The Keytab file option, located under Server Options in the Advanced Authentication Administration portal, lets you upload a keytab file. The keytab file contains the Kerberos key material that the Advanced Authentication server needs to authenticate to the selected Active Directory using Kerberos.
Generate a keytab file for Kerberos authentication to the Advanced Authentication server on a Domain Controller. For information on generating a keytab file, see the website.
Sample command to create the keytab file:
ktpass /princ HTTP/aas1.netiq.loc@NETIQ.LOC /mapuser aas1srv@authasas.local /crypto ALL /ptype KRB5_NT_PRINCIPAL /mapop set /pass Q1w2e3r4 /out C:\Temp\keytab_aas1srv
Information about the sample command is as follows:
HTTP must be upper-case in the /princ parameter of the keytab file. For more information, see the website.
aas1 is the server name as registered in DNS; netiq.loc is the domain name.
aas1srv is a service account created in Active Directory specifically for the Advanced Authentication server; Q1w2e3r4 is its password.
The keytab file keytab_aas1srv is created in the folder C:\Temp.
IMPORTANT: If there are multiple Advanced Authentication servers in the cluster, generate a separate keytab file for each server, using a different service account for each one.
Click Upload to select and upload the keytab file.
NOTE: The keytab file can be removed only when an Active Directory repository is selected in the Kerberos SSO Options policy.