Creating a Kerberos keytab using ktpass
Microsoft’s ktpass utility can be used to create a Kerberos keytab.
About this task
Procedure
To create a Kerberos keytab using ktpass, perform the following steps. Substitute appropriate values for the italicized text depending on the name of the identity account, its password or where the keytab should be created. Running this might produce warning messages, which you can ignore.
Results
The -kvno 0 option in the above command lines is there to avoid "Specified version of the key is not available" errors that will occur in some versions of the JVM if the key version number (kvno) in the keytab does not match that in the Active Directory server for the identity user’s password.
Be careful with the case of letters used for the identity account’s name as well as the password in the ktpass command. The case of the name should be exactly as it is shown in the User logon name (pre-Windows 2000) field of the identity account as shown in Microsoft’s Active Directory Users and Computers MSC snap-in. Having the wrong case could cause failures later and require that ktpass be rerun. Do not use the SPN (with the "/") name in this command; use the name of the identity user (with the "_").
Additional help for ktpass can be had by entering this on the command line: ktpass /help
Many setups for SPNEGO use the -mapuser option with ktpass, but you should not use this option. Using -mapuser changes the userPrincipalName setting for the identity user’s account and causes the Content Platform Engine’s special TGT login to fail. If -mapuser was used, or to find out whether it was used inadvertently, run the Active Directory Users and Computers MSC snap-in, open the Properties of the identity user account and select the Account pane. If the "User logon name" field now reads something like FNCEWS/myhost (notice the "/" instead of a "_"), then it should be changed.
Windows 2003 versions of ktpass do not include RC4-HMAC-NT as an option; if RC4-HMAC encryption is to be used, then a later version of ktpass must be run or the ktab method must be used to create the keytab.
Ktpass will create or append new keytab entries to the file specified in its -out option. This file might have to be moved in later steps so it is accessible to the Content Platform Engine.
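The following PowerShell script is an added example, not the product documentation's own command lines. It builds a ktpass invocation that follows the rules above (identity account name rather than SPN, /kvno 0, RC4-HMAC-NT, no /mapuser) and then checks the account in Active Directory for the "/" in userPrincipalName that would indicate /mapuser was used. The account name, realm and keytab path are placeholder values; the ktpass switches (/out, /princ, /ptype, /crypto, /kvno, /pass) are standard ktpass options, and ktpass accepts them with either "/" or "-".

```powershell
# Added example: create the keytab for the Content Platform Engine identity account
# with ktpass and verify afterwards that the account's userPrincipalName is intact.
# All three values below are placeholders; replace them with your own.
$identityUser = 'FNCEWS_myhost'        # pre-Windows 2000 logon name: use "_", not the SPN with "/"
$realm        = 'EXAMPLE.COM'          # Kerberos realm: the AD domain name in upper case
$keytabPath   = 'C:\keytabs\cpe.keytab' # file created (or appended to) by /out

# Case of $identityUser must match the "User logon name (pre-Windows 2000)" field exactly.
# /kvno 0   avoids "Specified version of the key is not available" in some JVMs.
# /crypto   RC4-HMAC-NT needs a ktpass newer than the Windows 2003 version.
# /pass *   makes ktpass prompt for the password instead of placing it in the script.
# No /mapuser: it rewrites userPrincipalName and breaks the CPE TGT login.
$ktpassArgs = @(
    '/out',    $keytabPath,
    '/princ',  "$identityUser@$realm",
    '/ptype',  'KRB5_NT_PRINCIPAL',
    '/crypto', 'RC4-HMAC-NT',
    '/kvno',   '0',
    '/pass',   '*'
)
& ktpass.exe @ktpassArgs
if ($LASTEXITCODE -ne 0) {
    Write-Warning "ktpass exited with code $LASTEXITCODE; warnings alone are expected, errors are not."
}

# Post-check: a "/" in userPrincipalName means the account was mapped to an SPN,
# which is exactly what the documentation says to avoid.
Import-Module ActiveDirectory
$acct = Get-ADUser -Identity $identityUser -Properties userPrincipalName
if ($acct.userPrincipalName -like '*/*') {
    Write-Warning ("userPrincipalName '{0}' looks like an SPN; /mapuser was probably used. " +
                   "Change it back on the Account tab in Active Directory Users and Computers.") -f $acct.userPrincipalName
} else {
    Write-Host "userPrincipalName is intact: $($acct.userPrincipalName)"
}
Write-Host "Keytab written to $keytabPath; move it where the Content Platform Engine can read it."
```

Run the script on a domain-joined Windows host as an account allowed to read the identity user's attributes; the Get-ADUser check requires the ActiveDirectory module from RSAT. If the keytab must contain several encryption types, rerun ktpass with /in pointing at the existing file so the new entry is appended rather than the file overwritten.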