Create a Kerberos service principal and keytab file used by the WAS SPNEGO TAI (deprecated)

Create a Kerberos service principal and keytab file used by the WAS SPNEGO TAI (deprecated)

You perform this configuration task on the Microsoft Active Directory domain controller machine. This task is a necessary part of preparing to process single sign on browser requests to WebSphere Application Server and thee SPNEGO trust association interceptor (TAI).
You need to have a running domain controller and at least one client machine in that domain.

Deprecated feature:
In WAS v6.1, a trust association interceptor (TAI) that uses the SPNEGO to securely negotiate and authenticate HTTP requests for secured resources was introduced. In WebSphere Application Server 7.0, this function is now deprecated. SPNEGO web authentication has taken its place to provide dynamic reload of the SPNEGO filters and to enable fallback to the application login method. depfeat

This task is performed on the active directory domain controller machine. Complete the following steps to ensure that the Microsoft Windows Server running the active directory domain controller is configured properly to the associated key distribution center (KDC). For information on the supported Microsoft Windows Servers, see the System Requirements for WebSphere Application Server v8.5 on Windows.
Create a user account in the Microsoft Active Directory for the WAS.
Click Start->Programs->Administrative Tools->Active Directory Users and Computers
Use the name for the WAS. For example, if the Application Server you are running on the WAS machine is called myappserver.austin.ibm.com, create a new user in Active Directory called myappserver.
Important: Do not select "User must change password at next logon."
Important: Make sure that we do not have the computer name myappserver for the Computers and Domain Controllers. If we already have a computer name myappserver, then create a different user account name.

Goto Start -> Programs -> Administrative Tools -> Active Directory Users and Computers->Computers

Goto Start -> Programs -> Administrative Tools -> Active Directory Users and Computers->Domain Controllers
Use the setspn command to map the Kerberos service principal name, HTTP/host, to a Microsoft user account. An example of setspn usage is as follows:
C:\Support Tools>
setspn -A HTTP/myappserver.austin.ibm.com myappserver
There may already be some SPNs related to the Microsoft Windows hosts that have been added to the domain. We can display those that exist using the setspn -L command, but you still have to add an HTTP SPN for WebSphere Application Server. For example, setspn -L myappserver would list the SPNs.
Important: Make sure that we do not have the same SPNs mapping to more than one Microsoft user account. If we map the same SPN to more than one user account, the web browser client can send a NTLM instead of SPNEGO token to WebSphere Application Server.
More information about the setspn command can be found here, Windows 2003 Technical Reference (setspn command)
Create the Kerberos keytab file and make it available to WebSphere Application Server. Use the ktpass command to create the Kerberos keytab file (krb5.keytab).
Use the ktpass tool from the Windows Server toolkit to create the Kerberos keytab file for the service principal name (SPN). Use the latest version of the ktpass tool that matches the Windows server level that you are using. For example, use the Windows 2003 version of the tool for a Windows 2003 server.
To determine the appropriate parameter values for the ktpass tool, run the ktpass -? command from the command line. This command lists whether the ktpass tool, which corresponds to the particular operating system, uses the -crypto RC4-HMAC or -crypto RC4-HMAC-NT parameter value. To avoid warning messages from the toolkit, specify the -ptype KRB5_NT_PRINCIPAL parameter value.
The Windows 2003 server version of the ktpass tool supports the encryption type, RC4-HMAC, and Single data encryption standard (DES). For more information about the ktpass tool, see Windows 2003 Technical Reference - Ktpass overview.
The following code shows the functions that are available when you enter ktpass -? command on the command line. This information might be different depending on the version of the toolkit that you are using.

