Creating a keytab file

3 July 2024

ID 233047

The keytab file is created on the domain controller server or on a Windows Server computer that is part of the domain, under a domain administrator account.

To create a keytab file:

  1. In the Active Directory Users and Computers snap-in, create a separate user account that will be used to connect the application to an LDAP server (for example, an account named kwts-ldap).

    When creating a password, you must select the Password never expires option.

  2. To employ the AES256-SHA1 encryption algorithm, use the Active Directory Users and Computers snap-in to open the properties of the created user account on the Account tab, then select the This account supports Kerberos AES 256 bit encryption check box.
  3. Use the ktpass utility to create a keytab file for the kwts-ldap user. To do so, run the following command in the command line:

    C:\Windows\system32\ktpass.exe -princ kwts-ldap@<realm Active Directory domain name in uppercase> -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass <kwts-ldap user password> -out <path to file>\<file name>.keytab

    You can use the * character as the value of the -pass parameter to avoid indicating the password in the text of the command. In this case, the utility prompts you for the password when you run the command.

    Example:

    C:\Windows\system32\ktpass.exe -princ kwts-ldap@COMPANY.COM -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass * -out C:\Keytabs\kwts-ldap.keytab

The keytab file will be created. If you change the user account password, you will have to generate a new keytab file.

Did you find this article helpful?
What can we do better?
Thank you for your feedback! You're helping us improve.
Thank you for your feedback! You're helping us improve.