Create a Kerberos service principal and keytab file that is used by the WebSphere Application Server SPNEGO TAI

Operating Systems: i5/OS
Personalize the table of contents and search results

Create a Kerberos service principal and keytab file that is used by the WebSphere Application Server SPNEGO TAI

You perform this configuration task on the Microsoft Active Directory domain controller machine. This task is a necessary part of preparing to process single sign on browser requests to WebSphere Application Server and thee SPNEGO trust association interceptor (TAI). You need to have a running domain controller and at least one client machine in that domain.

Overview

This task is performed on the active directory domain controller machine. Complete the following steps to ensure that the Microsoft Windows 2000 or Windows 2003 Server that is running the active directory domain controller is configured properly to the associated key distribution center (KDC).

Procedure

Create a user account in the Microsoft Active Directory for the WebSphere Application Server.
Click Start->Programs->Administrative Tools->Active Directory Users and Computers Use the name for the WebSphere Application Server. For example, if the Application Server you are running on the WebSphere Application Server machine is called myappserver.austin.ibm.com, create a new user in Active Directory called myappserver.
Do not select "User must change password at next logon."
Verify you do not have the computer name myappserver under Computers and Domain Controllers (You check for this condition as illustrated below.). If you already have a computer name myappserver, then you need to create a different user account name.
- Goto Start -> Programs -> Administrative Tools -> Active Directory Users and Computers->Computers
- Goto Start -> Programs -> Administrative Tools -> Active Directory Users and Computers->Domain Controllers
Use the setspn command to map the Kerberos service principal name, HTTP/<host name>, to a Microsoft user account. An example of setspn usage is as follows:
```
C:\Program Files\Support Tools>
setspn -A HTTP/myappserver.austin.ibm.com myappserver
```
Note: There may already be some SPNs related to the Microsoft Windows hosts that have been added to the domain. You can display those that exist by using the setspn -L command, but you still have to add an HTTP SPN for WebSphere Application Server. For example, setspn -L myappserver would list the SPNs.
Make sure that you do not have the same SPNs mapping to more than one Microsoft user account. If you map the same SPN to more than one user account, the web browser client can send a NTLM instead of SPNEGO token to WebSphere Application Server.
More information about the setspn command can be found here, Windows 2003 Technical Reference (setspn command)

Create the Kerberos keytab file and make it available to WebSphere Application Server. Use the ktpass command to create the Kerberos keytab file (krb5.keytab).

Use the ktpass tool from the Windows Server toolkit to create the Kerberos keytab file for the service principal name (SPN). Use the ktpass tool that matches the Windows server level you are using. That is, use the Windows 2000 version for a Windows 2000 Server, or a Windows 2003 version for a Windows 2003 server. The Windows 2003 server version of the ktpass tool supports the encryption type, RC4-HMAC, and Single data encryption standard (DES). The Windows 2000 server version of the ktpass tool are similar, but different options are necessary for the RC4-HMAC encryption type and single DES. For more information about the ktpass tool, see Windows 2003 Technical Reference (Kerberos keytab file and ktpass command). Below is a summary of the functions available when you enter ktpass -? on the command line.

C:\MS SDK>ktpass -?
Command line options:

---------------------most useful args
[- /]          out : Keytab to produce
[- /]        princ : Principal name (user@REALM)
[- /]         pass : password to use
                     use "*" to prompt for password.
---------------------less useful stuff
[- /]      mapuser : map princ (above) to this user account (default: don't)
[- /]        mapOp : how to set the mapping attribute (default: add it)
[- /]        mapOp :  is one of:
[- /]        mapOp :        add : add value (default)
[- /]        mapOp :        set : set value
[- +]      DesOnly : Set account for des-only encryption (default:no)
[- /]           in : Keytab to read/digest
---------------------options for key generation
[- /]       crypto : Cryptosystem to use
[- /]       crypto :  is one of:
[- /]       crypto : DES-CBC-CRC : for compatibility
[- /]       crypto : DES-CBC-MD5 : default
[- /]       crypto :        RC4 :
[- /]        ptype : principal type in question
[- /]        ptype :  is one of:
[- /]        ptype : KRB5_NT_PRINCIPAL : The general ptype-- recommended
[- /]        ptype : KRB5_NT_SRV_INST : user service instance
[- /]        ptype : KRB5_NT_SRV_HST : host service instance
[- /]         kvno : Override Key VNumber
                     Default: query DC for kvno.  Use /kvno 1 for Win2K compat.
[- +]       Answer : +Answer answers YES to prompts.  -Answer answers NO.
[- /]       Target : Which DC to use.  Default:detect

Depending on the encryption type, you use the ktpass tool in one of the following ways to create the Kerberos keytab file:

Do not use the -pass switch on the ktpass command to reset a password for a Microsoft Windows server account. See Windows 2003 Technical Reference (Kerberos keytab file and ktpass command) for more information.