C:\Support Tools>ktpass -? Command line options: ---------------------most useful args [- /] out : Keytab to produce [- /] princ : Principal name (user@REALM) [- /] pass : password to use use "*" to prompt for password. [- +] rndPass : ... or use +rndPass to generate a random password [- /] minPass : minimum length for random password (def:15) [- /] maxPass : maximum length for random password (def:256) ---------------------less useful stuff [- /] mapuser : map princ (above) to this user account (default: don't) [- /] mapOp : how to set the mapping attribute (default: add it) [- /] mapOp : is one of: [- /] mapOp : add : add value (default) [- /] mapOp : set : set value [- +] DesOnly : Set account for des-only encryption (default:don't) [- /] in : Keytab to read/digest ---------------------options for key generation [- /] crypto : Cryptosystem to use [- /] crypto : is one of: [- /] crypto : DES-CBC-CRC : for compatibility [- /] crypto : DES-CBC-MD5 : for compatibliity [- /] crypto : RC4-HMAC-NT : default 128-bit encryption [- /] ptype : principal type in question [- /] ptype : is one of: [- /] ptype : KRB5_NT_PRINCIPAL : The general ptype-- recommended [- /] ptype : KRB5_NT_SRV_INST : user service instance [- /] ptype : KRB5_NT_SRV_HST : host service instance [- /] kvno : Override Key Version Number Default: query DC for kvno. Use /kvno 1 for Win2K compat. [- +] Answer : +Answer answers YES to prompts. -Answer answers NO. [- /] Target : Which DC to use. Default:detect ---------------------options for trust attributes (Windows Server 2003 Sp1 Only [- /] MitRealmName : MIT Realm which we want to enable RC4 trust on. [- /] TrustEncryp : Trust Encryption to use; DES is default [- /] TrustEncryp : is one of: [- /] TrustEncryp : RC4 : RC4 Realm Trusts (default) [- /] TrustEncryp : DES : go back to DES

