Creating a keytab file
13 December 2023
ID 183739
If you have already created a keytab file for Single Sign-On authentication, you can use this file to configure Kerberos authentication on the proxy server.
You can use the same user account for authentication on all nodes of a cluster. To do so, you must create a keytab file containing the service principal name (SPN) of each of these nodes. When creating the keytab file, you must use the +dumpsalt attribute to generate a salt (hash function modifier).
Save the generated salt using a method of your choosing; it is required later to add new SPNs to the keytab file.
You can also create a separate Active Directory user account for each cluster node for which you want to configure Kerberos authentication.
The keytab file is created on the domain controller server or on a Windows Server computer that is part of the domain, under a domain administrator account.
To create a keytab file using a single user account:
- In the Active Directory Users and Computers snap-in, create a user account named, for example, control-user.
- To use the AES256-SHA1 encryption algorithm, do the following in the Active Directory Users and Computers snap-in:
  - Open the properties of the created account.
  - On the Account tab, select the This account supports Kerberos AES 256 bit encryption check box.
- Create a keytab file for control-user using the ktpass utility. To do so, run the following command in the command line:
  C:\Windows\system32\ktpass.exe -princ HTTP/<fully qualified domain name (FQDN) of the Control node>@<realm uppercase Active Directory domain name> -mapuser control-user@<realm uppercase Active Directory domain name> -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass * +dumpsalt -out <path to file>\<file name>.keytab
  The utility will prompt you for the control-user password when running the command. The SPN of the node with the Control role will be added to the created keytab file. The generated salt is displayed:
  Hashing password with salt "<hash value>".
- For each node of the cluster, add an SPN entry to the keytab file. To do so, run the following command:
  C:\Windows\system32\ktpass.exe -princ HTTP/<fully qualified domain name (FQDN) of the node>@<realm uppercase Active Directory domain name> -mapuser control-user@<realm uppercase Active Directory domain name> -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass * -in <path and name of the previously created file>.keytab -out <path and new name>.keytab -setupn -setpass -rawsalt "<hash value of the salt obtained when creating the keytab file at step 3>"
  The utility will prompt you for the control-user password when running the command.
The keytab file will be created. This file will contain all added SPNs of cluster nodes.
Example: you need to create a keytab file that contains the SPNs of 3 nodes.
To create a file named
Suppose you got the salt
To add one more SPN, you must run the following command:
To add a third SPN, you must run the following command:
This will result in the creation of a file named
To create a keytab file using a separate user account for each node:
- In the Active Directory Users and Computers snap-in, create a separate user account for each cluster node (for example, user accounts with the names control-user, secondary1-user, secondary2-user, and so on).
- If you want to use the AES256-SHA1 encryption algorithm, do the following in the Active Directory Users and Computers snap-in for each created account:
  - Open the properties of the created account.
  - On the Account tab, select the This account supports Kerberos AES 256 bit encryption check box.
- Create a keytab file for control-user using the ktpass utility. To do so, run the following command in the command line:
  C:\Windows\system32\ktpass.exe -princ HTTP/<fully qualified domain name (FQDN) of the Control node>@<realm uppercase Active Directory domain name> -mapuser control-user@<realm uppercase Active Directory domain name> -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass * -out <path to file>\<file name>.keytab
  The utility will prompt you for the control-user password when running the command. The SPN of the node with the Control role will be added to the created keytab file.
- For each node of the cluster, add an SPN entry to the keytab file, mapping it to that node's own user account. To do so, run the following command:
  C:\Windows\system32\ktpass.exe -princ HTTP/<fully qualified domain name (FQDN) of the node>@<realm uppercase Active Directory domain name> -mapuser secondary1-user@<realm uppercase Active Directory domain name> -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass * -in <path and name of the previously created file>.keytab -out <path and new name>.keytab
  The utility will prompt you for the secondary1-user password when running the command.
The keytab file will be created. This file will contain all added SPNs of cluster nodes.
Example: you need to create a keytab file that contains the SPNs of 3 nodes.
To create a file named
To add one more SPN, you must run the following command:
To add a third SPN, you must run the following command:
This will result in the creation of a file named
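Before copying the file to the proxy server, a practitioner will want to confirm that both procedures above actually produced one AES256 entry per cluster node. The following added example (not part of this page or of the product's tooling) parses the MIT-format keytab that ktpass writes (version bytes 0x05 0x02) and lists the SPNs that are missing or lack an aes256-cts-hmac-sha1-96 key (enctype 18, which -crypto AES256-SHA1 produces). The build_keytab helper, node names and keys are constructed only to give the parser test input.

```python
import struct

AES256_CTS_HMAC_SHA1_96 = 18  # enctype written by ktpass -crypto AES256-SHA1
KRB5_NT_PRINCIPAL = 1         # name type written by -ptype KRB5_NT_PRINCIPAL

def build_keytab(entries):
    """Constructed test input only: write a v2 keytab from (principal, kvno, enctype, key)."""
    out = b"\x05\x02"
    for princ, kvno, enctype, key in entries:
        name, realm = princ.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps))              # component count (realm excluded in v2)
        for s in [realm] + comps:                         # realm first, then each component
            body += struct.pack(">H", len(s)) + s.encode()
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, 0, kvno & 0xFF)  # name type, timestamp, 8-bit vno
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)                   # optional 32-bit vno at the end
        out += struct.pack(">i", len(body)) + body        # entry is prefixed by its signed length
    return out

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] for every live entry; negative sizes are deleted slots."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                                      # hole left by a deleted entry
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos); pos += 2
        strs = []
        for _ in range(ncomp + 1):                        # realm, then components
            (n,) = struct.unpack_from(">H", data, pos); pos += 2
            strs.append(data[pos:pos + n].decode()); pos += n
        _name_type, _ts, kvno8 = struct.unpack_from(">IIB", data, pos); pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos); pos += 4 + klen
        kvno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else kvno8
        entries.append(("/".join(strs[1:]) + "@" + strs[0], kvno, enctype))
        pos = end
    return entries

def missing_spns(data, node_fqdns, realm):
    """SPNs HTTP/<FQDN>@<REALM> that have no AES256 entry in the keytab (should be empty)."""
    have = {p for p, _, e in parse_keytab(data) if e == AES256_CTS_HMAC_SHA1_96}
    return [s for s in (f"HTTP/{n}@{realm}" for n in node_fqdns) if s not in have]
```

On a real file, pass open(path, "rb").read() to missing_spns together with the cluster node FQDNs and the uppercase realm; a non-empty result means a node's ktpass step was skipped or ran with a different -crypto value.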