Creating a keytab file

You can use the same account for authentication on the Master server and Secondary master servers. To do so, you must create a keytab file containing the service principal name (SPN) for each of these servers.

To create a keytab file:

  1. On the domain controller server, create a user account named control-<your name> in the Active Directory Users and Computers snap-in.
  2. If you want to use the AES256-SHA1 encryption algorithm, do the following in the Active Directory Users and Computers snap-in:
    1. Open the properties of the created account.
    2. On the Account tab, select the This account supports Kerberos AES 256 bit encryption check box.
  3. Create a keytab file for the user named control-<your name>. To do so, run the following command at the command prompt:

    C:\Windows\system32\ktpass.exe -princ HTTP/<Master server name>@<realm uppercase Active Directory domain name> -mapuser control-<your name>@<realm uppercase Active Directory domain name> -crypto <encryption type, RC4-HMAC-NT is recommended> -ptype KRB5_NT_PRINCIPAL -pass <user password of control-<your name>> -out C:\control-tmp1-<your name>.keytab

    The Master server SPN will be added to the created keytab file.

  4. If a Secondary master server is available, add a second SPN entry to the keytab file. To do so, run the following command:

    C:\Windows\system32\ktpass.exe -princ HTTP/<Secondary master server name>@<realm uppercase Active Directory domain name> -mapuser control-<your name>@<realm uppercase Active Directory domain name> -crypto <encryption type, RC4-HMAC-NT is recommended> -ptype KRB5_NT_PRINCIPAL -pass <user password of control-<your name>> -in C:\control-tmp1-<your name>.keytab -out C:\control-tmp2-<your name>.keytab -setupn -setpass

    If necessary, repeat this step for each Secondary master server for which you want to add an entry to the keytab file.

The keytab file will be created.
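The file that ktpass writes is in the MIT keytab format (version 0x0502), so its contents can be inspected before the file is copied to the Master server to confirm that every SPN ended up in it with the intended encryption type. The script below is an added example and is not part of this documentation or of ktpass: it builds a constructed two-entry keytab in memory (the realm EXAMPLE.LOCAL, the host names, the key bytes and the kvno are all made-up sample values), parses it back with the same format rules, and reports any expected SPN that is absent. To check a real file, pass the result of `open(path, "rb").read()` to `parse_keytab` in place of `SAMPLE_KEYTAB`.

```python
import struct
from typing import Dict, List, Tuple

# Kerberos encryption type numbers (RFC 3961, RFC 3962, RFC 4757).
ENCTYPE_NAMES = {
    1: "DES-CBC-CRC",
    3: "DES-CBC-MD5",
    17: "AES128-CTS-HMAC-SHA1-96",
    18: "AES256-CTS-HMAC-SHA1-96",
    23: "RC4-HMAC",
}


def _counted(b: bytes) -> bytes:
    """Encode a counted_octet_string: uint16 big-endian length, then the bytes."""
    return struct.pack(">H", len(b)) + b


def _read_counted(buf: bytes, off: int) -> Tuple[bytes, int]:
    (length,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + length], off + length


def build_entry(principal: str, realm: str, enctype: int, key: bytes, kvno: int,
                timestamp: int = 0, name_type: int = 1) -> bytes:
    """Serialise one keytab_entry (used here only to construct sample input).

    name_type 1 is KRB5_NT_PRINCIPAL, the -ptype value used in the procedure.
    """
    comps = principal.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    for c in comps:
        body += _counted(c.encode())
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)   # name_type, timestamp, vno8
    body += struct.pack(">H", enctype) + _counted(key)               # keyblock
    body += struct.pack(">I", kvno)                                   # optional 32-bit vno
    return struct.pack(">i", len(body)) + body


def build_keytab(entries: List[tuple]) -> bytes:
    return b"\x05\x02" + b"".join(build_entry(*e) for e in entries)


def parse_keytab(data: bytes) -> List[Dict]:
    """Parse a version 0x0502 keytab into a list of entry dicts."""
    if len(data) < 2 or data[0] != 0x05:
        raise ValueError("not a keytab: bad version header")
    if data[1] != 0x02:
        raise ValueError("only keytab version 0x0502 is supported")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:              # a negative size marks a deleted slot; skip it
            off += -size
            continue
        end = off + size
        if end > len(data):
            raise ValueError("truncated keytab entry")
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _read_counted(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _read_counted(data, off)
            comps.append(c.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        (enctype,) = struct.unpack_from(">H", data, off)
        off += 2
        key, off = _read_counted(data, off)
        kvno = vno8
        if end - off >= 4:         # 32-bit kvno is present when bytes remain in the entry
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                kvno = vno32
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "name_type": name_type,
            "kvno": kvno,
            "enctype": enctype,
            "enctype_name": ENCTYPE_NAMES.get(enctype, f"unknown({enctype})"),
            "key_len": len(key),   # key bytes themselves are deliberately not exposed
        })
        off = end
    return entries


def missing_spns(entries: List[Dict], expected: List[str]) -> List[str]:
    """Return the expected principals that have no entry in the keytab."""
    present = {e["principal"] for e in entries}
    return [spn for spn in expected if spn not in present]


# Constructed sample: two HTTP SPNs mapped to one account, RC4-HMAC keys of dummy bytes.
REALM = "EXAMPLE.LOCAL"
SAMPLE_KEYTAB = build_keytab([
    ("HTTP/master.example.local", REALM, 23, b"\x11" * 16, 3),
    ("HTTP/secondary.example.local", REALM, 23, b"\x22" * 16, 3),
])

if __name__ == "__main__":
    parsed = parse_keytab(SAMPLE_KEYTAB)
    for e in parsed:
        print(f'{e["principal"]}  kvno={e["kvno"]}  {e["enctype_name"]}')
    print("missing:", missing_spns(parsed, ["HTTP/master.example.local@EXAMPLE.LOCAL"]))
```

The parser reports only the key length, not the key material, so its output can be pasted into a change record without disclosing the account's long-term key. Comparing `enctype_name` against the `-crypto` value you passed to ktpass catches the common mistake of the AES check box being set on the account while the keytab was generated with a different type.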
