Kerberos - KeyTab (Key Table)


1 - About

All Kerberos server machines need a keytab file to authenticate to the KDC.

A keytab file contains one or more shared secret keys, each stored together with the principal name it belongs to and a key version number.

A service uses its keytab file in much the same way as a user uses his/her password: it is the service's long-term credential, so it must be protected accordingly.
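To make the "one or more shared secret keys" concrete, here is an added example (not from the original page) that parses the MIT keytab format, version 0x0502: each entry carries the principal, a timestamp, the key version number and a keyblock (enctype plus key bytes), and a deleted entry leaves a hole marked by a negative size. The enctype names, the field layout and the sample keytab bytes are constructed here for illustration; the sample is not a real keytab.

```python
import struct
# IANA Kerberos encryption type numbers commonly found in keytabs
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
WEAK_ENCTYPES = {1, 3, 23}   # single DES and RC4: flag these during a keytab audit

def _counted(buf, off):
    # MIT 'counted_octet_string': uint16 big-endian length followed by the bytes
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Parse an MIT-format (0x0502) keytab into a list of entry dicts; deleted slots are skipped."""
    if data[:2] != b"\x05\x02": raise ValueError("only keytab format version 0x0502 is supported")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off); off += 4
        if size <= 0:            # negative size marks a hole left by a deleted entry
            off += -size
            continue
        end, p = off + size, off
        (ncomp,) = struct.unpack_from(">H", data, p); p += 2
        realm, p = _counted(data, p)
        comps = []
        for _ in range(ncomp):
            c, p = _counted(data, p); comps.append(c.decode())
        _name_type, _timestamp, vno8, enctype = struct.unpack_from(">IIBH", data, p); p += 11
        key, p = _counted(data, p)
        # a 32-bit kvno follows the keyblock when the entry has room for it (vno8 wraps past 255)
        kvno = struct.unpack_from(">I", data, p)[0] if end - p >= 4 else vno8
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(), "kvno": kvno, "enctype": enctype, "key": key})
        off = end
    return entries

def weak_entries(entries):
    # principals whose key is stored under a DES or RC4 enctype
    return [(e["principal"], ENCTYPE_NAMES.get(e["enctype"], str(e["enctype"]))) for e in entries if e["enctype"] in WEAK_ENCTYPES]

def _entry(components, realm, enctype, key, kvno, timestamp=1556302860):
    # serialize one entry; used only to build the constructed sample below
    body = struct.pack(">HH", len(components), len(realm)) + realm
    for c in components:
        body += struct.pack(">H", len(c)) + c
    body += struct.pack(">IIBH", 1, timestamp, kvno & 0xFF, enctype) + struct.pack(">H", len(key)) + key
    return struct.pack(">i", len(body)) + body

# Constructed sample (not a real keytab): an AES-256 HTTP service key, an 8-byte deleted hole, a legacy RC4 host key
SAMPLE_KEYTAB = (b"\x05\x02" + _entry([b"HTTP", b"myappserver.example.com"], b"EXAMPLE.COM", 18, bytes(32), 3)
                 + struct.pack(">i", -8) + bytes(8) + _entry([b"host", b"sample1.example.com"], b"EXAMPLE.COM", 23, bytes(16), 2))
```

Running `weak_entries(parse_keytab(open(path, "rb").read()))` over a real keytab lists the principals still keyed with DES or RC4, which is the usual first check when reviewing a service's keytab.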


3 - Default Location


4 - Operating System

4.1 - Windows

  • Use the setspn command to map the Kerberos service principal name, HTTP/<host name>, to a Microsoft user account. An example of setspn usage is as follows:
C:\Program Files\Support Tools> setspn -A HTTP/<host name> myappserver
  • Then write the key for that account into a keytab file with ktab.exe (the realm name must be specified in capitals):
ktab.exe -k keytab-file-name -a account-name@REALM.NAME

4.2 - Linux

To generate a .keytab file for a host computer that is not running the Windows operating system:

  • Connect to the AD domain controller.
  • Map the principal to the account and set the host principal password with ktpass:
ktpass /princ host/[email protected] /mapuser Sample1 /pass MyPas$w0rd /out Sample1.keytab /crypto all /ptype KRB5_NT_PRINCIPAL /mapop set
  • Merge the generated .keytab file into the /etc/krb5.keytab file on the host computer that is not running the Windows operating system.

5 - Documentation / Reference

security/auth/kerberos/keytab.txt · Last modified: 2019/04/26 20:21 by gerardnico