Creating a keytab file
December 19, 2024
ID 233047
The keytab file is created on the domain controller server or on a Windows Server computer that is part of the domain, under a domain administrator account.
To create a keytab file:
- In the Active Directory Users and Computers snap-in, create a separate user account that will be used to connect the application to an LDAP server (for example, an account named kwts-ldap). When creating a password, you must select the Password never expires option.
- To employ the AES256-SHA1 encryption algorithm, use the Active Directory Users and Computers snap-in to open the properties of the created user account on the Account tab, then select the This account supports Kerberos AES 256 bit encryption check box.
- Use the ktpass utility to create a keytab file for the kwts-ldap user. To do so, run the following command in the command line:
C:\Windows\system32\ktpass.exe -princ kwts-ldap@<realm Active Directory domain name in uppercase> -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass <kwts-ldap user password> -out <path to file>\<file name>.keytab
You can use the * character as the value of the -pass parameter to avoid including the password in the command text. In this case, the utility prompts you for the password when you run the command.
Example:
C:\Windows\system32\ktpass.exe -princ kwts-ldap@COMPANY.COM -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass * -out C:\Keytabs\kwts-ldap.keytab
The keytab file will be created. If you change the user account password, you will have to generate a new keytab file.
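Before handing the file to the application, it is worth confirming that it actually holds the expected principal and an AES256 key and nothing weaker. The Python script below is an added example, not part of this page or of ktpass: it parses the version 0x0502 keytab layout that ktpass writes and reports problems without printing key material. The realm COMPANY.COM, the timestamp and the sample keytab bytes are constructed for illustration.

```python
import struct
AES256 = 18            # aes256-cts-hmac-sha1-96 (RFC 3962): what ktpass -crypto AES256-SHA1 produces
KRB5_NT_PRINCIPAL = 1  # name type written by ktpass -ptype KRB5_NT_PRINCIPAL

def _counted(buf, pos):  # counted_octet_string: uint16 big-endian length, then that many bytes
    n = struct.unpack_from(">H", buf, pos)[0]
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(data):
    """Parse a version 0x0502 keytab (the layout ktpass writes); key bytes are reduced to their length."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        size, pos = struct.unpack_from(">i", data, pos)[0], pos + 4
        if size < 0:                  # a negative size marks a deleted slot: skip its body
            pos -= size
            continue
        end, ncomp = pos + size, struct.unpack_from(">H", data, pos)[0]
        realm, pos = _counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, pos = _counted(data, pos)
            comps.append(c.decode())
        name_type, _stamp, vno8, etype = struct.unpack_from(">IIBH", data, pos)
        key, pos = _counted(data, pos + 11)
        vno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8  # 32-bit kvno is optional
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(), "name_type": name_type,
                        "kvno": vno, "etype": etype, "key_len": len(key)})
        pos = end
    return entries

def check_keytab(data, principal):
    """Return the problems found; an empty list means the file holds only the expected AES256 entry."""
    problems = [] if (entries := parse_keytab(data)) else ["keytab has no entries"]
    for e in entries:
        if (e["principal"], e["name_type"]) != (principal, KRB5_NT_PRINCIPAL):
            problems.append(f"unexpected principal {e['principal']} (name type {e['name_type']})")
        if (e["etype"], e["key_len"]) != (AES256, 32):
            problems.append(f"kvno {e['kvno']}: enctype {e['etype']} with {e['key_len']}-byte key, expected 18 with 32")
    return problems

def _entry(realm, comp, etype, key, vno=3):  # constructed helper: one single-component entry as ktpass lays it out
    body = (struct.pack(">HH", 1, len(realm)) + realm.encode() + struct.pack(">H", len(comp)) + comp.encode()
            + struct.pack(">IIBHH", KRB5_NT_PRINCIPAL, 1734566400, vno & 0xFF, etype, len(key)) + key
            + struct.pack(">I", vno))
    return struct.pack(">i", len(body)) + body

GOOD_KEYTAB = b"\x05\x02" + _entry("COMPANY.COM", "kwts-ldap", AES256, b"\x11" * 32)  # constructed, dummy key bytes
WEAK_KEYTAB = GOOD_KEYTAB + _entry("COMPANY.COM", "kwts-ldap", 23, b"\x22" * 16)       # plus an RC4 (etype 23) entry
```

To check a real file, read it in binary mode and call check_keytab(data, "kwts-ldap@COMPANY.COM") with your own realm; an empty list is the expected result after the procedure above.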