Creating a keytab file

You can use the same user account for authentication on all nodes of a cluster. To do so, you must create a keytab file containing the service principal name (SPN) for each of these nodes.

To create a keytab file:

  1. On the domain controller server, create a user account named control-<your name> in the Active Directory Users and Computers snap-in.
  2. If you want to use the AES256-SHA1 encryption algorithm, do the following in the Active Directory Users and Computers snap-in:
    1. Open the properties of the created account.
    2. On the Account tab, select the This account supports Kerberos AES 256 bit encryption check box.
  3. Create a keytab file for the user named control-<your name>. To do so, run the following command in the command line:

    C:\Windows\system32\ktpass.exe -princ HTTP/<fully qualified domain name (FQDN) of the node with role Control>@<realm Active Directory domain name in uppercase> -mapuser control-<your name>@<realm Active Directory domain name in uppercase> -crypto <encryption type, RC4-HMAC-NT is recommended> -ptype KRB5_NT_PRINCIPAL -pass <user password control-<your name>> -out C:\control-<your name>.keytab

    Example of a node FQDN with its realm: node01.test.local@TEST.LOCAL

    The SPN of the node with role Control will be added to the created keytab file.

  4. For each node of the cluster, add an SPN entry to the keytab file. To do so, run the following command:

    C:\Windows\system32\ktpass.exe -princ HTTP/<fully qualified domain name (FQDN) of the node>@<realm Active Directory domain name in uppercase> -mapuser control-<your name>@<realm Active Directory domain name in uppercase> -crypto <encryption type, RC4-HMAC-NT is recommended> -ptype KRB5_NT_PRINCIPAL -pass <user password control-<your name>> -in C:\control-<name of the previously created file>.keytab -out C:\control-<new name>.keytab -setupn -setpass

A keytab file named C:\control-<new name>.keytab will be created. This file will contain all added SPNs of cluster nodes.

Example:

Suppose you created a file named control-tmp1.keytab in step 3. To add one more SPN, run the following command:

C:\Windows\system32\ktpass.exe -princ HTTP/<fully qualified domain name (FQDN) of the node>@<realm Active Directory domain name in uppercase> -mapuser control-<your name>@<realm Active Directory domain name in uppercase> -crypto <encryption type, RC4-HMAC-NT is recommended> -ptype KRB5_NT_PRINCIPAL -pass <user password control-<your name>> -in C:\control-tmp1.keytab -out C:\control-tmp2.keytab -setupn -setpass

To add a third SPN, you must run the following command:

C:\Windows\system32\ktpass.exe -princ HTTP/<fully qualified domain name (FQDN) of the node>@<realm Active Directory domain name in uppercase> -mapuser control-<your name>@<realm Active Directory domain name in uppercase> -crypto <encryption type, RC4-HMAC-NT is recommended> -ptype KRB5_NT_PRINCIPAL -pass <user password control-<your name>> -in C:\control-tmp2.keytab -out C:\control-tmp3.keytab -setupn -setpass

This will result in the creation of a file named control-tmp3.keytab containing all three added SPNs.
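After the last ktpass run, it is worth checking that the resulting file really contains one SPN entry per cluster node and which encryption type each entry uses, since a node whose SPN is missing or was written with an unexpected type will fail authentication. The following Python script is an added example, not code from the original page or from ktpass: it parses the keytab file format that ktpass writes (format version 0x0502, the same layout MIT Kerberos uses), lists the principals, key version numbers and encryption types found, reports expected SPNs that are absent, and flags entries that use RC4-HMAC-NT or DES so an administrator can decide whether to recreate them with AES256-SHA1 (the type enabled in step 2). The sample keytab bytes are constructed inline with placeholder all-zero keys; the SPN and file names follow the page's example.

```python
"""Check a ktpass-generated keytab for expected SPNs and encryption types.

Added example, not part of the original page. Assumes the keytab file format
version 0x0502 written by ktpass.exe. The sample keytab below is constructed
for the demonstration (zero-filled placeholder keys, not real key material).
"""
import struct
import sys

# Kerberos encryption type numbers as they appear in the keytab key block.
ENCTYPE_NAMES = {1: "DES-CBC-CRC", 3: "DES-CBC-MD5", 17: "AES128-SHA1",
                 18: "AES256-SHA1", 23: "RC4-HMAC-NT"}
WEAK_ENCTYPES = {1, 3, 23}   # DES and RC4 are deprecated; AES is preferred
KRB5_NT_PRINCIPAL = 1        # name type passed to ktpass as -ptype


def _counted(data: bytes) -> bytes:
    """16-bit length prefix followed by the bytes (keytab counted octet string)."""
    return struct.pack(">H", len(data)) + data


def build_entry(principal: str, enctype: int, key: bytes, kvno: int = 1) -> bytes:
    """Serialize one keytab entry: size, components, realm, name type, timestamp,
    8-bit kvno, key block, 32-bit kvno extension."""
    name, realm = principal.rsplit("@", 1)
    components = name.split("/")
    body = struct.pack(">H", len(components)) + _counted(realm.encode())
    for comp in components:
        body += _counted(comp.encode())
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, 0, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


def build_keytab(entries) -> bytes:
    """Constructed keytab: version header followed by the serialized entries."""
    return b"\x05\x02" + b"".join(build_entry(*e) for e in entries)


def parse_keytab(data: bytes):
    """Return one dict per live entry: principal, enctype, enctype_name, kvno."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:              # negative size marks a deleted slot; skip it
            pos += -size
            continue
        entry, pos = data[pos:pos + size], pos + size
        off = 0
        (ncomp,) = struct.unpack_from(">H", entry, off); off += 2
        (rlen,) = struct.unpack_from(">H", entry, off); off += 2
        realm = entry[off:off + rlen].decode(); off += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", entry, off); off += 2
            comps.append(entry[off:off + clen].decode()); off += clen
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", entry, off); off += 9
        enctype, klen = struct.unpack_from(">HH", entry, off); off += 4 + klen
        kvno = vno8
        if off + 4 <= len(entry):  # optional 32-bit kvno overrides the 8-bit one
            (vno32,) = struct.unpack_from(">I", entry, off)
            kvno = vno32 or vno8
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "enctype": enctype,
                        "enctype_name": ENCTYPE_NAMES.get(enctype, "etype %d" % enctype),
                        "kvno": kvno})
    return entries


def missing_spns(keytab: bytes, expected_spns):
    """Expected SPNs (e.g. one per cluster node) that the keytab does not contain."""
    present = {e["principal"] for e in parse_keytab(keytab)}
    return sorted(set(expected_spns) - present)


def weak_entries(keytab: bytes):
    """Principals whose key uses a deprecated encryption type (RC4 or DES)."""
    return [e["principal"] for e in parse_keytab(keytab) if e["enctype"] in WEAK_ENCTYPES]


# Constructed sample: two cluster nodes, one written with RC4-HMAC-NT, one with AES256-SHA1.
SAMPLE_KEYTAB = build_keytab([
    ("HTTP/node01.test.local@TEST.LOCAL", 23, bytes(16), 3),
    ("HTTP/node02.test.local@TEST.LOCAL", 18, bytes(32), 3),
])

if __name__ == "__main__":
    # Usage: python check_keytab.py C:\control-tmp3.keytab (falls back to the sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KEYTAB
    for e in parse_keytab(data):
        print("%-40s kvno=%d %s" % (e["principal"], e["kvno"], e["enctype_name"]))
    print("weak entries:", weak_entries(data))
```

Run it against the finished file (for instance C:\control-tmp3.keytab from the example above) and compare the listed principals with the HTTP/<FQDN>@<REALM> names of all cluster nodes; any name reported by missing_spns needs another ktpass run with -in/-out as in step 4, and names reported by weak_entries were created with RC4-HMAC-NT or DES rather than AES256-SHA1.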
