Create the Kerberos keytab file
Overview
You use the ktpass tool to create the Kerberos keytab file (krb5.keytab) for use with the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) trust association interceptor (TAI) for WAS.
Use the ktpass tool from the Windows Server toolkit to create the Kerberos keytab file for the service principal name (SPN). Use the ktpass tool that matches the Windows server level you are using: the Windows 2000 version for a Windows 2000 Server, or the Windows 2003 version for a Windows 2003 Server. The Windows 2003 Server version of the ktpass tool supports the RC4-HMAC encryption type and single Data Encryption Standard (DES). The Windows 2000 Server version of the ktpass tool is similar, but different options are necessary for the RC4-HMAC encryption type and single DES.
Below is a summary of the functions available when you enter ktpass -? on the command line.
    C:\MS SDK>ktpass -?
    Command line options:
    ---------------------most useful args
    [- /]     out : Keytab to produce
    [- /]   princ : Principal name (user@REALM)
    [- /]    pass : password to use
                    use "*" to prompt for password.
    ---------------------less useful stuff
    [- /] mapuser : map princ (above) to this user account (default: don't)
    [- /]   mapOp : how to set the mapping attribute (default: add it)
    [- /]   mapOp : is one of:
    [- /]   mapOp : add : add value (default)
    [- /]   mapOp : set : set value
    [- +] DesOnly : Set account for des-only encryption (default:no)
    [- /]      in : Keytab to read/digest
    ---------------------options for key generation
    [- /]  crypto : Cryptosystem to use
    [- /]  crypto : is one of:
    [- /]  crypto : DES-CBC-CRC : for compatibility
    [- /]  crypto : DES-CBC-MD5 : default
    [- /]  crypto : RC4 :
    [- /]   ptype : principal type in question
    [- /]   ptype : is one of:
    [- /]   ptype : KRB5_NT_PRINCIPAL : The general ptype-- recommended
    [- /]   ptype : KRB5_NT_SRV_INST : user service instance
    [- /]   ptype : KRB5_NT_SRV_HST : host service instance
    [- /]    kvno : Override Key VNumber
                    Default: query DC for kvno. Use /kvno 1 for Win2K compat.
    [- +]  Answer : +Answer answers YES to prompts. -Answer answers NO.
    [- /]  Target : Which DC to use. Default:detect

Depending on the encryption type, you use the ktpass tool in one of the following ways to create the Kerberos keytab file:
Procedure
- For a single DES encryption type:

    ktpass -out c:\temp\server3.keytab -princ HTTP/server3.foobar.com@FOOBAR.COM -mapUser server3 -mapOp set -pass was1edu -crypto DES-CBC-MD5 +DesOnly

where:

    -out c:\temp\server3.keytab
        The key is written to this output file.
    -princ HTTP/server3.foobar.com@FOOBAR.COM
        The concatenation of the user logon name and the realm; the realm must be in uppercase.
    -mapUser
        The key is mapped to the user, server3.
    -mapOp
        This option sets the mapping.
    -pass was1edu
        This option is the password for the user ID.
    -crypto DES-CBC-MD5
        This option uses the single DES encryption type.
    +DesOnly
        This option generates only DES encryptions.
- For the RC4-HMAC encryption type:

RC4-HMAC encryption is supported only when a Windows 2003 Server is the KDC. It is not supported with a Windows 2000 Server as the KDC.
From a command prompt, run the ktpass command.
    ktpass -out c:\temp\poc.keytab -princ HTTP/interop.foobar.com@FOOBAR.COM -mapUser server3 -mapOp set -pass was1edu -crypto RC4

where:

    -out f:\abc\server3.keytab
        The key is written to this output file.
    -princ HTTP/server3.foobar.com@FOOBAR.COM
        The concatenation of the user logon name and the realm; the realm must be in uppercase.
    -mapUser
        The key is mapped to the user, server3.
    -mapOp
        This option sets the mapping.
    -pass was1edu
        This option is the password for the user ID.
    -crypto RC4
        This option chooses the RC4-HMAC encryption type.
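After running either ktpass command, it is worth confirming what actually landed in the keytab before copying it to the WAS host. The following Python is an added example (not part of this page or of the ktpass tool): it parses the keytab format that ktpass writes (MIT keytab version 0x0502, with the 32-bit kvno extension), reports each entry's principal, encryption type and key version number without ever returning the key bytes, and flags DES-only keytabs. The sample keytab bytes are constructed inside the code using the page's SPN; build_entry exists only to produce that sample.

```python
import struct

# Enctype numbers behind the ktpass -crypto choices. Single DES (1, 3) is deprecated by RFC 6649 and
# RC4-HMAC (23) by RFC 8429, but RC4 is the strongest type this version of ktpass can write.
ENCTYPES = {1: "DES-CBC-CRC", 3: "DES-CBC-MD5", 23: "RC4-HMAC"}
WEAK_ENCTYPES = {1, 3}
def _cstr(data, pos):  # counted octet string: uint16 big-endian length followed by the bytes
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n
def parse_keytab(data):
    """Parse a version 0x0502 keytab (the format ktpass writes); key bytes are never returned."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:  # a negative size marks a deleted slot of that length; skip it
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)  # component count excludes the realm
        realm, pos = _cstr(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _cstr(data, pos)
            comps.append(comp.decode())
        _name_type, _timestamp, kvno, enctype, klen = struct.unpack_from(">IIBHH", data, pos)
        pos += 13 + klen  # step over the secret key material without copying it
        if end - pos >= 4:  # optional 32-bit kvno overrides the 8-bit field
            (kvno,) = struct.unpack_from(">I", data, pos)
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(), "kvno": kvno,
                        "enctype": ENCTYPES.get(enctype, "enctype %d" % enctype),
                        "weak": enctype in WEAK_ENCTYPES})
        pos = end
    return entries
def strong_enctypes_for(data, spn):
    """Non-DES enctypes stored for the expected SPN; an empty list means no usable key for it."""
    return [e["enctype"] for e in parse_keytab(data) if e["principal"] == spn and not e["weak"]]
def build_entry(principal, enctype, kvno, key):  # encoder used only for the constructed sample
    name, realm = principal.split("@")
    body = struct.pack(">HH", len(name.split("/")), len(realm)) + realm.encode()
    for comp in name.split("/"):
        body += struct.pack(">H", len(comp)) + comp.encode()
    body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, enctype, len(key)) + key  # KRB5_NT_PRINCIPAL
    return struct.pack(">i", len(body) + 4) + body + struct.pack(">I", kvno)

# Constructed sample: the page's SPN with one DES-CBC-MD5 key and one RC4-HMAC key (dummy key bytes)
SPN = "HTTP/server3.foobar.com@FOOBAR.COM"
SAMPLE_KEYTAB = b"\x05\x02" + build_entry(SPN, 3, 2, b"\x11" * 8) + build_entry(SPN, 23, 2, b"\x22" * 16)
```

Run parse_keytab over the file written by -out to confirm the principal, realm case and kvno match the account in Active Directory; if strong_enctypes_for returns an empty list, the keytab was created with +DesOnly or for the wrong SPN.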
Results
The Kerberos keytab file is created for use with the SPNEGO TAI. A Kerberos keytab file contains a list of keys that are analogous to user passwords. It is important for hosts to protect their Kerberos keytab files by storing them on local disk with permissions that make them readable only by authorized users.
Related tasks
Configure WAS environment to use SPNEGO
Related reference
Kerberos configuration requirements for SPNEGO TAI
Configure the Kerberos configuration properties