Generating keytab files:
ktpass /out PRIMARY.keytab /princ HTTP/sso.test.com@PRIMARY.COM /mapuser nm093secidp01@PRIMARY.COM /pass N0v3ll@12 /crypto RC4-HMAC-NT /ptype KRB5_NT_PRINCIPAL /kvno 0
ktpass /out OTHER.keytab /princ HTTP/sso.test.com@OTHER.COM /mapuser nm093secidp01@OTHER.COM /pass N0v3ll@12 /crypto RC4-HMAC-NT /ptype KRB5_NT_PRINCIPAL /kvno 0
Merging keytab files:
If you have multiple keytab files that need to be in one place, you can merge the keys with the
Make sure the configuration you make in bcsLogin.conf is what the service needs in order to read the merged keytab information.
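As an added check for the merge step (my own example code, not from the article or from NetIQ; the merge tool the article refers to is not shown here): a parser for the keytab file format that ktpass writes, a merge that keeps each distinct principal/kvno/enctype entry once, and a function that lists the realms for which the merged file holds an RC4-HMAC key for HTTP/sso.test.com, which is what bcsLogin.conf will rely on. The sample keytab bytes are constructed in the block with dummy keys.

```python
import struct
RC4_HMAC_NT = 23       # Kerberos enctype chosen by ktpass /crypto RC4-HMAC-NT
KRB5_NT_PRINCIPAL = 1  # name type chosen by ktpass /ptype KRB5_NT_PRINCIPAL

def build_entry(principal, kvno, enctype, key):  # serializes one entry; used here to construct samples
    name, realm = principal.rsplit("@", 1)
    body = struct.pack(">H", name.count("/") + 1)  # number of name components
    for s in [realm] + name.split("/"):  # realm first, then the principal name components
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, 0, kvno & 0xFF)  # name type, timestamp, 8-bit vno
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)  # keyblock, 32-bit vno
    return struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Return the entries of an MIT 0x0502 keytab (the format ktpass writes) as dicts."""
    if data[:2] != b"\x05\x02": raise ValueError("not a version-2 (0x0502) keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        size = struct.unpack(">i", data[pos:pos + 4])[0]
        start, pos, end = pos, pos + 4, pos + 4 + abs(size)  # a negative size marks a deleted slot
        if size > 0:
            ncomp, strs, pos = struct.unpack(">H", data[pos:pos + 2])[0], [], pos + 2
            for _ in range(ncomp + 1):  # realm, then the name components
                n = struct.unpack(">H", data[pos:pos + 2])[0]
                strs.append(data[pos + 2:pos + 2 + n].decode())
                pos += 2 + n
            vno8, etype, klen = struct.unpack(">8xBHH", data[pos:pos + 13])  # 8x skips name type + timestamp
            pos += 13 + klen
            # optional trailing 32-bit kvno; a nonzero value overrides the 8-bit field
            kvno = (end - pos >= 4 and struct.unpack(">I", data[pos:pos + 4])[0]) or vno8
            entries.append({"principal": "/".join(strs[1:]) + "@" + strs[0], "kvno": kvno,
                            "enctype": etype, "raw": data[start:end]})
        pos = end
    return entries

def merge_keytabs(*keytabs):  # one keytab image holding every distinct (principal, kvno, enctype) once
    seen, out = set(), b"\x05\x02"
    for e in (e for kt in keytabs for e in parse_keytab(kt)):
        ident = (e["principal"], e["kvno"], e["enctype"])
        if ident not in seen:
            seen.add(ident)
            out += e["raw"]
    return out

def realms_with_key(keytab, spn="HTTP/sso.test.com", enctype=RC4_HMAC_NT):  # check on the merged file
    return sorted(e["principal"].split("@")[1] for e in parse_keytab(keytab)
                  if e["principal"].startswith(spn + "@") and e["enctype"] == enctype)

# Constructed stand-ins for PRIMARY.keytab and OTHER.keytab (dummy 16-byte keys, not real RC4 hashes).
PRIMARY_KEYTAB = b"\x05\x02" + build_entry("HTTP/sso.test.com@PRIMARY.COM", 0, RC4_HMAC_NT, bytes(16))
OTHER_KEYTAB = b"\x05\x02" + build_entry("HTTP/sso.test.com@OTHER.COM", 0, RC4_HMAC_NT, b"\x11" * 16)
```

Run realms_with_key on the merged file: both PRIMARY.COM and OTHER.COM must be listed, otherwise the IDP can only decrypt tickets from one of the domains.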
Add both user stores (PRIMARY.COM and OTHER.COM) to the IDP cluster.
The UPN presented in the ticket is used to search for the user, and the UPN suffix list is configured to accept the different UPN suffixes.
Enter only the second domain in the UPN Suffixes (in our case it's OTHER.com) and add both user stores in Kerberos Methods.
Note: Implementation procedures on Windows 2008 R2 are basically the same as with other Windows versions. However, since the DES cipher is disabled by default in Windows 2008 R2, enable DES cipher support on Windows 2008 R2. See the following tech note from Microsoft:
Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment. It just worked for at least one person, and perhaps it will be useful for you too. Be sure to test in a non-production environment.