You can use the same user account for authentication on all nodes of a cluster. To do so, you must create a keytab file containing the service principal name (SPN) for each of these nodes. When creating a keytab file, you must use the attribute to generate a salt (hash function modifier).
The generated salt must be saved using a method of your choosing to subsequently add new SPNs to the keytab file.
You can also create a separate Active Directory user account for each cluster node for which you want to configure Kerberos authentication.
Before you create a keytab file
Before creating a keytab file, for each SPN, make sure that it is not registered in Active Directory. You can do this by running the following command: setspn -Q <SPN>
, where <SPN>
has the following structure: HTTP/<fully qualified domain name (FQDN) of the cluster node>@<realm name of the Active Directory domain in upper case>
.
The command should return "No such SPN found"
, which means that the SPN in question is not registered. If the SPN has already been registered, before creating the keytab file, you need to unassign the SPN from the account or delete the account itself in the Active Directory to which this SPN was assigned.
Example of checking an SPN for one Control node and Secondary nodes: setspn -Q HTTP/control-01.test.local@TEST.LOCAL setspn -Q HTTP/secondary-01.test.local@TEST.LOCAL setspn -Q HTTP/secondary-02.test.local@TEST.LOCAL |
Creating a keytab file
The keytab file is created on the domain controller server or on a Windows Server computer that is part of the domain, under a domain administrator account.
To create a keytab file using a single user account:
control-user
.control-user
using the ktpass utility. To do so, run the following command in the command line:C:\Windows\system32\ktpass.exe -princ HTTP/<fully qualified domain name (FQDN) of the Control node>@<realm uppercase Active Directory domain name> -mapuser control-user@<realm uppercase Active Directory domain name> -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass * +dumpsalt -out <path to file>\<file name>.keytab
The utility will prompt you for the control-user
password when running the command.
The SPN of the node with role Control will be added to the created keytab file. The generated salt is displayed: Hashing password with salt "<hash value>".
C:\Windows\system32\ktpass.exe -princ HTTP/<fully qualified domain name (FQDN) of the node>@<realm uppercase Active Directory domain name> -mapuser control-user@<realm uppercase Active Directory domain name> -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass * -in <path and name of the previously created file>.keytab -out <path and new name>.keytab -setupn -setpass -rawsalt "<hash value of the salt obtained when creating the keytab file at step 3>"
The utility will prompt you for the control-user
password when running the command.
The keytab file will be created. This file will contain all added SPNs of cluster nodes.
Example: For example, you need to create a keytab file that contains SPNs of 3 nodes: To create a file named
Suppose you got the salt To add one more SPN, you must run the following command:
To add a third SPN, you must run the following command:
This will result in the creation of a file named |
To create a keytab file using a separate user account for each node:
control-user
, secondary1-user
, secondary2-user
and so on).control-user
using the ktpass utility. To do so, run the following command in the command line:C:\Windows\system32\ktpass.exe -princ HTTP/<fully qualified domain name (FQDN) of the Control node>@<realm uppercase Active Directory domain name> -mapuser control-user@<realm uppercase Active Directory domain name> -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass * -out <path to file>\<file name>.keytab
The utility will prompt you for the control-user
password when running the command.
The SPN of the node with role Control will be added to the created keytab file.
C:\Windows\system32\ktpass.exe -princ HTTP/<fully qualified domain name (FQDN) of the node>@<realm uppercase Active Directory domain name> -mapuser secondary1-user@<realm uppercase Active Directory domain name> -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass * -in <path and name of the previously created file>.keytab -out <path and new name>.keytab
The utility will prompt you for the secondary1-user
password when running the command.
The keytab file will be created. This file will contain all added SPNs of cluster nodes.
Example: For example, you need to create a keytab file that contains SPNs of 3 nodes: To create a file named
To add one more SPN, you must run the following command:
To add a third SPN, you must run the following command:
This will result in the creation of a file named |
After you create a keytab file
After creating a keytab file, for each SPN, make sure that it is registered and assigned to the relevant account. You can do this by running the following command: setspn -Q <SPN>
, where <SPN>
has the following structure: HTTP/<fully qualified domain name (FQDN) of the cluster node>@<realm name of the Active Directory domain in upper case>
.
The command must return "Existing SPN found"
and the account to which the SPN is assigned.
Additionally, after creating a keytab file, you can check the list of SPNs assigned to the relevant account. To do so, you can run the following command: setspn -L <account>
, where <account>
has the following structure: <user name>@<realm name of the Active Directory domain in upper case>
.
If the keytab file was created with one account, the command should return a list of all SPNs for which the keytab file was created. If the keytab file was created with separate accounts for each node, the command should return one SPN that is assigned to the specific account.
Example command for one account: setspn -L control-user@TEST.LOCAL Example command for separate accounts for each node: setspn -L control-user@TEST.LOCAL setspn -L secondary1-user@TEST.LOCAL setspn -L secondary2-user@TEST.LOCAL |