14.4 Uploading a Keytab File

The Keytab file option, located under Server Options in the Advanced Authentication Administration portal, lets you upload a keytab file. A keytab file holds the Kerberos keys of the service principal (derived from the service account's password) that the Advanced Authentication server uses to authenticate to the selected Active Directory repository with Kerberos. Treat the file as a credential: anyone who obtains it holds a key equivalent to the service account's password.

  1. On a Domain Controller, generate a keytab file for Kerberos authentication to the Advanced Authentication server. For information on generating a keytab file, see the website.

    Sample command to create the keytab file:

    ktpass /princ HTTP/aas1.netiq.loc@NETIQ.LOC /mapuser aas1srv@netiq.loc /crypto ALL /ptype KRB5_NT_PRINCIPAL /mapop set /pass Q1w2e3r4 /out C:\Temp\keytab_aas1srv

    Information about the sample command is as follows:

    • HTTP in upper case is mandatory in the service principal name: Kerberos principal names are case-sensitive, and clients request a ticket for HTTP/<host>. For more information, see the website.

    • aas1 is the host name of the Advanced Authentication server as registered in DNS, netiq.loc is the DNS domain, and NETIQ.LOC (the domain name in upper case) is the Kerberos realm.

    • aas1srv is a service account created in Active Directory specifically for the Advanced Authentication server, in the same domain as the realm. Q1w2e3r4 is its password; the /pass option resets the account password to this value so that the key in the keytab matches the key stored in Active Directory. Use a strong password rather than the sample value.

    • /mapop set registers the service principal name on the account, replacing any service principal names already mapped to it.

    • The keytab file keytab_aas1srv is created in the folder C:\Temp. Restrict access to the file and delete it after the upload.

    IMPORTANT: If there are multiple Advanced Authentication servers in the cluster, generate a separate keytab file for each Advanced Authentication server, and use a different service account for each keytab file. Each server's service principal name contains that server's host name, and mapping a second name onto a shared account with /mapop set would replace the first.

  2. Click Upload, then select the keytab file to upload.
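The following PowerShell script is an added example; it is not part of the Advanced Authentication documentation or product. It carries out step 1 for every server in a cluster, creating one dedicated service account per server as the IMPORTANT note requires, and checks the points that commonly break Kerberos single sign-on before running ktpass: the host name must resolve in DNS, and the service principal name must not already be registered on another account. The server names aas1 and aas2, the output folder C:\Temp, the "srv" account-name suffix and the choice of /crypto AES256-SHA1 instead of the sample's ALL are assumptions. Run it on a domain controller, or on a host with the RSAT Active Directory module, as an account permitted to create users.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not the Advanced Authentication documentation's own script).
# Creates one Kerberos service account per Advanced Authentication server and
# writes a keytab for it with ktpass, mirroring the sample command in step 1.
# Assumptions: run on a domain controller (or an RSAT host) with rights to create
# users; server names, output folder and account-name suffix are placeholders.
[CmdletBinding()]
param(
    [string[]]$Servers = @('aas1', 'aas2'),  # assumed AA server host names (DNS A records)
    [string]$OutDir    = 'C:\Temp',
    [string]$Crypto    = 'AES256-SHA1'       # page sample uses ALL; AES-only avoids RC4/DES keys
)

$ErrorActionPreference = 'Stop'
Import-Module ActiveDirectory

$domain = (Get-ADDomain).DNSRoot            # e.g. netiq.loc
$realm  = $domain.ToUpperInvariant()        # Kerberos realm: the domain name in upper case
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

foreach ($server in $Servers) {
    $fqdn = "$server.$domain"
    $spn  = "HTTP/$fqdn"                     # service class HTTP must be upper case
    $sam  = "${server}srv"                   # one dedicated account per server, never shared
    $upn  = "$sam@$domain"                   # account in the same domain as the realm
    $out  = Join-Path $OutDir "keytab_$sam"

    # Browsers build the SPN from the host name they connect to, so it must resolve.
    Resolve-DnsName -Name $fqdn -Type A | Out-Null

    # An SPN registered on two accounts breaks Kerberos for that service; stop if it
    # already belongs to a different account.
    $owner = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties sAMAccountName
    if ($owner -and $owner.sAMAccountName -ne $sam) {
        throw "SPN $spn is already registered on $($owner.DistinguishedName)"
    }

    # Fresh random password per account; the keytab holds keys derived from it.
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] 24
    $rng.GetBytes($bytes)
    $pw    = [Convert]::ToBase64String($bytes)

    if (-not (Get-ADUser -Filter "SamAccountName -eq '$sam'")) {
        New-ADUser -Name $sam -SamAccountName $sam -UserPrincipalName $upn `
            -AccountPassword (ConvertTo-SecureString $pw -AsPlainText -Force) `
            -Enabled $true -PasswordNeverExpires $true -CannotChangePassword $true `
            -KerberosEncryptionType AES256 `
            -Description "Kerberos service account for Advanced Authentication server $fqdn"
    }

    # Same shape as the documented command. /mapop set replaces SPNs already on the
    # account and /pass resets the account password, so AD and the keytab share one key.
    & ktpass.exe /princ "$spn@$realm" /mapuser $upn /crypto $Crypto `
        /ptype KRB5_NT_PRINCIPAL /mapop set /pass $pw /out $out
    if ($LASTEXITCODE -ne 0) { throw "ktpass failed for $spn" }

    # Verify the mapping actually landed on the intended account.
    $acct = Get-ADUser -Identity $sam -Properties servicePrincipalName
    if ($acct.servicePrincipalName -notcontains $spn) { throw "SPN $spn not mapped to $sam" }

    # The keytab is password-equivalent for the account: restrict its ACL to the
    # current user and delete it once it has been uploaded to the server.
    & icacls.exe $out /inheritance:r /grant:r "$($env:USERDOMAIN)\$($env:USERNAME):(F)" | Out-Null
    Write-Host "Wrote $out for $spn@$realm (account $upn)"
}
```

Upload each keytab_<server>srv file to the matching Advanced Authentication server in step 2, then delete the local copies. If you keep the sample's /crypto ALL instead of AES256-SHA1, ktpass will also emit RC4 (and, where still enabled, DES) keys, which widens the set of ciphers a captured keytab can be abused with.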

NOTE: The keytab file can be removed only when an Active Directory repository is selected in the Kerberos SSO Options policy.