file.

Page top