Monday, 16 January 2012

WebSphere Application Server and Kerberos - Stuff I did not know ....

Number #1223

It is *NOT* necessary to use BOTH the setspn and ktpass commands when hooking the Service Principal Name (SPN) and the service account together, in order to generate the Kerberos keytab: -

You may notice in the WebSphere documentation the usage of the setspn command before ktpass is issued. When you use ktpass with the –mapUser flag, the SPN is set automatically, so you don't actually need to issue the setspn command beforehand in this case. The examples in the later sections of this document show how setspn is used, but you don't need to worry about it right now. You may also note the documentation referring to the –mapOp flag as well. Again, you don't need to worry about that in this example and it will be discussed later on.
In other words, here's an SPN I created earlier: -


and here's the service account: -

ibm.connections

and here's the password: -

passw0rd

so here's a SINGLE command to create the SPN and generate the keytab: -

ktpass -princ HTTP/www.connections.ibm.com@IBM.COM -out c:\temp\keytab.txt -mapuser ibm.connections -mapOp set -pass passw0rd -ptype KRB5_NT_PRINCIPAL

and here's the command to list the SPNs for the ibm.connections service account: -

setspn -l ibm.connections

If I wanted to delete the SPNs, I'd do this: -

setspn -D HTTP/www.connections.ibm.com ibm.connections

If I then wanted to add a second SPN: -


to the same service account, I'd do this: -

ktpass -princ HTTP/www.portal.ibm.com@IBM.COM -out c:\temp\keytab.txt -mapuser ibm.connections -mapOp add -pass passw0rd -ptype KRB5_NT_PRINCIPAL

In other words, I'd use -mapOp add rather than -mapOp set as this is a second SPN.
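Before handing a keytab to WebSphere it is worth checking what ktpass actually wrote. The following is an added example, not code from the post or from IBM or Microsoft: it parses the MIT 0x0502 keytab layout (assumed here to be what ktpass produces), lists each entry's principal, kvno and enctype, and flags a keytab whose entries carry different kvnos, which is what you get when two ktpass runs each reset the account password. The sample keytab and key bytes are constructed for the example.

```python
import struct
from io import BytesIO

MAGIC = b"\x05\x02"  # MIT keytab format version 0x0502, the layout this example assumes ktpass writes

def _cstr(b: bytes) -> bytes:  # counted octet string: 16-bit big-endian length, then the bytes
    return struct.pack(">H", len(b)) + b

def build_entry(principal: str, kvno: int, enctype: int, key: bytes) -> bytes:
    """Serialise one keytab entry; used here only to construct sample input offline."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _cstr(realm.encode()) + b"".join(_cstr(c.encode()) for c in comps)
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # name type 1 = KRB5_NT_PRINCIPAL, timestamp, 8-bit kvno
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)  # keyblock, 32-bit kvno
    return struct.pack(">i", len(body)) + body

def parse_keytab(data: bytes) -> list:
    """Return principal, kvno and enctype for every entry; key bytes are skipped, not returned."""
    if data[:2] != MAGIC:
        raise ValueError("not a version 0x0502 keytab")
    f, entries = BytesIO(data[2:]), []
    while len(raw := f.read(4)) == 4:
        size = struct.unpack(">i", raw)[0]
        if size < 0:  # a negative size marks a deleted ("hole") entry of that many bytes
            f.read(-size)
            continue
        e = BytesIO(f.read(size))
        cstr = lambda: e.read(struct.unpack(">H", e.read(2))[0]).decode()
        ncomp = struct.unpack(">H", e.read(2))[0]
        realm = cstr()
        comps = [cstr() for _ in range(ncomp)]
        _ntype, _ts, vno8 = struct.unpack(">IIB", e.read(9))
        enctype, keylen = struct.unpack(">HH", e.read(4))
        e.read(keylen)
        tail = e.read(4)  # optional 32-bit kvno after the key; fall back to the 8-bit field
        kvno = struct.unpack(">I", tail)[0] if len(tail) == 4 else vno8
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": kvno, "enctype": enctype})
    return entries

def check_keytab(data: bytes, expected_spn: str) -> dict:
    """The SPN must be present and all entries must share one kvno: each ktpass run with -pass
    resets the account password, AD bumps the kvno, and entries from earlier runs go stale."""
    entries = parse_keytab(data)
    kvnos = sorted({e["kvno"] for e in entries})
    return {"has_spn": any(e["principal"] == expected_spn for e in entries),
            "single_kvno": len(kvnos) == 1, "kvnos": kvnos}

# Constructed sample: the post's two ktpass runs, the second having bumped the kvno (enctype 23 = RC4-HMAC; placeholder keys)
SAMPLE = MAGIC + build_entry("HTTP/www.connections.ibm.com@IBM.COM", 2, 23, b"\x11" * 16) + build_entry("HTTP/www.portal.ibm.com@IBM.COM", 3, 23, b"\x22" * 16)
```

Run `check_keytab(open("keytab.txt", "rb").read(), "HTTP/www.connections.ibm.com@IBM.COM")` against the real file; if `single_kvno` is false, regenerate the keytab in one pass (or merge with ktpass `-in`) rather than shipping entries with stale key versions.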

Neat-o

1 comment:

whale said...

You really should think about using a random password when you run the ktpass command:

ktpass -out my.keytab -princ myuser@mydomain.com -mapUser myuser@mydomain.com -mapOp set -minPass 7 -maxPass 10 +rndPass -crypto DES-CBC-MD5 -pType KRB5_NT_PRINCIPAL +DesOnly

The fact that nobody knows the password is a good thing, as nobody needs to know! Bear in mind though, if there are password policies set on password creation, this command may fail. You need to retry the command until it works. Though you still won't know the password.