How to create a keytab file on a Domain Controller for an SSO setup
If you set up single sign-on (SSO) against Active Directory, the application server usually needs a Kerberos keytab file, which you generate on a Domain Controller. In this article, we explain in a few simple steps how to do this.
- Create a domain user that will be used only for this keytab. Tick both checkboxes, “User cannot change password” and “Password never expires”, so that a password change does not silently invalidate the keytab. Keep in mind that a service principal name (SPN) can be registered on only one account, and that every ktpass run that sets the account password increments the account's key version number (kvno) and invalidates any keytab generated earlier for that account. In practice this means one keytab per user: if you need more keytab files, create additional users.
- Start Command Prompt (CMD) in elevated mode (Run as Administrator) and type the following command.
- ktpass -princ HTTP/FQDN@domainname -mapuser username -crypto ALL -ptype KRB5_NT_PRINCIPAL -pass pa$$w0rd -target FQDNofDC -out host.keytab
Replace FQDN@domainname with the Fully Qualified Domain Name of the target machine/application server, followed by @ and the Kerberos realm, which is your AD domain name written in upper case (most Kerberos clients treat the realm as case-sensitive). Example: HTTP/melbourne.contoso.com@CONTOSO.COM
Replace username with the name of the user you created for this purpose in step 1. ktpass registers the SPN on this account and, unless you add -setupn, also rewrites the account's user principal name to HTTP/FQDN@domainname.
Replace pa$$w0rd with the password you specified for this user in step 1. Be aware that ktpass sets this value as the account's password: whatever you pass here becomes the new password and the account's key version number is incremented. Use -pass * to have ktpass prompt for the password instead of leaving it in the command history.
Replace FQDNofDC with the Fully Qualified Domain Name of your Domain Controller. Example: brisbane.contoso.com
-crypto ALL writes one key for every encryption type, including RC4 and DES. If the application server supports AES, prefer -crypto AES256-SHA1 so that the keytab contains only an AES key.
You can also change the host.keytab file name if you wish.
You should receive a “command completed successfully” message with additional information about the newly created keytab file. Even so, check that the SPN has actually been registered for the application server, and on the right account, with the following command:
setspn -Q */FQDN
Example: setspn -Q */melbourne.contoso.com
where melbourne is the application server name. You should receive the “Existing SPN found!” message, and the object listed above it must be the user you created in step 1. If the SPN shows up on a different object, or on more than one, Kerberos authentication to the application server will fail until the duplicate is removed (setspn -X lists all duplicate SPNs in the forest).
If you do not give -out a full path, the keytab file is written to the current directory of the command prompt, which for an elevated prompt is C:\Windows\System32 by default. Copy the file to the application server over a secure channel and delete the copy on the Domain Controller: the keytab is equivalent to the account's password.
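The whole procedure as one script, added here as an example and not part of the original article: it refuses to continue if the SPN already exists in the forest, creates the account with both checkboxes set, generates an AES-only keytab, and then reads the resulting file back to confirm that the principal and key version number inside it match the account in AD. The domain, host names, account name and output path (contoso.com, melbourne, brisbane, svc-melbourne-http, C:\keytabs) are assumed. It deviates from the command above in two places on purpose: -pass * makes ktpass prompt for the password instead of putting it on the command line, and -crypto AES256-SHA1 replaces -crypto ALL. Run it in an elevated PowerShell on the Domain Controller with the ActiveDirectory module installed.

```powershell
# Added example: keytab creation and verification on the DC. Names below are illustrative.
$Domain  = 'contoso.com'
$Realm   = 'CONTOSO.COM'                # Kerberos realm: the domain name in upper case
$AppHost = 'melbourne.contoso.com'      # application server (the host part of the SPN)
$Dc      = 'brisbane.contoso.com'       # domain controller ktpass will talk to
$Sam     = 'svc-melbourne-http'         # dedicated account: one account per keytab
$Spn     = "HTTP/$AppHost"
$Out     = 'C:\keytabs\melbourne-http.keytab'

# Kerberos encryption type numbers (RFC 3961/3962/4757) as they appear in the keytab.
$EtypeNames = @{ 1='DES-CBC-CRC'; 3='DES-CBC-MD5'; 17='AES128-CTS-HMAC-SHA1-96'; 18='AES256-CTS-HMAC-SHA1-96'; 23='RC4-HMAC' }

# Minimal reader for the MIT keytab format (version 0x0502) that ktpass writes. Per entry:
# int32 size, uint16 component count, realm, components, uint32 name type, uint32 timestamp,
# uint8 kvno, keyblock (uint16 etype, uint16 length, key bytes), optional uint32 kvno.
# All integers are big-endian. Key bytes are skipped and never displayed.
function Read-Keytab {
    param([Parameter(Mandatory)][string]$Path)
    $b = [System.IO.File]::ReadAllBytes($Path)
    if ($b.Length -lt 2 -or $b[0] -ne 0x05 -or $b[1] -ne 0x02) { throw "$Path is not a version 5.2 keytab" }
    $ascii = [System.Text.Encoding]::ASCII
    $i = 2
    $entries = @()
    while ($i + 4 -le $b.Length) {
        $size = [BitConverter]::ToInt32([byte[]]@($b[$i+3], $b[$i+2], $b[$i+1], $b[$i]), 0); $i += 4
        if ($size -le 0) { $i += -$size; continue }      # negative size marks a deleted slot
        $end = $i + $size
        $nComp = ($b[$i] -shl 8) -bor $b[$i+1]; $i += 2
        $len = ($b[$i] -shl 8) -bor $b[$i+1]; $i += 2
        $realm = $ascii.GetString($b, $i, $len); $i += $len
        $comps = @()
        for ($c = 0; $c -lt $nComp; $c++) {
            $len = ($b[$i] -shl 8) -bor $b[$i+1]; $i += 2
            $comps += $ascii.GetString($b, $i, $len); $i += $len
        }
        $i += 8                                            # name type + timestamp
        $vno = [int]$b[$i]; $i += 1
        $etype = ($b[$i] -shl 8) -bor $b[$i+1]; $i += 2
        $klen = ($b[$i] -shl 8) -bor $b[$i+1]; $i += 2 + $klen
        if ($end - $i -ge 4) {                             # 32-bit kvno, if present, takes precedence
            $vno = [BitConverter]::ToInt32([byte[]]@($b[$i+3], $b[$i+2], $b[$i+1], $b[$i]), 0)
        }
        $i = $end
        $entries += [pscustomobject]@{
            Principal = ($comps -join '/') + '@' + $realm
            Kvno      = $vno
            Etype     = $(if ($EtypeNames.ContainsKey($etype)) { $EtypeNames[$etype] } else { "etype $etype" })
        }
    }
    return $entries
}

Import-Module ActiveDirectory

# 1. A duplicate SPN anywhere in the forest breaks Kerberos for this service; refuse to proceed.
$dup = Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)"
if ($dup) { throw "SPN $Spn is already registered on $($dup.DistinguishedName)" }

# 2. Create the dedicated account with both checkboxes from step 1 set and AES-only Kerberos.
#    The initial password is random and discarded: ktpass replaces it in the next step.
$rnd = [byte[]]::new(32); [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($rnd)
New-ADUser -Name $Sam -SamAccountName $Sam -UserPrincipalName "$Sam@$Domain" -Enabled $true `
    -AccountPassword (ConvertTo-SecureString ([Convert]::ToBase64String($rnd)) -AsPlainText -Force) `
    -CannotChangePassword $true -PasswordNeverExpires $true -KerberosEncryptionType AES256

# 3. Write the keytab. "-pass *" makes ktpass prompt, keeping the password out of the command
#    line and transcripts; ktpass sets it on the account and bumps the kvno, which invalidates
#    any earlier keytab for this account. "-setupn" leaves the UPN alone (the default rewrites
#    it to the SPN). AES256-SHA1 avoids the RC4 and DES keys that "-crypto ALL" would also emit.
ktpass -princ "$Spn@$Realm" -mapuser "$Sam@$Domain" -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL `
       -pass '*' -target $Dc -setupn -out $Out
if ($LASTEXITCODE -ne 0) { throw "ktpass failed with exit code $LASTEXITCODE" }

# 4. Verify: the SPN must sit on this account, and the kvno in the file must match AD,
#    otherwise the application server presents keys the KDC no longer accepts.
setspn -L $Sam
$acct = Get-ADUser $Sam -Properties 'msDS-KeyVersionNumber','servicePrincipalName'
if ($acct.servicePrincipalName -notcontains $Spn) { throw "$Spn is not registered on $Sam" }
$entries = Read-Keytab -Path $Out
$entries | Format-Table -AutoSize
foreach ($e in $entries) {
    if ($e.Kvno -ne $acct.'msDS-KeyVersionNumber') {
        Write-Warning "kvno $($e.Kvno) in keytab differs from $($acct.'msDS-KeyVersionNumber') in AD; regenerate the keytab"
    }
    if ($e.Etype -match 'DES|RC4') { Write-Warning "weak key type $($e.Etype) present in keytab" }
}
```

The kvno check at the end is the one to keep around: a keytab that was valid yesterday stops working the moment someone re-runs ktpass against the same account or resets its password, and the only visible symptom on the application server is a generic Kerberos failure. Re-running Read-Keytab against the file and comparing with msDS-KeyVersionNumber in AD tells you immediately whether the keytab is stale. The reader deliberately skips the key bytes so its output can be pasted into a ticket without leaking the service key.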
That’s it. Hopefully, this article will help you to create a keytab file on a Domain Controller.
Please share your thoughts or suggestions in the comments section below.