It is *NOT* necessary to use BOTH the setspn and ktpass commands when hooking the Service Principal Name (SPN) and the service account together, in order to generate the Kerberos keytab: -
You may notice in the WebSphere documentation that the setspn command is used before ktpass is issued. When you use ktpass with the -mapUser flag, the SPN is set automatically, so you don't actually need to issue the setspn command beforehand in this case. The examples in the later sections of this document show how setspn is used, but you don't need to worry about it right now. You may also note the documentation referring to the -mapOp flag. Again, you don't need to worry about that in this example; it is discussed later on.
In other words, here's an SPN I created earlier: -
HTTP/www.connections.ibm.com@IBM.COM
and here's the service account: -
ibm.connections
and here's the password: -
passw0rd
so here's a SINGLE command to create the SPN and generate the keytab: -
ktpass -princ HTTP/www.connections.ibm.com@IBM.COM -out c:\temp\keytab.txt -mapuser ibm.connections -mapOp set -pass passw0rd -ptype KRB5_NT_PRINCIPAL
and here's the command to list the SPNs for the ibm.connections service account: -
setspn -l ibm.connections
If I wanted to delete the SPN, I'd do this (setspn -l only lists, so it's -d, once per SPN to be removed): -
setspn -d HTTP/www.connections.ibm.com ibm.connections
If I then wanted to add a second SPN: -
HTTP/www.portal.ibm.com@IBM.COM
to the same service account, I'd do this: -
ktpass -princ HTTP/www.portal.ibm.com@IBM.COM -out c:\temp\keytab.txt -mapuser ibm.connections -mapOp add -pass passw0rd -ptype KRB5_NT_PRINCIPAL
In other words, I'd use -mapOp add rather than -mapOp set as this is a second SPN. Note that both commands write to the same c:\temp\keytab.txt and ktpass creates a fresh keytab on each run rather than appending, so the second run replaces the first file; pass -in c:\temp\keytab.txt on the second command to merge the new entry with the existing one.
Neat-o
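To check what ktpass actually wrote (the principal, kvno and encryption type of every entry), here is a small parser for the MIT-format keytab file that ktpass produces. This is an added example, not part of the original post: the sample keytab bytes are constructed inline, and the audit flags DES and RC4 entries, which is where a -crypto DES-CBC-MD5 key (as in the comment below) would land.

```python
import struct
# Enctype numbers from the IANA Kerberos registry; DES (1-3) and RC4 (23) are deprecated
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

def _cstr(buf, off):  # counted octet string: uint16 length + bytes
    n = struct.unpack_from(">H", buf, off)[0]
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Parse an MIT-format (0x0502) keytab, as written by ktpass, into a list of entry dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, off = [], 2
    while off + 4 <= len(data):
        size = struct.unpack_from(">i", data, off)[0]
        off += 4
        if size < 0:                      # negative size marks a deleted slot
            off -= size
            continue
        end = off + size
        ncomp = struct.unpack_from(">H", data, off)[0]
        realm, off = _cstr(data, off + 2)
        comps = []
        for _ in range(ncomp):
            c, off = _cstr(data, off)
            comps.append(c.decode())
        _name_type, _stamp, vno8, enctype, klen = struct.unpack_from(">IIBHH", data, off)
        off += 13 + klen                  # skip the fixed fields and the key bytes
        vno = struct.unpack_from(">I", data, off)[0] if end - off >= 4 else vno8
        off = end
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(), "kvno": vno,
                        "enctype": enctype, "weak": enctype in (1, 2, 3, 23)})
    return entries

def audit(data):
    """One line per entry, flagging DES/RC4 keys such as -crypto DES-CBC-MD5 produces."""
    return ["%s kvno=%d %s%s" % (e["principal"], e["kvno"], ENCTYPES.get(e["enctype"], "enctype-%d" % e["enctype"]),
                                  " [WEAK]" if e["weak"] else "") for e in parse_keytab(data)]

def _entry(principal, vno, enctype, key):  # build one entry for the constructed sample below
    svc, realm = principal.split("@")
    comps = svc.split("/")
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    body += b"".join(struct.pack(">H", len(c)) + c.encode() for c in comps)
    body += struct.pack(">IIBHH", 1, 0, vno & 0xFF, enctype, len(key)) + key + struct.pack(">I", vno)
    return struct.pack(">i", len(body)) + body
# Constructed sample keytab (not real key material): one AES256 entry and one DES entry
SAMPLE = (b"\x05\x02" + _entry("HTTP/www.connections.ibm.com@IBM.COM", 3, 18, b"\x11" * 32)
          + _entry("HTTP/www.portal.ibm.com@IBM.COM", 4, 3, b"\x22" * 8))
```

Feed parse_keytab the bytes of c:\temp\keytab.txt to see its entries; if two ktpass runs wrote to that same file without -in, only the last run's entry will be present.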
1 comment:
You really should think about using a random password when you run the ktpass command:
ktpass -out my.keytab -princ myuser@mydomain.com -mapUser myuser@mydomain.com -mapOp set -minPass 7 -maxPass 10 +rndPass -crypto DES-CBC-MD5 -pType KRB5_NT_PRINCIPAL +DesOnly
The fact that nobody knows the password is a good thing, as nobody needs to know! Bear in mind though, if there are password policies set on password creation, this command may fail. You need to retry the command until it works. Though you still won't know the password.