Creating a keytab file

Support

Support for business applications

Kaspersky Secure Mail Gateway

Authentication using the single sign-on technology

Creating a keytab file

July 3, 2024

ID 206091

You can use the same account to authenticate on all cluster nodes. To do so, create a keytab file containing the service principal names (SPN) for each of these nodes. When creating a keytab file, you will have to use an attribute for generating the salt, which modifies the hash function input.

You must use any convenient method to save the generated "salt" so that it can be used later when adding new SPNs to the keytab file.

You can also create a separate Active Directory user account for each cluster node that requires configuration of Kerberos authentication.

Before you create a keytab file

Before creating a keytab file, for each SPN, make sure that it is not registered in Active Directory. You can do this by running the following command: setspn -Q <SPN>, where <SPN> has the following structure: HTTP/<fully qualified domain name (FQDN) of the cluster node>@<realm name of the Active Directory domain in upper case>.

The command should return "No such SPN found", which means that the SPN in question is not registered. If the SPN has already been registered, before creating the keytab file, you need to unassign the SPN from the account or delete the account itself in the Active Directory to which this SPN was assigned.

Example of checking an SPN for one Control node and two Secondary nodes:

setspn -Q HTTP/control-01.test.local@TEST.LOCAL

setspn -Q HTTP/secondary-01.test.local@TEST.LOCAL

setspn -Q HTTP/secondary-02.test.local@TEST.LOCAL

Creating a keytab file

The keytab file is created on the domain controller server or on a Windows Server computer that is part of the domain, under the domain administrator account.

To create a keytab file using one user account:

In the Active Directory Users and Computers snap-in, create a user account (for example, named control-user).
To use the AES256-SHA1 encryption algorithm, in the Active Directory Users and Computers snap-in:
1. Open the properties of the created account.
2. On the Account tab, select the This account supports Kerberos AES 256 bit encryption check box.
Use the ktpass tool to create a keytab file for control-user. To do so, run the following command on the command line:
C:\Windows\system32\ktpass.exe -princ HTTP/<fully qualified domain name (FQDN) of the Control node>@<realm Active Directory domain name in uppercase> -mapuser control-user@<realm Active Directory domain name in uppercase> -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass * +dumpsalt -out <path to file>\<file name>.keytab

The tool will prompt you for the control-user password when running the command.

The SPN of the Control node is added to the created keytab file. The screen will display the generated salt: Hashing password with salt "<hash value>".
For each cluster node, add an SPN entry to the keytab file. To do so, run the following command:
C:\Windows\system32\ktpass.exe -princ HTTP/<fully qualified domain name (FQDN) of the node>@<realm Active Directory domain name in uppercase> -mapuser control-user@<realm Active Directory domain name in uppercase> -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass * -in <path and name of the previously created file>.keytab -out <path and new name>.keytab -setupn -setpass -rawsalt "<salt hash value obtained when creating the keytab file at step 3>"

The tool will prompt you for the control-user password when running the command.

The keytab file will be created. This file creates all added SPNs of cluster nodes.

Example:

For example, you need to create a keytab file containing the SPNs of 3 nodes: control-01.test.local, secondary-01.test.local, and secondary-02.test.local.

To create a file named filename1.keytab containing the SPN of the Control node in the C:\keytabs\ folder, run the following command:

C:\Windows\system32\ktpass.exe -princ HTTP/control-01.test.local@TEST.LOCAL -mapuser control-user@TEST.LOCAL -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass * +dumpsalt -out C:\keytabs\filename1.keytab

Let's assume you have received the salt "TEST.LOCALHTTPcontrol-01.test.local".

To add one more SPN, run the following command:

C:\Windows\system32\ktpass.exe -princ HTTP/secondary-01.test.local@TEST.LOCAL -mapuser control-user@TEST.LOCAL -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass * -in C:\keytabs\filename1.keytab -out C:\keytabs\filename2.keytab -setupn -setpass -rawsalt "TEST.LOCALHTTPcontrol-01.test.local"

To add a third SPN, run the following command:

C:\Windows\system32\ktpass.exe -princ HTTP/secondary-02.test.local@TEST.LOCAL -mapuser control-user@TEST.LOCAL -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass * -in C:\keytabs\filename2.keytab -out C:\keytabs\filename3.keytab -setupn -setpass -rawsalt "TEST.LOCALHTTPcontrol-01.test.local"

This will result in the creation of a file named filename3.keytab containing all three added SPNs.

