Create a keytab
- Jon Espen Ingvaldsen (Unlicensed)
- August Heltne
- Ole Kristian Aune (Unlicensed)
- Steinar Line
First, start with a new user object. We recommend using a dedicated user to map an SPN.
When running the ktpass-command, we need a user account to hold the SPN.
Make sure that the password never expires, and the user cannot change the password set.
The details of the new user account.
Creating the keytab with ktpass
Command / parameter |
|
|---|---|
ktpass | ktpass is included in windows 2008 onward and is located in C:\Windows\System32\ |
/princ HTTP/issues.example.com@EXAMPLE.LOCAL | HTTP - defines the protocol. HTTP (uppercase) is used regardless of accessing the site with https |
/mapuser EXAMPLE\svc-jira-sso | Maps the Service Principal Name to an Active Directory user account. A unique account for each service should be created. The account should be configured with "Password never expires" and "User cannot change password" checked. |
/pass * | Some password. The password set replaces the user password. |
/out C:\issues.example.com.keytab | The output location of the newly created keytab |
/ptype KRB5_NT_PRINCIPAL | The general ptype. Recommended by Microsoft. |
Get-ADUser command | The Get-ADUser command will set the requested UserPrincipalName potentially bound to another service acocunt to $null. This assures that the new keytab created will work even though the UserPrincipalName was bound to another account from before. It will not do any harm on a first time installation. |
Example command:
Get-ADUser -Filter "UserPrincipalName -like 'HTTP/issues.example.com@EXAMPLE.LOCAL'" | Set-ADUser -UserPrincipalName $null
ktpass /princ HTTP/issues.example.com@EXAMPLE.LOCAL -mapuser EXAMPLE\svc-jira-sso -pass * /out C:\issues.example.com.keytab /ptype KRB5_NT_PRINCIPALktpass must be run in an elevated (administrator) PowerShell prompt as a user with domain or enterprise permissions.
