Creating a keytab file for the Squid service

3 July 2024

ID 166438

You can use the same user account for authentication on all nodes of a cluster. To do so, you must create a keytab file containing the service principal name (SPN) for each of these nodes. When creating a keytab file, you must use the attribute to generate a salt (hash function modifier).

The generated salt must be saved using a method of your choosing to subsequently add new SPNs to the keytab file.

You can also create a separate Active Directory user account for each cluster node for which you want to configure Kerberos authentication.

The keytab file is created on the domain controller server or on a Windows Server computer that is part of the domain, under a domain administrator account.

To create a keytab file for the Squid service using a single user account:

  1. In the Active Directory Users and Computers snap-in, create a user account named squid-user.
  2. To use the AES256-SHA1 encryption algorithm, do the following in the Active Directory Users and Computers snap-in:
    1. Open the properties of the created account.
    2. On the Account tab, select the This account supports Kerberos AES 256 bit encryption check box.
  3. Create a keytab file for squid-user using the ktpass utility. To do so, run the following command in the command line:

    C:\Windows\system32\ktpass.exe -princ HTTP/<name of the server with the Squid service>@<realm Active Directory domain name in uppercase> -mapuser squid-user@<realm uppercase Active Directory domain name> -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass * +dumpsalt -out <path to file>\<file name>.keytab

    The name of the server hosting the Squid service should be specified in the lower case (for example, proxy.company.com).

    The utility prompts you for the password of the squid-user when you run the command.

    The SPN entry of the Control node is added to the created keytab file. The generated salt is displayed: Hashing password with salt "<hash value>".

  4. For each node of the cluster, add an SPN entry to the keytab file. To do so, run the following command:

    C:\Windows\system32\ktpass.exe -princ HTTP/<fully qualified domain name (FQDN) of the node>@<realm uppercase Active Directory domain name> -mapuser squid-user@<realm uppercase Active Directory domain name> -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass * -in <path and name of the previously created file>.keytab -out <path and new name>.keytab -setupn -setpass -rawsalt "<hash value of the salt obtained when creating the keytab file at step 3>"

    The utility prompts you for the password of the squid-user when you run the command.

The keytab file for the Squid service will be created. This file will contain all added SPNs of cluster nodes.

Example:

For example, you need to create a keytab file that contains SPNs of 3 nodes: control-01.test.local, secondary-01.test.local, and secondary-02.test.local.

To create a file named filename1.keytab containing the SPN of the Control node in the C:\keytabs\ folder, you must run the following command:

C:\Windows\system32\ktpass.exe -princ HTTP/control-01.test.local@TEST.LOCAL -mapuser squid-user@TEST.LOCAL -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass * +dumpsalt -out C:\keytabs\filename1.keytab

Suppose you got the salt "TEST.LOCALHTTPcontrol-01.test.local".

To add one more SPN, you must run the following command:

C:\Windows\system32\ktpass.exe -princ HTTP/secondary-01.test.local@TEST.LOCAL -mapuser squid-user@TEST.LOCAL -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass * -in C:\keytabs\filename1.keytab -out C:\keytabs\filename2.keytab -setupn -setpass -rawsalt "TEST.LOCALHTTPcontrol-01.test.local"

To add a third SPN, you must run the following command:

C:\Windows\system32\ktpass.exe -princ HTTP/secondary-02.test.local@TEST.LOCAL -mapuser squid-user@TEST.LOCAL -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass * -in C:\keytabs\filename2.keytab -out C:\keytabs\filename3.keytab -setupn -setpass -rawsalt "TEST.LOCALHTTPcontrol-01.test.local"

This will result in the creation of a file named filename3.keytab containing all three added SPNs.

To create a keytab file for the Squid server using a separate user account for each node:

  1. In the Active Directory Users and Computers snap-in, create a separate user account for each cluster node (for example, user accounts with names squid-user, squid-user2, squid-user3, and so on).
  2. To use the AES256-SHA1 encryption algorithm, do the following in the Active Directory Users and Computers snap-in:
    1. Open the properties of the created account.
    2. On the Account tab, select the This account supports Kerberos AES 256 bit encryption check box.
  3. Create a keytab file for squid-user using the ktpass utility. To do so, run the following command in the command line:

    C:\Windows\system32\ktpass.exe -princ HTTP/<lowercase name of the server with the Squid service>@<realm uppercase Active Directory domain name> -mapuser squid-user@<realm uppercase Active Directory domain name> -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass * -out <path to file>\<file name>.keytab

    The name of the server hosting the Squid service should be specified in the lower case (for example, proxy.company.com).

    The utility prompts you for the password of the squid-user when you run the command.

    The SPN entry of the Control node is added to the created keytab file.

  4. For each node of the cluster, add an SPN entry to the keytab file. To do so, run the following command:

    C:\Windows\system32\ktpass.exe -princ HTTP/<fully qualified domain name (FQDN) of the node>@<realm uppercase Active Directory domain name> -mapuser squid-user2@<realm uppercase Active Directory domain name> -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass * -in <path and name of the previously created file>.keytab -out <path and new name>.keytab

    The utility prompts you for the squid-user2 password when you run the command.

The keytab file for the Squid service will be created. This file will contain all added SPNs of cluster nodes.

Example:

For example, you need to create a keytab file that contains SPNs of 3 nodes: control-01.test.local, secondary-01.test.local, and secondary-02.test.local.

To create a file named filename1.keytab containing the SPN of the Control node in the C:\keytabs\ folder, you must run the following command:

C:\Windows\system32\ktpass.exe -princ HTTP/control-01.test.local@TEST.LOCAL -mapuser squid-user@TEST.LOCAL -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass * -out C:\keytabs\filename1.keytab

To add one more SPN, you must run the following command:

C:\Windows\system32\ktpass.exe -princ HTTP/secondary-01.test.local@TEST.LOCAL -mapuser squid-user2@TEST.LOCAL -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass * -in C:\keytabs\filename1.keytab -out C:\keytabs\filename2.keytab

To add a third SPN, you must run the following command:

C:\Windows\system32\ktpass.exe -princ HTTP/secondary-02.test.local@TEST.LOCAL -mapuser squid-user3@TEST.LOCAL -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass * -in C:\keytabs\filename2.keytab -out C:\keytabs\filename3.keytab

This will result in the creation of a file named filename3.keytab containing all three added SPNs.

Did you find this article helpful?
What can we do better?
Thank you for your feedback! You're helping us improve.
Thank you for your feedback! You're helping us improve.