...
Creating the keytab with ktpass
| Command / parameter | Description |
|---|---|
| ktpass | ktpass is included in Windows Server 2008 onward and is located in C:\Windows\System32\ |
| /princ | HTTP defines the protocol. HTTP (uppercase) is used regardless of whether the site is accessed over https. |
| /mapuser | Maps the Service Principal Name to an Active Directory user account. A unique account should be created for each service. The account should be configured with "Password never expires" and "User cannot change password" checked. |
| /pass * | Some password. The password set replaces the user password. |
| /out | The output location of the newly created keytab. |
| Get-ADUser command | The Get-ADUser command sets the requested UserPrincipalName, which may be bound to another service account, to $null. This ensures that the newly created keytab works even if the UserPrincipalName was previously bound to another account. It does no harm on a first-time installation. |
Example command:

```powershell
Get-ADUser -Filter "UserPrincipalName -like 'HTTP/issues.example.com@EXAMPLE.LOCAL'" | Set-ADUser -UserPrincipalName $null
ktpass /princ HTTP/issues.example.com@EXAMPLE.LOCAL -mapuser EXAMPLE\svc-jira-sso -pass * /out C:\issues.example.com.keytab /ptype KRB5_NT_PRINCIPAL
```
ktpass must be run in an elevated (Administrator) PowerShell prompt as a user with domain administrator or enterprise administrator permissions.
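The procedure above, wrapped into a single script as an added example (this is not the page's own command or Atlassian's code). It uses the page's example SPN, realm, account and output path as defaults, and adds the checks a practitioner wants before resetting a service account's password: the account flags from the /mapuser row, a duplicate-SPN check (an SPN registered on a second account breaks ticket validation), and the page's UPN cleanup. The `/crypto AES256-SHA1` switch, the `-KerberosEncryptionType AES256` setting and the `icacls` step are hardening choices that go beyond the page's command and are assumptions, not part of the original.

```powershell
#Requires -RunAsAdministrator
#Requires -Modules ActiveDirectory
# Added example: prepare the service account, clear a stale UPN, check for a duplicate SPN,
# then run ktpass. Default values are the page's example values (constructed for illustration).
param(
    [string]$Spn     = 'HTTP/issues.example.com',
    [string]$Realm   = 'EXAMPLE.LOCAL',
    [string]$Domain  = 'EXAMPLE',
    [string]$Account = 'svc-jira-sso',
    [string]$Out     = 'C:\issues.example.com.keytab'
)
$ErrorActionPreference = 'Stop'
$princ = "$Spn@$Realm"

# 1. The service account must exist and keep a stable password, otherwise the keys in the
#    keytab stop matching the account's keys in AD.
$user = Get-ADUser -Identity $Account -Properties PasswordNeverExpires, CannotChangePassword, ServicePrincipalName
if (-not $user.PasswordNeverExpires -or -not $user.CannotChangePassword) {
    Set-ADUser -Identity $Account -PasswordNeverExpires $true -CannotChangePassword $true
}
# Assumption (hardening beyond the page): advertise AES only, so tickets for this SPN are not RC4.
Set-ADUser -Identity $Account -KerberosEncryptionType AES256

# 2. An SPN may be registered on only one account. A duplicate makes the KDC issue tickets
#    encrypted with the wrong key and the web application then fails to validate them.
$owners = Get-ADObject -Filter "servicePrincipalName -eq '$Spn'"
$others = @($owners | Where-Object { $_.DistinguishedName -ne $user.DistinguishedName })
if ($others.Count -gt 0) {
    throw "SPN $Spn is already registered on: $($others.DistinguishedName -join ', ')"
}

# 3. The page's own step: release the UPN if an older account still holds it, so /mapuser succeeds.
Get-ADUser -Filter "UserPrincipalName -like '$princ'" | Set-ADUser -UserPrincipalName $null

# 4. Generate the keytab. '/pass *' prompts for the password and RESETS the account password,
#    so any keytab previously issued for this account stops working (the key version increments).
& ktpass /princ $princ /mapuser "$Domain\$Account" /pass * /out $Out /ptype KRB5_NT_PRINCIPAL /crypto AES256-SHA1
if ($LASTEXITCODE -ne 0) { throw "ktpass failed with exit code $LASTEXITCODE" }

# 5. Verify the result: the file exists and the SPN is now on the intended account.
if (-not (Test-Path $Out)) { throw "keytab was not written to $Out" }
$after = Get-ADUser -Identity $Account -Properties ServicePrincipalName
if ($after.ServicePrincipalName -notcontains $Spn) {
    throw "SPN $Spn is not present on $Account after ktpass"
}

# 6. Assumption (hardening beyond the page): the keytab is equivalent to the account password,
#    so strip inherited ACLs and leave only Administrators and SYSTEM with access.
icacls $Out /inheritance:r /grant:r 'Administrators:F' /grant:r 'SYSTEM:F' | Out-Null
Write-Host "Keytab written to $Out for $princ (account $Domain\$Account)"
```

Run it from an elevated PowerShell prompt as described above; the file should then be copied to the application server over an authenticated channel and the local copy removed, since whoever reads the keytab can impersonate the service.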
...