The keytab file contains the secret encryption key that is used to decrypt the Kerberos ticket. You need to generate the keytab file and copy it to Identity Server.
On the Active Directory server, open a command window and enter a ktpass command with the following parameters:
ktpass /out value /princ value /mapuser value /pass value /pType KRB5_NT_PRINCIPAL
The command parameters require the following values:
Parameter |
Value |
Description |
---|---|---|
/out |
<outputFilename> |
Specify a name for the file, with .keytab as the extension. For example: nidpkey.keytab |
/princ |
<servicePrincipalName> @<KERBEROS_REALM> |
Specify the service principal name for Identity Server, then @, followed by the Kerberos realm. The default value for the Kerberos realm is the Active Directory domain name in all capitals. The Kerberos realm value is case sensitive. |
/mapuser |
<identityServerUser>@<AD_DOMAIN> |
Specify the username of Identity Server user and the Active Directory domain to which the user belongs. |
/pass |
<userPassword> |
Specify the password for this user. |
/pType |
<principalType> |
Specify the principal type as KRB5_NT_PRINCIPAL. |
For this configuration example, specify the following command to create a keytab file named nidpkey:
ktpass /out nidpkey.keytab /princ HTTP/amser.nam.example.com@AD. EXAMPLE.COM /mapuser amser@AD.EXAMPLE.COM /pass example /pType KRB5_NT_PRINCIPAL
Add the file to /opt/novell/java/jre/lib/security on Identity Server. For information about how to add a file, see Section 4.2.1, Adding Configurations to a Cluster.