To create a keytab file using a separate user account for each node:

In the Active Directory Users and Computers snap-in, create a separate user account for each cluster node (for example, you can create user accounts named control-user, secondary1-user, secondary2-user, and so on).
To use the AES256-SHA1 encryption algorithm, in the Active Directory Users and Computers snap-in:
1. Open the properties of the created account.
2. On the Account tab, select the This account supports Kerberos AES 256 bit encryption check box.
Use the ktpass tool to create a keytab file for control-user. To do so, run the following command on the command line:
C:\Windows\system32\ktpass.exe -princ HTTP/<fully qualified domain name (FQDN) of the Control node>@<realm Active Directory domain name in uppercase> -mapuser control-user@<realm Active Directory domain name in uppercase> -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass * -out <path to file>\<file name>.keytab

The tool will prompt you for the control-user password when running the command.

The SPN of the Control node is added to the created keytab file.
For each cluster node, add an SPN entry to the keytab file. To do so, run the following command:
C:\Windows\system32\ktpass.exe -princ HTTP/<fully qualified domain name (FQDN) of the node>@<realm Active Directory domain name in uppercase> -mapuser secondary1-user@<realm Active Directory domain name in uppercase> -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass * -in <path and name of the previously created file>.keytab -out <path and new name>.keytab

The tool will prompt you for the secondary1-user password when running the command.

The keytab file will be created. This file creates all added SPNs of cluster nodes.

Example:

For example, you need to create a keytab file containing the SPNs of 3 nodes: control-01.test.local, secondary-01.test.local, and secondary-02.test.local.

To create a file named filename1.keytab containing the SPN of the Control node in the C:\keytabs\ folder, run the following command:

C:\Windows\system32\ktpass.exe -princ HTTP/control-01.test.local@TEST.LOCAL -mapuser control-user@TEST.LOCAL -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass * -out C:\keytabs\filename1.keytab

To add one more SPN, run the following command:

C:\Windows\system32\ktpass.exe -princ HTTP/secondary-01.test.local@TEST.LOCAL -mapuser secondary1-user@TEST.LOCAL -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass * -in C:\keytabs\filename1.keytab -out C:\keytabs\filename2.keytab

To add a third SPN, run the following command:

C:\Windows\system32\ktpass.exe -princ HTTP/secondary-02.test.local@TEST.LOCAL -mapuser secondary2-user@TEST.LOCAL -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass * -in C:\keytabs\filename2.keytab -out C:\keytabs\filename3.keytab

This will result in the creation of a file named filename3.keytab containing all three added SPNs.

After you create a keytab file

After creating a keytab file, for each SPN, make sure that it is registered and assigned to the relevant account. You can do this by running the following command: setspn -Q <SPN>, where <SPN> has the following structure: HTTP/<fully qualified domain name (FQDN) of the cluster node>@<realm name of the Active Directory domain in upper case>.

The command must return "Existing SPN found" and the account to which the SPN is assigned.

Additionally, after creating a keytab file, you can check the list of SPNs assigned to the relevant account. To do so, you can run the following command: setspn -L <account>, where <account> has the following structure: <user name>@<realm name of the Active Directory domain in upper case>.

If the keytab file was created with one account, the command should return a list of all SPNs for which the keytab file was created. If the keytab file was created with separate accounts for each node, the command should return one SPN that is assigned to the specific account.

Example command for one account:

setspn -L control-user@TEST.LOCAL

Example command for separate accounts for each node:

setspn -L control-user@TEST.LOCAL

setspn -L secondary1-user@TEST.LOCAL

setspn -L secondary2-user@TEST.LOCAL

Kaspersky Endpoint Security for Business Advanced: Adaptive security of your company

Web and device controls. Data encryption. Centralized and convenient management from a single console.

Kaspersky Premium Support (MSA): High‑priority incident processing

Telephone and web ticket support. Fast response, monitoring and health check. Submit a request and activate the contract (MSA).

Did you find this article helpful?

What can we do better?

Thank you for your feedback! You're helping us improve.