Creating a keytab file
August 12, 2024
ID 228435
You can create one user account to authenticate at multiple Central Node servers. To do so, you must create a keytab file that contains service principal names (hereinafter also SPN) for each of these servers. When you create the keytab file, you must use an attribute to generate a salt (hash function input modifier).
Save the generated salt in any convenient way: you will need it to add more SPNs to the keytab file in the future.
You can also create a separate Active Directory user account for each Central Node server for which you want to set up Kerberos authentication.
To create a keytab file using one user account:
1. On the domain controller, in the Active Directory Users and Computers snap-in, create a user account (for example, with control-user as its name).
2. If you want to use the AES256-SHA1 encryption algorithm, in the Active Directory Users and Computers snap-in:
   - Open the properties of the user account that you have created.
   - On the Account tab, select the This account supports Kerberos AES 256 bit encryption check box.
3. Use the ktpass utility to create a keytab file for the control-user user. To do so, run the following command on the command line:
   C:\Windows\system32\ktpass.exe -princ HTTP/<fully qualified domain name (FQDN) of the Central Node server>@<realm name of the Active Directory domain in uppercase> -mapuser control-user@<realm name of the Active Directory domain in uppercase> -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass * +dumpsalt -out <path to the file>\<file name>.keytab
   The utility requests the control-user password when executing the command. The SPN of the selected server is added to the created keytab file. The generated salt is displayed on screen:
   Hashing password with salt "<hash value>".
4. Add an SPN record for each subsequent Central Node server to the keytab file. To do so, run the following command:
   C:\Windows\system32\ktpass.exe -princ HTTP/<fully qualified domain name (FQDN) of the Central Node server>@<realm name of the Active Directory domain in uppercase> -mapuser control-user@<realm name of the Active Directory domain in uppercase> -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass * -in <path and name of the previously created file>.keytab -out <path and new name>.keytab -setupn -setpass -rawsalt "<hash value of the salt obtained when creating the keytab file at step 3>"
   The utility requests the control-user password when executing the command.
The keytab file is created. This file contains all added SPNs of selected servers.
Example: For example, you need to create a keytab file containing SPN names of 3 servers: To create a
Let's say you got To add another SPN, run the following command:
To add a third SPN:
This creates a |
To create a keytab file using a separate account for each Central Node server:
1. On the domain controller server, in the Active Directory Users and Computers snap-in, create a separate user account for each server (for example, control-user, secondary1-user, secondary2-user, etc.).
2. If you want to use the AES256-SHA1 encryption algorithm, in the Active Directory Users and Computers snap-in:
   - Open the properties of each user account that you have created.
   - On the Account tab, select the This account supports Kerberos AES 256 bit encryption check box.
3. Use the ktpass utility to create a keytab file for the control-user user. To do so, run the following command on the command line:
   C:\Windows\system32\ktpass.exe -princ HTTP/<fully qualified domain name (FQDN) of the Central Node server>@<realm name of the Active Directory domain in uppercase> -mapuser control-user@<realm name of the Active Directory domain in uppercase> -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass * -out <path to the file>\<file name>.keytab
   The utility requests the control-user password when executing the command. The SPN of the selected server is added to the created keytab file.
4. Add an SPN record for each subsequent Central Node server to the keytab file, mapping it to the account created for that server (secondary1-user in the example below). To do so, run the following command:
   C:\Windows\system32\ktpass.exe -princ HTTP/<fully qualified domain name (FQDN) of the Central Node server>@<realm name of the Active Directory domain in uppercase> -mapuser secondary1-user@<realm name of the Active Directory domain in uppercase> -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass * -in <path and name of the previously created file>.keytab -out <path and new name>.keytab
   The utility requests the secondary1-user password when executing the command.
The keytab file is created. This file contains all added SPNs of selected servers.
Example: For example, you need to create a keytab file containing SPN names of 3 servers: To create a
To add another SPN, run the following command:
To add a third SPN:
This creates a |
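Both procedures above end with a keytab file that should hold one SPN entry per Central Node server, each with an AES256-SHA1 key. The following Python script is an added example, not part of this page or of the product, that reads a keytab in the format ktpass writes (MIT format 0x0502), lists its entries, and checks that every expected SPN is present with an AES256-SHA1 key (encryption type 18). For the one-account procedure it additionally checks that all SPN entries carry the same key bytes, which is exactly what reusing the first run's salt via -rawsalt is meant to guarantee: the same password hashed with the same salt yields the same key, so differing keys mean the salt was not reused. The realm EXAMPLE.COM, the host names cn1..cn3.example.com, the key bytes and the key version number are constructed sample values, and the build_* functions exist only to generate that sample offline; against a real file you would call check_keytab on its bytes.

```python
# Added example: verify a keytab built by the ktpass procedures above.
# Sample realm, host names, keys and kvno below are constructed, not real.
import struct

ENCTYPE_AES256_SHA1 = 18   # aes256-cts-hmac-sha1-96, "AES256-SHA1" in ktpass
ENCTYPE_RC4_HMAC = 23
KRB5_NT_PRINCIPAL = 1      # the -ptype used in the commands above


def _counted(raw: bytes) -> bytes:
    # keytab string encoding: 16-bit big-endian length, then the bytes
    return struct.pack(">H", len(raw)) + raw


def _read_counted(data: bytes, pos: int):
    (length,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + length], pos + 2 + length


def build_entry(principal: str, enctype: int, key: bytes, kvno: int = 3) -> bytes:
    """Serialise one MIT keytab (format 0x0502) entry, size prefix included."""
    name, realm = principal.rsplit("@", 1)
    components = name.split("/")           # "HTTP/host" -> ["HTTP", "host"]
    body = struct.pack(">H", len(components)) + _counted(realm.encode())
    body += b"".join(_counted(c.encode()) for c in components)
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, 0, kvno & 0xFF)  # name type, timestamp, vno8
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)        # 32-bit kvno extension
    return struct.pack(">i", len(body)) + body


def build_keytab(entries) -> bytes:
    """entries: iterable of (principal, enctype, key) tuples."""
    return b"\x05\x02" + b"".join(build_entry(*e) for e in entries)


def parse_keytab(data: bytes) -> list:
    """Return every live entry of a format 0x0502 keytab as a dict."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a format 0x0502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                       # negative size marks a deleted slot
            pos += -size
            continue
        end, p = pos + size, pos
        (ncomp,) = struct.unpack_from(">H", data, p)
        realm, p = _read_counted(data, p + 2)
        components = []
        for _ in range(ncomp):
            component, p = _read_counted(data, p)
            components.append(component.decode())
        name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, p)
        enctype, klen = struct.unpack_from(">HH", data, p + 9)
        key = data[p + 13:p + 13 + klen]
        p += 13 + klen
        kvno = vno8
        if end - p >= 4:                   # optional 32-bit kvno overrides vno8
            (kvno32,) = struct.unpack_from(">I", data, p)
            kvno = kvno32 or vno8
        entries.append({"principal": "/".join(components) + "@" + realm.decode(),
                        "name_type": name_type, "kvno": kvno,
                        "enctype": enctype, "key": key})
        pos = end
    return entries


def check_keytab(data: bytes, expected_spns, single_account: bool = False,
                 enctype: int = ENCTYPE_AES256_SHA1) -> list:
    """Return a list of problems (empty = OK): every expected SPN needs a key of
    the given enctype; with single_account=True (one account for all servers)
    all those keys must also be identical, which is what reusing the first
    run's salt via -rawsalt is meant to achieve."""
    problems, matching = [], []
    entries = parse_keytab(data)
    for spn in expected_spns:
        own = [e for e in entries if e["principal"] == spn]
        if not own:
            problems.append(f"missing entry for {spn}")
            continue
        good = [e for e in own if e["enctype"] == enctype]
        if not good:
            found = sorted({e["enctype"] for e in own})
            problems.append(f"{spn}: no enctype {enctype} key (found {found})")
        matching.extend(good)
    if single_account and len({e["key"] for e in matching}) > 1:
        problems.append("keys differ between SPNs: the salt was not reused")
    return problems


# Constructed sample keytabs (not real keys).
REALM = "EXAMPLE.COM"
SPNS = [f"HTTP/cn{i}.example.com@{REALM}" for i in (1, 2, 3)]
SHARED_KEY = bytes(range(32))
GOOD_KEYTAB = build_keytab([(spn, ENCTYPE_AES256_SHA1, SHARED_KEY) for spn in SPNS])
# Two mistakes the check catches: cn2 written with RC4, cn3 with a different salt.
BAD_KEYTAB = build_keytab([
    (SPNS[0], ENCTYPE_AES256_SHA1, SHARED_KEY),
    (SPNS[1], ENCTYPE_RC4_HMAC, bytes(16)),
    (SPNS[2], ENCTYPE_AES256_SHA1, bytes(reversed(SHARED_KEY))),
])
```

Usage: for a file produced by the one-account procedure, run check_keytab(open(path, "rb").read(), spns, single_account=True) and expect an empty list; for the separate-accounts procedure leave single_account at its default, since each account has its own password and therefore its own key. The parser honours negative entry sizes (deleted slots) and the 32-bit kvno extension, so it also handles keytabs that have been edited with ktutil-style tools.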