You can use the Ktpass tool to generate and export the keytab file for the Kerberos account. Note that the version of the Ktpass tool that you use must match the Windows version of the domain controller. For example, if you are using a domain controller running Windows Server 2012 R2, Windows Server 2016 or Windows Server 2019, you must use the Ktpass tool for that particular version. The commands for generating and exporting the keytab file differ depending on whether you are generating the keytab file from a server running Windows Server 2012 R2, Windows Server 2016 or Windows Server 2019. A server running Windows Server 2012 R2, Windows Server 2016 or Windows Server 2019 allows you to generate a keytab file with multiple keys for one principal. This is useful when the KDC has principals with multiple encryption types. BloxOne Universal DDI can send and receive DDNS updates using GSS-TSIG.

...

Note

The keytab file contains highly sensitive data for your BloxOne Universal DDI account. Ensure that you store and transport its contents securely.

...

  1. Start a command prompt.
  2. Enter the following command to generate the keytab file for the BloxOne Universal DDI user account:

    ktpass -princ exampleuser@REALM -mapuser logon_name@REALM -pass password -out my.tab -ptype krb5_nt_principal -crypto encryption

    Example:

    ktpass -princ DNS/ns1.example.com@GSS.LOCAL -mapuser jsmith@GSS.LOCAL -pass 37Le37 -out ns1.keytab -ptype krb5_nt_principal -crypto RC4-HMAC-NT

    where:
    -princ = Kerberos principal. Note that this parameter is case-sensitive. Specifies the principal name for the host NIOS-X Server or service in this format: DNS/ns1.example.com@GSS.LOCAL

  • DNS = Service name in uppercase format.
  • ns1.example.com = Instance in FQDN (fully-qualified domain name) format; this is the same as the DNS name of the NIOS-X Server.
  • GSS.LOCAL = The Kerberos realm in uppercase format. This must be the same as the AD domain name.

...

  • jsmith = The AD user name for the BloxOne Universal DDI user account.
  • GSS.LOCAL = The Kerberos realm in uppercase. The realm (or domain name) must be the same as that specified in the -princ option.

...

  • 37Le37 = The password of the user account for BloxOne Universal DDI.

-out = The name of the keytab file that is generated.

...

Targeting domain controller: qacert.test.local

Using legacy password setting method

Successfully mapped DNS/ns1.example.com to ns1.

Key created.

Output keytab to ns1.keytab:

Keytab version: 0x502

keysize 80 DNS/ns1.example.com@GSS.LOCAL ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x12 (AES256-SHA1)

keylength 32 (0xea8675d7abf13fd760a744088642fb917ceb6c9d267f5c54e595597846f06407)

...

  1. Start a command prompt.
  2. Enter the following command to generate the keytab file for the BloxOne Universal DDI user account:

ktpass -princ exampleuser@REALM -mapuser logon_name@REALM -pass password -out my.tab -ptype krb5_nt_principal -crypto encryption
Example:
ktpass -princ DNS/ns1.example.com@GSS.LOCAL -mapuser jsmith@GSS.LOCAL -pass 37Le37 -out ns1.keytab -ptype krb5_nt_principal -crypto RC4-HMAC-NT
where:
-princ = Kerberos principal. Note that this parameter is case-sensitive. Specifies the principal name for the host NIOS-X Server or service in this format: DNS/ns1.example.com@GSS.LOCAL

    • DNS = This is an example of the service name in uppercase format.
    • ns1.example.com = This is an example of the instance in FQDN (fully-qualified domain name) format; this is the same as the DNS name of the NIOS-X Server.
    • GSS.LOCAL = This is an example of the Kerberos realm in uppercase format. This must be the same as the AD domain name.

...

    • jsmith = This is an example of the AD user name for the BloxOne Universal DDI user account.
    • GSS.LOCAL = This is an example of the Kerberos realm in uppercase. The realm (or domain name) must be the same as that specified in the -princ option.

...

    • 37Le37 = This is an example of the password of the user account for the BloxOne Universal DDI.

-out = The name of the keytab file that is generated.

...

Targeting domain controller: qacert.test.local

Using legacy password setting method

Successfully mapped DNS/ns1.example.com to ns1.

Key created.

Output keytab to ns1.keytab:

Keytab version: 0x502

keysize 80 DNS/ns1.example.com@GSS.LOCAL ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x12 (AES256-SHA1)

keylength 32 (0xea8675d7abf13fd760a744088642fb917ceb6c9d267f5c54e595597846f06407)
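
To confirm which principal, key version and encryption type a generated keytab actually holds before it is uploaded, the file can be inspected without displaying its key bytes. The following is an added example, not part of the original page or of any Infoblox or Microsoft tooling; the function names and the sample keytab (all-zero keys, constructed here) are assumptions.

```python
import struct

# Kerberos enctype numbers; 18 is the 0x12 (AES256-SHA1) shown in the Ktpass output.
ETYPES = {1: "DES-CBC-CRC", 3: "DES-CBC-MD5", 17: "AES128-SHA1",
          18: "AES256-SHA1", 23: "RC4-HMAC"}
WEAK = {1, 3, 23}  # DES and RC4 enctypes, flagged for review

def _counted(buf, pos):
    """Read a 16-bit length-prefixed string; return (text, new_pos)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n].decode(), pos + 2 + n

def audit_keytab(data):
    """List the entries of a version 0x502 keytab; key bytes are never returned."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x502 keytab")
    pos, out = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:  # 0 = end padding, negative = deleted slot to skip
            pos = len(data) if size == 0 else pos - size
            continue
        end, p = pos + size, pos
        (ncomp,) = struct.unpack_from(">H", data, p)
        realm, p = _counted(data, p + 2)
        parts = []
        for _ in range(ncomp):
            s, p = _counted(data, p)
            parts.append(s)
        _ntype, _ts, kvno, etype, klen = struct.unpack_from(">IIBHH", data, p)
        p += 13 + klen  # skip the fixed fields and the key itself
        if end - p >= 4:  # optional 32-bit kvno replaces the 8-bit one if non-zero
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        out.append({"principal": "/".join(parts) + "@" + realm, "kvno": kvno,
                    "etype": ETYPES.get(etype, hex(etype)),
                    "weak": etype in WEAK, "size": size})
        pos = end
    return out

def _sample_entry(etype, klen):
    # Constructed entry with an all-zero key; not real key material.
    s = lambda t: struct.pack(">H", len(t)) + t
    body = (struct.pack(">H", 2) + s(b"GSS.LOCAL") + s(b"DNS")
            + s(b"ns1.example.com")
            + struct.pack(">IIBHH", 1, 0, 3, etype, klen) + bytes(klen))
    return struct.pack(">i", len(body)) + body

SAMPLE = b"\x05\x02" + _sample_entry(18, 32) + _sample_entry(23, 16)
```

For a real file, pass the bytes read from the keytab to `audit_keytab` and review any entry whose `weak` field is true.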
