First, start with a new user object. We recommend using a dedicated user account for the sole purpose of holding the SPN mapping.

When running the ktpass command, we need a user account to hold the SPN.

...

Make sure that "Password never expires" and "User cannot change password" are both set.

...

The details of the new user account.

...

Creating the keytab with ktpass

Command / parameter


Code Block
ktpass

ktpass is included in Windows Server 2008 onward and is located in C:\Windows\System32\

Code Block
/princ HTTP/issues.example.com@EXAMPLE.LOCAL

HTTP - defines the service class. HTTP (uppercase) is used regardless of whether the site is accessed over https.
issues.example.com - the host part must match the hostname of your service exactly as clients address it.
@EXAMPLE.LOCAL - the realm name must match your Active Directory domain name, written in uppercase.

Code Block
/mapuser EXAMPLE\svc-jira-sso

Maps the Service Principal Name to an Active Directory user account. Create a unique account for each service. The account should be configured with "Password never expires" and "User cannot change password" checked.

Code Block
/pass *

The password for the account; * makes ktpass prompt for it interactively. Note that the password set here replaces the account's existing password, because the keytab is derived from it.

Code Block
/out C:\issues.example.com.keytab

The output location of the newly created keytab. The keytab is equivalent to the account's password, so restrict read access to it and move it to the Jira server over a protected channel.

Code Block
/ptype KRB5_NT_PRINCIPAL

The general ptype. Recommended by Microsoft.
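The account creation steps above and the ktpass parameters documented in this section, put together as one runnable PowerShell script. This is an added example, not from the original page or from Atlassian; it uses the page's own values (HTTP/issues.example.com, EXAMPLE.LOCAL, EXAMPLE\svc-jira-sso, C:\issues.example.com.keytab). The OU path, the duplicate-SPN check, the /crypto AES256-SHA1 setting, the icacls hardening of the keytab file and the use of the ActiveDirectory module (RSAT) are assumptions and additions not stated on the page.

```powershell
# Added example (not from the original page): create the dedicated SPN account
# and the keytab exactly as the parameters above describe, then verify it.
# Assumptions not on the page: the OU path, AES-only /crypto, ActiveDirectory module.
Import-Module ActiveDirectory

$Spn        = 'HTTP/issues.example.com'
$Realm      = 'EXAMPLE.LOCAL'
$Domain     = 'EXAMPLE'
$Account    = 'svc-jira-sso'
$KeytabPath = 'C:\issues.example.com.keytab'
$OuPath     = 'OU=Service Accounts,DC=example,DC=local'   # assumption, adjust to your AD

# 1. Stop if the SPN is already registered on another object: a duplicate SPN
#    makes the KDC unable to pick a key, and Kerberos fails for both services.
$existing = Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Properties servicePrincipalName
if ($existing -and $existing.Name -ne $Account) {
    throw "SPN $Spn is already registered on $($existing.DistinguishedName)"
}

# 2. Create the dedicated account with the two flags the page requires.
$pw = Read-Host -AsSecureString -Prompt "Initial password for $Account"
New-ADUser -Name $Account -SamAccountName $Account `
    -UserPrincipalName "$Account@$($Realm.ToLower())" `
    -Path $OuPath -AccountPassword $pw -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true

# 3. Run ktpass with the parameters documented above.
#    /pass * prompts for the password, and whatever is entered becomes the
#    account's password. /crypto AES256-SHA1 is an addition: it keeps RC4 keys
#    out of the keytab so the service only accepts AES-based tickets.
& ktpass /princ "$Spn@$Realm" /mapuser "$Domain\$Account" /pass * `
    /out $KeytabPath /ptype KRB5_NT_PRINCIPAL /crypto AES256-SHA1
if ($LASTEXITCODE -ne 0) { throw "ktpass failed with exit code $LASTEXITCODE" }

# 4. The keytab file is as sensitive as the account password: remove inherited
#    ACEs and leave only Administrators and SYSTEM with access.
icacls $KeytabPath /inheritance:r /grant:r 'Administrators:(F)' 'SYSTEM:(F)' | Out-Null

# 5. Verify that ktpass actually attached the SPN to the account.
$user = Get-ADUser $Account -Properties servicePrincipalName
if ($user.servicePrincipalName -notcontains $Spn) {
    throw "SPN $Spn was not set on $Account; check the ktpass output"
}
"Keytab written to $KeytabPath for $Spn@$Realm (mapped to $Domain\$Account)"
```

Run it from an elevated PowerShell session on a domain-joined machine with RSAT installed, as a user allowed to create accounts in the target OU. The script prompts twice: once for the initial account password and once for ktpass, and the second value is the one the keytab and the account end up with.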

...