Important: Do not use the -pass switch on the ktpass command to reset a password for a Microsoft Windows server account. See Windows 2003 Technical Reference - Ktpass overview for more information. We must use the -mapUser option with ktpass command to enable the KDC to create an encryption key. Otherwise, when the SPENGO token is received, it fails the validation process and the application server challenges the user for a user name and password.
Depending on the encryption type, you use the ktpass tool in one of the following ways to create the Kerberos keytab file. The following section shows the different types of encryption used by the ktpass tool. It is important that you run the ktpass -? command to determine which -crypto parameter value is expected by the particular toolkit in our Microsoft Windows environment.
For a single DES encryption type
From a command prompt, run the ktpass command:
ktpass -out c:\temp\myappserver.keytab
-princ HTTP/myappserver.austin.ibm.com@WSSEC.AUSTIN.IBM.COM
-mapUser myappserv  -mapOp set  -pass was1edu
-crypto DES-CBC-MD5  -pType KRB5_NT_PRINCIPAL
+DesOnly
for a single DES encryption type.
This table describes how to use ktpass for a single DES encryption type.
Option Explanation
-out c:\temp\myappserver.keytab The key is written to this output file.
-princ HTTP/myappserver.austin.ibm.com@WSSEC.AUSTIN.IBM.COM The concatenation of the user logon name, and the realm must be in uppercase.
-mapUser The key is mapped to the user, myappserver.
-mapOp This option sets the mapping.
-pass was1edu This option is the password for the user ID.
-crypto DES-CBC-MD5 This option uses the single DES encryption type.
-pType KRB5_NT_PRINCIPAL This option specifies the KRB5_NT_PRINCIPAL principal value. Specify this option to avoid toolkit warning messages.
+DesOnly This option generates only DES encryptions.
For the RC4-HMAC encryption type
Important: RC4-HMAC encryption is only supported when using a Windows 2003 Server as KDC. From a command prompt, run the ktpass command.
ktpass -out c:\temp\myappserver.keytab  -princ HTTP/myappserver.austin.ibm.com@WSSEC.AUSTIN.IBM.COM  -mapUser myappserver
-mapOp set  -pass was1edu  -crypto RC4-HMAC
-pType KRB5_NT_PRINCIPAL
ktpass for the RC4-HMAC encryption type.
This table identifies and describes the ktpass options for RC4-HMAC encryption
Option Explanation
-out c:\temp\myappserver.keytab The key is written to this output file.
-princ HTTP/myappserver.austin.ibm.com@WSSEC.AUSTIN.IBM.COM The concatenation of the user logon name, and the realm must be in uppercase.
-mapUser The key is mapped to the user, myappserver.
-mapOp This option sets the mapping.
-pass was1edu This option is the password for the user ID.
-crypto RC4-HMAC This option chooses the RC4-HMAC encryption type.
-pType KRB5_NT_PRINCIPAL This option specifies the KRB5_NT_PRINCIPAL principal value. Specify this option to avoid toolkit warning messages.
For the RC4-HMAC-NT encryption type
From a command prompt, run the ktpass command.
ktpass -out c:\temp\myappserver.keytab  -princ HTTP/myappserver.austin.ibm.com@WSSEC.AUSTIN.IBM.COM  -mapUser myappserver  -mapOp set  -pass was1edu  -crypto RC4-HMAC-NT
-pType KRB5_NT_PRINCIPAL
ktpass for the RC4-HMAC encryption type. This table describes
Option Explanation
-out c:\temp\myappserver.keytab The key is written to this output file.
-princ HTTP/myappserver.austin.ibm.com@WSSEC.AUSTIN.IBM.COM The concatenation of the user logon name, and the realm must be in uppercase.
-mapUser The key is mapped to the user, myappserver.
-mapOp This option sets the mapping.
-pass was1edu This option is the password for the user ID.
-crypto RC4-HMAC-NT This option chooses the RC4-HMAC-NT encryption type.
-pType KRB5_NT_PRINCIPAL This option specifies the KRB5_NT_PRINCIPAL principal value. Specify this option to avoid toolkit warning messages.
The Kerberos keytab file is created for use with the SPNEGO TAI.
A Kerberos keytab configuration file contains a list of keys that are analogous to user passwords. It is important for hosts to protect their Kerberos keytab files by storing them on the local disk, which makes them readable only be authorized users.
You make the keytab file available to WebSphere Application Server by copying the krb5.keytab file from the Domain Controller (LDAP machine) to the WAS machine.
ftp> bin
ftp> put c:\temp\KRB5_NT_SEV_HST\krb5.keytab
Results

Your active directory domain controller is properly configured to process single sign on requests to WebSphere Application Server and the SPNEGO TAI

Subtopics

Use the ktab command to manage the Kerberos keytab file
The Kerberos key table manager command (Ktab) allows the product administrator to manage the Kerberos service principal names and keys stored in a local Kerberos keytab file. With the IBM Software Development Kit (SDK) or Sun Java Development Kit (JDK) 1.6 or later, we can use the ktab command to merge two Kerberos keytab files.

Related concepts

Single sign-on for HTTP requests using SPNEGO TAI (deprecated)

Related tasks

Configure WebSphere Application Server and enabling the SPNEGO TAI (deprecated)
Configure JVM custom properties, filtering HTTP requests, and enabling SPNEGO TAI in WebSphere Application Server (deprecated)
Create a single sign-on for HTTP requests using the SPNEGO TAI (deprecated)

Option	Explanation
-out c:\temp\myappserver.keytab	The key is written to this output file.
-princ HTTP/myappserver.austin.ibm.com@WSSEC.AUSTIN.IBM.COM	The concatenation of the user logon name, and the realm must be in uppercase.
-mapUser	The key is mapped to the user, myappserver.
-mapOp	This option sets the mapping.
-pass was1edu	This option is the password for the user ID.
-crypto DES-CBC-MD5	This option uses the single DES encryption type.
-pType KRB5_NT_PRINCIPAL	This option specifies the KRB5_NT_PRINCIPAL principal value. Specify this option to avoid toolkit warning messages.
+DesOnly	This option generates only DES encryptions.