Create a Keytab with AES
Why should I consider using AES encryption?
While the default RC4-HMAC is the most compatible encryption type, it is no longer considered strong encryption.
For this reason, we recommend that you use AES-128 or AES-256 encryption instead.
Prerequisites for using AES encryption
| Prerequisites / Tasks | Notes |
|---|---|
| AES must be enabled on the user account that holds the SPN. | |
| Domain functional level must be 2008 or higher. | Domain functional levels before 2008 do not support AES encryption. To find the domain functional level, right-click the root of the domain and choose Properties. |
| Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files must be in place. | Replace local_policy.jar and US_export_policy.jar in $JAVA_HOME/jre/lib/security/. The service must be restarted to apply the new policies. |
Creating a keytab with AES
1. Enable AES 128 or AES 256 on the user account that holds the SPN.
2. (Re)Create the keytab with support for AES. The `-pass *` switch prompts for the account password:

   ```
   ktpass -princ HTTP/issues.example.com@EXAMPLE.LOCAL /mapuser EXAMPLE\svc-jira-sso -pass * /out C:\issues.example.com.keytab /ptype KRB5_NT_PRINCIPAL /crypto AES256-SHA1
   ```

3. Upload the new keytab file to our plugin.
Purge tickets
Recreating a keytab with a new key version or a different encryption type makes Kerberos fail for clients that already hold a service ticket, because that ticket was issued against the old key and the service can no longer decrypt it. Logging out or running `klist purge` on the command line makes the client acquire a new ticket, which will then use AES-256.
Example:
The first command in the picture below issues a keytab for issues.example.com. Its output shows "vno 3", meaning key version number (kvno) 3.
The second command is run after AES256 has been enabled on the user object. A new version of the keytab is issued (vno 4).
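To confirm what a generated keytab actually contains, here is an added example (not from this article or the plugin) that parses the keytab format written by ktpass and MIT krb5 and reports each entry's principal, kvno and encryption type. The two keytab blobs are constructed inline to stand in for the two ktpass outputs in the example above (an RC4 key with vno 3, then an AES256 key with vno 4); the realm, principal and key bytes are dummies. Reading a real `.keytab` file's bytes into `inspect_keytab()` shows whether the kvno was bumped and whether any RC4 or DES entries remain.

```python
import struct

# Kerberos enctype numbers from the IANA registry (RFC 3961/3962/4757).
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}
AES_ENCTYPES = {17, 18}
WEAK_ENCTYPES = {1, 3, 23}  # DES and RC4: the types the article says to move away from


def _counted_string(buf, pos):
    """Read a big-endian uint16 length followed by that many bytes."""
    (length,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + length], pos + length


def parse_keytab(data):
    """Parse keytab bytes (format 0x0502, as written by ktpass and MIT krb5)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:          # negative size marks a deleted slot of that length
            pos -= size
            continue
        if size == 0:
            break
        end = pos + size
        (num_components,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _counted_string(data, pos)
        components = []
        for _ in range(num_components):
            comp, pos = _counted_string(data, pos)
            components.append(comp.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, key_len = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + key_len]
        pos += key_len
        # A 32-bit kvno follows when the entry has 4 bytes left; non-zero overrides vno8.
        kvno = vno8
        if end - pos >= 4:
            (vno32,) = struct.unpack_from(">I", data, pos)
            kvno = vno32 or vno8
        pos = end
        entries.append({
            "principal": "/".join(components) + "@" + realm.decode(),
            "kvno": kvno,
            "enctype": enctype,
            "enctype_name": ENCTYPE_NAMES.get(enctype, "unknown(%d)" % enctype),
            "key_len": len(key),
        })
    return entries


def inspect_keytab(data):
    """Summarise a keytab: its entries, the kvnos present and the enctype verdict."""
    entries = parse_keytab(data)
    return {
        "entries": entries,
        "kvnos": sorted({e["kvno"] for e in entries}),
        "has_aes": any(e["enctype"] in AES_ENCTYPES for e in entries),
        "weak_enctypes": sorted({e["enctype_name"] for e in entries
                                 if e["enctype"] in WEAK_ENCTYPES}),
    }


def _build_keytab(realm, components, name_type, timestamp, kvno, enctype, key):
    """Serialise a one-entry keytab; used only to construct the sample files below."""
    body = struct.pack(">H", len(components))
    body += struct.pack(">H", len(realm)) + realm.encode()
    for c in components:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)  # trailing 32-bit kvno
    return b"\x05\x02" + struct.pack(">i", len(body)) + body


KRB5_NT_PRINCIPAL = 1
_PRINC = ("EXAMPLE.LOCAL", ["HTTP", "issues.example.com"], KRB5_NT_PRINCIPAL, 1700000000)
# Constructed samples standing in for the two ktpass outputs in the article's example.
# Key bytes are dummies, not real keys.
SAMPLE_KEYTAB_RC4 = _build_keytab(*_PRINC, 3, 23, b"\x11" * 16)  # first run: RC4, vno 3
SAMPLE_KEYTAB_AES = _build_keytab(*_PRINC, 4, 18, b"\x22" * 32)  # second run: AES256, vno 4

if __name__ == "__main__":
    for label, blob in (("first run", SAMPLE_KEYTAB_RC4), ("second run", SAMPLE_KEYTAB_AES)):
        print(label, inspect_keytab(blob))
```

Run the check after each ktpass run: the reported kvno must match the version the KDC now holds for the account, and `weak_enctypes` should be empty once the account has been switched to AES, otherwise clients that negotiate RC4 will keep getting tickets the old way.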