Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.


  • You need to support more than one Active Directory domain, but the domains are not in a trust relationship

  • You need to support more than one hostname / SPN (some clients, like for instance Git clients, do not canonicalize CNAMES) 

  • You want to support more than one encryption type


In the example below, we want to enable Kerberos SSO for users in the two domains example.local and

After creating the first keytab, the keytab file is transferred to the other domain controller where a new key is produced and added to the keytab.


First, create a keytab file in the KERBAUTH.COM domain.

Code Block
ktpass /out c:\issues-KERBAUTH.keytab /mapuser KERBAUTH\svc-jira-sso /princ HTTP/ /pass * /ptype KRB5_NT_PRINCIPAL


Merge two or more keys to one keytab file

In the below example, we have two keys: and issues-KERBAUTH.keytab