You can create one user account to authenticate at multiple Central Node servers. To do so, you must create a keytab file that contains a service principal name (hereinafter also SPN) for each of these servers. When you create the keytab file, you must use an attribute to generate a salt (a hash function input modifier).
Save the generated salt in a convenient place: you will need it to add more SPNs to the keytab file in the future.
You can also create a separate Active Directory user account for each Central Node server for which you want to set up Kerberos authentication.
To create a keytab file using one user account:
1. Create a user account in Active Directory (for example, with control-user as its name).
2. Create a keytab file for the control-user user. To do so, run the following command on the command line:
C:\Windows\system32\ktpass.exe -princ HTTP/<fully qualified domain name (FQDN) of the Central Node server>@<realm name of the Active Directory domain in uppercase> -mapuser control-user@<realm name of the Active Directory domain in uppercase> -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass * +dumpsalt -out <path to the file>\<file name>.keytab
The utility requests the control-user password when executing the command.
The SPN of the selected server is added to the created keytab file. The generated salt is displayed on screen: Hashing password with salt "<hash value>".
3. Add the SPN of each remaining Central Node server to the keytab file. For each server, run the following command on the command line:
C:\Windows\system32\ktpass.exe -princ HTTP/<fully qualified domain name (FQDN) of the Central Node server>@<realm name of the Active Directory domain in uppercase> -mapuser control-user@<realm name of the Active Directory domain in uppercase> -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass * -in <path and name of the previously created file>.keytab -out <path and new name>.keytab -setupn -setpass -rawsalt "<hash value of the salt displayed when the keytab file was created at step 2>"
The utility requests the control-user password when executing the command.
The keytab file is created. This file contains all added SPNs of the selected servers.
Example: you need to create a keytab file containing the SPNs of 3 servers. To create a
Let's say you got
To add another SPN, run the following command:
To add a third SPN:
This creates a
To create a keytab file using a separate account for each Central Node server:
1. Create a separate user account in Active Directory for each Central Node server (for example, with control-user, secondary1-user, secondary2-user, etc. as their names).
2. Create a keytab file for the control-user user. To do so, run the following command on the command line:
C:\Windows\system32\ktpass.exe -princ HTTP/<fully qualified domain name (FQDN) of the Central Node server>@<realm name of the Active Directory domain in uppercase> -mapuser control-user@<realm name of the Active Directory domain in uppercase> -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass * -out <path to the file>\<file name>.keytab
The utility requests the control-user password when executing the command.
The SPN of the selected server is added to the created keytab file.
3. Add the SPN of each remaining Central Node server to the keytab file, mapping it to that server's own account. For each server, run the following command on the command line:
C:\Windows\system32\ktpass.exe -princ HTTP/<fully qualified domain name (FQDN) of the Central Node server>@<realm name of the Active Directory domain in uppercase> -mapuser secondary1-user@<realm name of the Active Directory domain in uppercase> -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass * -in <path and name of the previously created file>.keytab -out <path and new name>.keytab
The utility requests the secondary1-user password when executing the command.
The keytab file is created. This file contains all added SPNs of the selected servers.
Example: you need to create a keytab file containing the SPNs of 3 servers. To create a
To add another SPN, run the following command:
To add a third SPN:
This creates a
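After the last ktpass run in either procedure, it is worth confirming that the resulting file really holds one entry per Central Node SPN and that every entry uses the AES256 key type requested with -crypto AES256-SHA1, rather than trusting the chain of -in/-out runs blindly. The Python below is an added check, not part of this documentation or of ktpass: it parses the keytab layout (version 0x0502, as written by MIT krb5 and ktpass.exe) and reports missing SPNs and non-AES256 entries. The realm EXAMPLE.LOCAL, the cn*.example.local names, the key bytes and the whole sample keytab are constructed here, and the RC4 entry is planted so the check has something to flag.

```python
import struct

# Keytab v0x0502 (big-endian, as written by MIT krb5 and ktpass.exe). Entry layout: int32 size
# (<=0: deleted slot) | uint16 ncomp | realm, components as uint16-length strings | uint32 name_type
# | uint32 timestamp | uint8 kvno | uint16 enctype | uint16 key_len | key | optional uint32 kvno
AES256 = 18   # enctype id written by ktpass "-crypto AES256-SHA1"

def _counted(buf, pos):
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def _entry(buf, pos, end):
    (ncomp,) = struct.unpack_from(">H", buf, pos)
    realm, pos = _counted(buf, pos + 2)
    comps = []
    for _ in range(ncomp):
        c, pos = _counted(buf, pos)
        comps.append(c.decode())
    _ntype, _ts, kvno, enctype, klen = struct.unpack_from(">IIBHH", buf, pos)
    pos += 13 + klen
    if pos + 4 <= end:                      # 32-bit kvno overrides the 8-bit one
        (kvno,) = struct.unpack_from(">I", buf, pos)
    return {"principal": "/".join(comps) + "@" + realm.decode(),
            "kvno": kvno, "enctype": enctype}

def parse_keytab(data):
    assert data[:2] == b"\x05\x02", "unsupported keytab version"
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        if size > 0:                        # size <= 0 marks a deleted slot
            entries.append(_entry(data, pos + 4, pos + 4 + size))
        pos += 4 + abs(size)
    return entries

def check_keytab(data, expected_spns):
    """Return (expected SPNs missing from the file, entries not keyed with AES256)."""
    entries = parse_keytab(data)
    missing = sorted(set(expected_spns) - {e["principal"] for e in entries})
    return missing, sorted(e["principal"] for e in entries if e["enctype"] != AES256)

def build_entry(spn, realm, key, kvno=3, enctype=AES256):
    # Builds a constructed sample entry for offline testing; not the output of ktpass.
    parts = [realm] + spn.split("/")
    body = struct.pack(">H", len(parts) - 1)
    body += b"".join(struct.pack(">H", len(s)) + s.encode() for s in parts)
    body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, enctype, len(key)) + key
    return struct.pack(">i", len(body) + 4) + body + struct.pack(">I", kvno)

# Constructed sample keytab: two entries, the second wrongly keyed with RC4 (enctype 23).
SAMPLE_KEYTAB = (b"\x05\x02" + build_entry("HTTP/cn1.example.local", "EXAMPLE.LOCAL", b"\x11" * 32)
    + build_entry("HTTP/cn2.example.local", "EXAMPLE.LOCAL", b"\x22" * 16, enctype=23))
```

To check a real file, pass `open(path, "rb").read()` and the list of HTTP/<FQDN>@<REALM> names you added to `check_keytab`; both returned lists should be empty.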