If you have already created a keytab file for Single Sign-On authentication, you can use this file to configure Kerberos authentication on the proxy server.
You can use the same user account for authentication on all nodes of a cluster. To do so, you must create a keytab file containing the service principal name (SPN) for each of these nodes. When creating a keytab file, you must use the +dumpsalt attribute of ktpass to generate a salt (hash function modifier).
The generated salt must be saved using a method of your choosing, because it is required (via the -rawsalt attribute) whenever you subsequently add new SPNs to the keytab file.
You can also create a separate Active Directory user account for each cluster node for which you want to configure Kerberos authentication.
The keytab file is created on the domain controller server or on a Windows Server computer that is part of the domain, under a domain administrator account.
To create a keytab file using a single user account:
1. Create a user account in Active Directory (for example, control-user).
2. Create a keytab file for control-user using the ktpass utility. To do so, run the following command in the command line:
C:\Windows\system32\ktpass.exe -princ HTTP/<fully qualified domain name (FQDN) of the Control node>@<realm uppercase Active Directory domain name> -mapuser control-user@<realm uppercase Active Directory domain name> -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass * +dumpsalt -out <path to file>\<file name>.keytab
The utility will prompt you for the control-user password when running the command.
The SPN of the node with role Control will be added to the created keytab file. The generated salt is displayed: Hashing password with salt "<hash value>".
3. Add the SPN of each remaining cluster node to the keytab file. To do so, run the following command in the command line for each node:
C:\Windows\system32\ktpass.exe -princ HTTP/<fully qualified domain name (FQDN) of the node>@<realm uppercase Active Directory domain name> -mapuser control-user@<realm uppercase Active Directory domain name> -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass * -in <path and name of the previously created file>.keytab -out <path and new name>.keytab -setupn -setpass -rawsalt "<hash value of the salt obtained when creating the keytab file for the Control node>"
The utility will prompt you for the control-user password when running the command.
The keytab file will be created. This file will contain all added SPNs of cluster nodes.
Example: suppose you need to create a keytab file that contains the SPNs of 3 nodes. To create a file named
Suppose you got the salt
To add one more SPN, you must run the following command:
To add a third SPN, you must run the following command:
This will result in the creation of a file named
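The single-account procedure above, as an added PowerShell example that is not part of the original page: it chains the two ktpass commands for three nodes, parses the salt that +dumpsalt prints, stores it, and reuses it with -rawsalt on every later run. The realm EXAMPLE.COM, the node FQDNs and the C:\keytabs path are constructed placeholders.

```powershell
# Added example (not from the original page): runs the ktpass sequence described above for a
# list of cluster nodes that share one AD account, capturing the salt printed by +dumpsalt on
# the first run and passing it back with -rawsalt on every later run.
# Realm, node FQDNs and paths are constructed placeholders; replace them before use.
$Realm   = 'EXAMPLE.COM'                    # uppercase Active Directory domain name
$MapUser = "control-user@$Realm"            # the single account mapped to every SPN
$Nodes   = @('control.example.com',         # node with the Control role must come first
             'secondary1.example.com',
             'secondary2.example.com')
$OutDir  = 'C:\keytabs'
$Ktpass  = Join-Path $env:SystemRoot 'System32\ktpass.exe'
$SaltRe  = 'Hashing password with salt "([^"]+)"'   # output line format documented above

New-Item -ItemType Directory -Force -Path $OutDir | Out-Null

# Control node: ktpass prompts for the control-user password (-pass *); +dumpsalt makes it
# print the salt used to derive the AES256 key. stdout is captured so the salt can be parsed,
# so the prompt text may not be visible before ktpass waits for input.
$prev = Join-Path $OutDir 'keytab1.keytab'
$log  = & $Ktpass -princ "HTTP/$($Nodes[0])@$Realm" -mapuser $MapUser `
          -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass * '+dumpsalt' -out $prev 2>&1 |
        Out-String
Write-Host $log
if ($log -match $SaltRe) { $Salt = $Matches[1] }
else { throw 'Salt not found in ktpass output; stopping before any -rawsalt run.' }
# The salt must be kept for future SPN additions; store it next to the keytab.
Set-Content -Path (Join-Path $OutDir 'salt.txt') -Value $Salt

# Remaining nodes: read the previous file with -in, add one SPN, write a new file with -out.
# Type the same control-user password at every prompt; -setpass resets the account password
# and -rawsalt reuses the first salt, so the key in each new file matches the earlier ones.
for ($i = 1; $i -lt $Nodes.Count; $i++) {
    $next = Join-Path $OutDir ("keytab{0}.keytab" -f ($i + 1))
    & $Ktpass -princ "HTTP/$($Nodes[$i])@$Realm" -mapuser $MapUser `
        -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass * `
        -in $prev -out $next -setupn -setpass -rawsalt $Salt
    if (-not (Test-Path $next)) { throw "ktpass did not produce $next for $($Nodes[$i])" }
    $prev = $next
}

# The final file holds every SPN and the shared key: restrict it to administrators only.
icacls $prev /inheritance:r /grant:r 'Administrators:F' | Out-Null
Write-Host "Keytab containing $($Nodes.Count) SPNs: $prev (salt saved in salt.txt)"
```

Run it under a domain administrator account on the domain controller or a domain-joined Windows Server, as the page requires; the intermediate keytab files left in the directory also contain the key and should be deleted or protected the same way.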
To create a keytab file using a separate user account for each node:
1. Create a separate user account in Active Directory for each cluster node (for example, control-user, secondary1-user, secondary2-user and so on).
2. Create a keytab file for control-user using the ktpass utility. To do so, run the following command in the command line:
C:\Windows\system32\ktpass.exe -princ HTTP/<fully qualified domain name (FQDN) of the Control node>@<realm uppercase Active Directory domain name> -mapuser control-user@<realm uppercase Active Directory domain name> -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass * -out <path to file>\<file name>.keytab
The utility will prompt you for the control-user password when running the command.
The SPN of the node with role Control will be added to the created keytab file.
3. Add the SPN of each remaining cluster node to the keytab file, using that node's own account. To do so, run the following command in the command line for each node:
C:\Windows\system32\ktpass.exe -princ HTTP/<fully qualified domain name (FQDN) of the node>@<realm uppercase Active Directory domain name> -mapuser secondary1-user@<realm uppercase Active Directory domain name> -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass * -in <path and name of the previously created file>.keytab -out <path and new name>.keytab
The utility will prompt you for the secondary1-user password when running the command.
The keytab file will be created. This file will contain all added SPNs of cluster nodes.
Example: suppose you need to create a keytab file that contains the SPNs of 3 nodes. To create a file named
To add one more SPN, you must run the following command:
To add a third SPN, you must run the following command:
This will result in the creation of a file named