The following steps are required to create a keytab file, which is used later in the IAM configuration. The following PowerShell function simplifies the creation steps:
PowerShell: Helper function to create a keytab file

```powershell
function create_keytab_file ($_princ, $_mapuser, $_etype, $_password, $_outfile) {
    # If the keytab already exists, it is renamed to <outfile>.tmp and handed back to
    # ktpass via /in, so the new principal is merged with the existing entries.
    $_tmp_file = $_outfile + ".tmp"
    $_tmp_file_name = [System.IO.Path]::GetFileName($_tmp_file)
    If (Test-Path ${_outfile}) {
        If (Test-Path ${_tmp_file}) {
            Remove-Item ${_tmp_file}
        }
        Rename-Item -Path $_outfile -NewName ${_tmp_file_name}
        ktpass /in ${_tmp_file} `
               /out ${_outfile} `
               /princ ${_princ} `
               /mapuser ${_mapuser} `
               /ptype KRB5_NT_PRINCIPAL `
               /crypto ${_etype} `
               /DumpSalt `
               /pass ${_password}
    } Else {
        # No keytab yet: create a new file containing only this principal.
        ktpass /out ${_outfile} `
               /princ ${_princ} `
               /mapuser ${_mapuser} `
               /ptype KRB5_NT_PRINCIPAL `
               /crypto ${_etype} `
               /DumpSalt `
               /pass ${_password}
    }
    # The temporary copy still holds the previous keys; remove it once merged.
    If (Test-Path ${_tmp_file}) {
        Remove-Item ${_tmp_file}
    }
}
```
To create the keytab file, do the following:
1. Sign in as Domain Administrator on the Domain Controller.
2. Open a PowerShell console and copy & paste the helper function above.
3. Run the following command to create a keytab file for the SPN HTTP/a.airlock.com:

```powershell
$systemuser_password = "STRONG_PASSWORD"
$keytab_file = "C:\tmp\airlock.com.keytab"
$etype = "AES256-SHA1"
create_keytab_file HTTP/a.airlock.com@AIRLOCK.COM `
                   syskerb-airlock-a@AIRLOCK.COM `
                   ${etype} `
                   ${systemuser_password} `
                   ${keytab_file}
```
The example below shows how to create a keytab file containing more than one SPN. Assume that the SPN HTTP/b.airlock.com is registered to the syskerb-airlock-b user.
Example: How to create a keytab file with more than one SPN

```powershell
$systemuser_password = "STRONG_PASSWORD"
$keytab_file = "C:\tmp\airlock.com.keytab"
$etype = "AES256-SHA1"
create_keytab_file HTTP/a.airlock.com@AIRLOCK.COM `
                   syskerb-airlock-a@AIRLOCK.COM `
                   ${etype} `
                   ${systemuser_password} `
                   ${keytab_file}
create_keytab_file HTTP/b.airlock.com@AIRLOCK.COM `
                   syskerb-airlock-b@AIRLOCK.COM `
                   ${etype} `
                   ${systemuser_password} `
                   ${keytab_file}
```
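To verify what actually ended up in the keytab after running the commands above, here is an added example that is not part of the original documentation or of Airlock's own tooling: a small Python parser for the version 0x0502 keytab format (the MIT-compatible format ktpass writes) that lists the principal, kvno and encryption type of every entry without exposing key bytes, reports expected SPNs that are missing, and flags entries created with weak types such as RC4 or DES. The build_keytab function only constructs sample data for the check; the etype numbers are the standard Kerberos registry values (AES256-SHA1 is 18, RC4-HMAC-NT is 23).

```python
import struct

ETYPE_NAMES = {1: "DES-CBC-CRC", 3: "DES-CBC-MD5", 17: "AES128-SHA1", 18: "AES256-SHA1", 23: "RC4-HMAC-NT"}
WEAK_ETYPES = {1, 3, 23}   # DES and RC4 keys should not be in a production keytab

def _read(fmt, data, pos):
    # Unpack big-endian fields at pos; return (values, new_pos).
    return struct.unpack_from(fmt, data, pos), pos + struct.calcsize(fmt)

def build_keytab(entries):
    # Construct a v0x0502 keytab from (principal, kvno, etype, key) tuples (sample data only).
    out = bytearray(b"\x05\x02")
    for princ, kvno, etype, key in entries:
        name, realm = princ.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps))
        for s in [realm] + comps:                       # realm first, then name components
            body += struct.pack(">H", len(s)) + s.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # KRB5_NT_PRINCIPAL, timestamp, 8-bit vno
        body += struct.pack(">HH", etype, len(key)) + key + struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)

def parse_keytab(data):
    """Return [(principal, kvno, etype, key_len)]; key bytes are never returned."""
    assert data[:2] == b"\x05\x02", "not a version 0x0502 keytab"
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,), pos = _read(">i", data, pos)
        if size < 0:                                    # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,), pos = _read(">H", data, pos)
        strs = []
        for _ in range(ncomp + 1):                      # realm, then name components
            (n,), pos = _read(">H", data, pos)
            strs.append(data[pos:pos + n].decode())
            pos += n
        (_name_type, _timestamp, vno8), pos = _read(">IIB", data, pos)
        (etype, klen), pos = _read(">HH", data, pos)   # key bytes follow and are skipped
        kvno = struct.unpack_from(">I", data, pos + klen)[0] if end - pos - klen >= 4 else vno8
        entries.append(("/".join(strs[1:]) + "@" + strs[0], kvno, etype, klen))
        pos = end
    return entries

def check_keytab(data, expected_spns):
    # Report expected principals that are missing and entries that use weak etypes.
    entries = parse_keytab(data)
    missing = sorted(set(expected_spns) - {e[0] for e in entries})
    weak = [(p, ETYPE_NAMES.get(t, str(t))) for p, _, t, _ in entries if t in WEAK_ETYPES]
    return {"entries": entries, "missing": missing, "weak": weak}
```

Run check_keytab on the bytes of C:\tmp\airlock.com.keytab with the SPNs you registered; an empty missing list and an empty weak list is the expected result for the commands above.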
Keep in mind that the keytab file contains sensitive key material and should be protected appropriately.