Create a keytab

First, start with a new user object. We recommend using a dedicated user to map an SPN.

When running the ktpass-command, we need a user account to hold the SPN. 

Make sure that the password never expires, and the user cannot change the password set.

The details of the new user account.

Creating the keytab with ktpass 

Command / parameter

 

Command / parameter

 

1 ktpass

ktpass is included in windows 2008 onward and is located in C:\Windows\System32\

1 /princ HTTP/issues.example.com@EXAMPLE.LOCAL 

HTTP - defines the protocol. HTTP (uppercase) is used regardless of accessing the site with https
issues.example.com - Host part must match the hostname of your service
@EXAMPLE.COM - Realm name must match your Active Directory name written in uppercase 

1 /mapuser EXAMPLE\svc-jira-sso 

Maps the Service Principal Name to an Active Directory user account. A unique account for each service should be created. The account should be configured with "Password never expires" and "User cannot change password" checked.

/pass * 

Some password. The password set replaces the user password.

1 /out C:\issues.example.com.keytab 

The output location of the newly created keytab

1 /ptype KRB5_NT_PRINCIPAL
1 The general ptype. Recommended by Microsoft.

 

 Example command:

1 ktpass /princ HTTP/issues.example.com@EXAMPLE.LOCAL -mapuser EXAMPLE\svc-jira-sso -pass * /out C:\issues.example.com.keytab /ptype KRB5_NT_PRINCIPAL

ktpass must be run in an elevated command prompt as a user with domain or enterprise permissions.