For a single DES encryption typeFrom a command prompt, run the ktpass command:

ktpass -out c:\temp\myappserver.keytab
-princ HTTP/myappserver.austin.ibm.com@WSSEC.AUSTIN.IBM.COM
-mapUser myappserv 
-mapOp set -pass was1edu
-crypto DES-CBC-MD5 
+DesOnly

Table 1. Using ktpass for a single DES encryption type

Option Explanation

-out c:\temp\myappserver.keytab The key is written to this output file.

-princ HTTP/myappserver.austin.ibm.com@WSSEC.AUSTIN.IBM.COM
The concatenation of the user logon name, and the realm must be in uppercase.
-mapUser The key is mapped to the user, myappserver.
-mapOp This option sets the mapping.
-pass was1edu This option is the password for the user ID.
-crypto DES-CBC-MD5 This option uses the single DES encryption type.
+DesOnly This option generates only DES encryptions.

Table 1. Using ktpass for a single DES encryption type

Option	Explanation
-out c:\temp\myappserver.keytab	The key is written to this output file.
-princ HTTP/myappserver.austin.ibm.com@WSSEC.AUSTIN.IBM.COM	The concatenation of the user logon name, and the realm must be in uppercase.
-mapUser	The key is mapped to the user, myappserver.
-mapOp	This option sets the mapping.
-pass was1edu	This option is the password for the user ID.
-crypto DES-CBC-MD5	This option uses the single DES encryption type.
+DesOnly	This option generates only DES encryptions.

For the RC4-HMAC encryption type

RC4-HMAC encryption is only supported when using a Windows 2003 Server as KDC. RC4-HMAC encryption is not supported with a Windows 2000 Server as KDC. From a command prompt, run the ktpass command.

ktpass -out c:\temp\myappserver.keytab 
-princ HTTP/myappserver.austin.ibm.com@WSSEC.AUSTIN.IBM.COM 
-mapUser myappserver
-mapOp set 
–pass was1edu 
-crypto RC4-HMAC

Table 2. Using ktpass for the RC4-HMAC encryption type

Option Explanation

-out c:\temp\myappserver.keytab The key is written to this output file.

-princ HTTP/myappserver.austin.ibm.com@WSSEC.AUSTIN.IBM.COM
The concatenation of the user logon name, and the realm must be in uppercase.
-mapUser The key is mapped to the user, myappserver.
-mapOp This option sets the mapping.
-pass was1edu This option is the password for the user ID.
-crypto RC4-HMAC This option chooses the RC4-HMAC encryption type.

Table 2. Using ktpass for the RC4-HMAC encryption type

Option	Explanation
-out c:\temp\myappserver.keytab	The key is written to this output file.
-princ HTTP/myappserver.austin.ibm.com@WSSEC.AUSTIN.IBM.COM	The concatenation of the user logon name, and the realm must be in uppercase.
-mapUser	The key is mapped to the user, myappserver.
-mapOp	This option sets the mapping.
-pass was1edu	This option is the password for the user ID.
-crypto RC4-HMAC	This option chooses the RC4-HMAC encryption type.

The Kerberos keytab file is created for use with the SPNEGO TAI.The krb5.conf configuration file supports trigraphs to represent the {, }, [, and ] characters. These characters depend on the language set. The natively generated keytabs cannot be read by the Kerberos client. If you have difficulty configuring SPNEGO TAI with the native krb5.conf or krb5.keytab files, complete one of the following scenarios to address the trigraphs issue:

Replace the trigraphs in the krb5.conf file with the characters that they represent.
Use the krb5.conf file that is generated by WebSphere Application Server.
Use a Microsoft Windows or a key distribution center (KDC) generated keytab file.

Note: A Kerberos keytab configuration file contains a list of keys that are analogous to user passwords. It is important for hosts to protect their Kerberos keytab files by storing them on the local disk, which makes them readable only be authorized users. You make the keytab file available to WebSphere Application Server by copying the krb5.keytab file from the Domain Controller (LDAP machine) to the WebSphere Application Server machine.

ftp> bin
ftp> put c:\temp\KRB5_NT_SEV_HST\krb5.keytab

Results

Your active directory domain controller is properly configured to process single sign on requests to WebSphere Application Server and the SPNEGO TAI

}
Using the ktab command to manage the Kerberos keytab file

Related concepts

Single sign-on for HTTP requests using SPNEGO

Related tasks

Configuring WebSphere Application Server and enabling the SPNEGO TAI
Configuring JVM custom properties, filtering HTTP requests, and enabling SPNEGO TAI in WebSphere Application Server
Creating a single sign-on for HTTP requests using the SPNEGO TAI