Info

Since version 2.8.0, merging keytabs is built into Kantega SSO Enterprise, so this guide is kept only for historical purposes. The information on the page is still relevant if you need to use ktutil to merge keytab files in other cases.

Background

Kantega SSO can be used with keytab files containing any number of Kerberos keys.

...

  • You need to support more than one Active Directory domain, but the domains are not in a trust relationship

  • You need to support more than one hostname / SPN (some clients do not canonicalize CNAMEs)

  • You want to support more than one encryption type

...

If there is a trust relationship between your domains, please read about Cross-domain trust instead.

Merging keys using Kantega SSO

...

All you need to do is to select "Add to existing keytab" when uploading keytab files.

https://docs.kantega.no/download/attachments/76252144/Skjermbilde 2018-08-30 13.02.55.png?version=1&modificationDate=1565875626984&api=v2

...


Merge keytab files using external tools

If you need to merge keytab files for use outside Kantega SSO, here are two ways of doing it:

Merge using ktpass with the /in parameter

In the example below, we want to enable Kerberos SSO for users in the two domains example.local and kerbauth.com.

After creating the first keytab, the file is transferred to the other domain controller, where a new key is produced and added to the keytab.

The output is a new keytab file with keys from both domains.

In both domains, we need to create a separate user account (mapuser) for mapping the SPN.

...

First, create a keytab file in the KERBAUTH.COM domain.

Code Block
ktpass /out c:\issues-KERBAUTH.keytab /mapuser KERBAUTH\svc-jira-sso /princ HTTP/issues.example.com@KERBAUTH.COM /pass * /ptype KRB5_NT_PRINCIPAL

...

Code Block
ktpass /out EXAMPLE-merged-with-KERBAUTH.keytab /mapuser EXAMPLE\svc-jira-sso /princ HTTP/issues.example.com@EXAMPLE.LOCAL /pass * /ptype KRB5_NT_PRINCIPAL /in c:\issues-KERBAUTH.keytab


Merge using ktutil Linux/Unix command-line tool

ktutil is a Linux command most commonly found in the krb5-workstation package. The advantage of using ktutil is that instead of adding an SPN to an existing keytab file, it can be used to merge two keytabs without increasing the version number (kvno) of the SPN.

It also supports updating the Keytab file with multiple versions of an SPN, which can be useful in cases where multiple versions of the same SPN must coexist, like when changing encryption types.

Merge two or more keys to one keytab file

In the example below we have two keytab files: issues.example.com.keytab and issues-KERBAUTH.keytab

  • We use ktutil to read both keys (read_kt)

  • We write the keys to a single file (write_kt)

  • The output is one merged file: merged_keytab_file.keytab

...
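To make visible what the read_kt / write_kt sequence actually produces, here is an added example (not code from the Kantega SSO documentation, and not ktutil itself) that implements the MIT keytab file format (version 0x0502, the same format ktpass writes) in pure Python. It reads two keytabs, concatenates their entries the way ktutil does, and prints a klist -kt style summary so you can confirm both realms and all kvnos are present. The principals, realm names, timestamps and key bytes in the usage section are constructed for the example; the function and class names are this example's own.

```python
"""Merge MIT keytab files (format version 0x0502) in pure Python.

Added example, not part of the Kantega SSO docs and not ktutil: it
implements the file layout that ktutil's read_kt/write_kt operate on.
"""
import struct
from dataclasses import dataclass

# RFC 3961 enctype numbers that commonly appear in Active Directory keytabs
ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96",
                 23: "arcfour-hmac"}


@dataclass(frozen=True)
class KeytabEntry:
    principal: str   # components joined with "/", e.g. "HTTP/issues.example.com"
    realm: str       # e.g. "KERBAUTH.COM"
    name_type: int   # 1 = KRB5_NT_PRINCIPAL
    timestamp: int   # seconds since the epoch
    kvno: int        # key version number
    enctype: int     # encryption type number
    key: bytes       # raw long-term key


def _octets(data: bytes) -> bytes:
    """counted_octet_string: uint16 big-endian length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def encode_entry(e: KeytabEntry) -> bytes:
    comps = e.principal.split("/")
    body = struct.pack(">H", len(comps)) + _octets(e.realm.encode())
    body += b"".join(_octets(c.encode()) for c in comps)
    body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)
    body += struct.pack(">H", e.enctype) + _octets(e.key)
    body += struct.pack(">I", e.kvno)           # 32-bit kvno, needed when kvno > 255
    return struct.pack(">i", len(body)) + body  # int32 size prefix


def write_keytab(entries) -> bytes:
    return b"\x05\x02" + b"".join(encode_entry(e) for e in entries)


class _Cursor:
    """Bounds-checked big-endian reader over one keytab entry."""
    def __init__(self, data: bytes, pos: int):
        self.data, self.pos = data, pos

    def take(self, n: int) -> bytes:
        chunk = self.data[self.pos:self.pos + n]
        if len(chunk) != n:
            raise ValueError("truncated keytab entry")
        self.pos += n
        return chunk

    def u16(self) -> int: return struct.unpack(">H", self.take(2))[0]
    def u32(self) -> int: return struct.unpack(">I", self.take(4))[0]
    def octets(self) -> bytes: return self.take(self.u16())


def read_keytab(blob: bytes) -> list:
    if blob[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos < len(blob):
        (size,) = struct.unpack(">i", blob[pos:pos + 4])
        pos += 4
        if size < 0:                 # negative size marks a deleted slot
            pos += -size
            continue
        c = _Cursor(blob, pos)
        ncomp = c.u16()
        realm = c.octets().decode()
        comps = [c.octets().decode() for _ in range(ncomp)]
        name_type, timestamp = c.u32(), c.u32()
        kvno = c.take(1)[0]          # 8-bit kvno
        enctype = c.u16()
        key = c.octets()
        if pos + size - c.pos >= 4:  # trailing 32-bit kvno present
            kvno32 = c.u32()
            if kvno32:               # MIT krb5 prefers it when non-zero
                kvno = kvno32
        pos += size
        entries.append(KeytabEntry("/".join(comps), realm, name_type,
                                   timestamp, kvno, enctype, key))
    return entries


def merge_keytabs(*blobs: bytes) -> list:
    """Same effect as ktutil read_kt on each file followed by write_kt:
    entries are concatenated in order, so several kvnos of one SPN coexist."""
    merged = []
    for blob in blobs:
        merged.extend(read_keytab(blob))
    return merged


def describe(entries) -> list:
    """klist -kt style lines for checking the merged result."""
    return [f"{e.kvno} {e.principal}@{e.realm} ({ENCTYPE_NAMES.get(e.enctype, e.enctype)})"
            for e in entries]


if __name__ == "__main__":
    # Constructed sample keytabs standing in for issues.example.com.keytab
    # and issues-KERBAUTH.keytab; the key bytes are placeholders.
    example = write_keytab([KeytabEntry("HTTP/issues.example.com", "EXAMPLE.LOCAL",
                                        1, 1535630575, 3, 18, b"\x11" * 32)])
    kerbauth = write_keytab([KeytabEntry("HTTP/issues.example.com", "KERBAUTH.COM",
                                         1, 1535630575, 5, 18, b"\x22" * 32)])
    print("\n".join(describe(merge_keytabs(example, kerbauth))))
```

To produce merged_keytab_file.keytab, write the bytes returned by write_keytab(merge_keytabs(...)) to the file under a restrictive umask (the file holds long-term keys), then compare describe() against klist -kt on the real file.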