Using ktab to generate a Kerberos keytab file without setspn.exe or ktpass.exe

The NetIQ documentation describes clearly how to set up Kerberos for Access Manager, but it does not cover the case where the Identity Server (IdP) runs on Windows and that server is a member server of the domain. setspn.exe needs a user account to carry the servicePrincipalName, and the documentation uses the server name as that account name; on a member server that name is already taken by the server's computer object in Active Directory.

The following describes an alternative way of setting the servicePrincipalName on the user object and generating the nidpkey.keytab file with the ktab tool that ships with the Java runtime.

This article assumes that a Windows Server 2008 domain controller exists in the domain (supported since Access Manager 3.1 SP2).

In this example the Active Directory domain is domain.com, the Kerberos realm is DOMAIN.COM, the domain controller is srvdc, the IdP server name is srvidp, and the IdP URL is idp.domain.com. The workstation on which these steps are performed only needs network access to Active Directory and the KDC (the domain controller); it does not have to be a member of the domain.

  1. Create the user srvidp in Active Directory with the userPrincipalName HTTP/idp.domain.com@DOMAIN.COM, the pre-Windows 2000 user logon name srvidp, and the desired password (idpuserpassword in this example). The keys in the keytab are derived from this password, so every change of the password invalidates the keytab and it has to be regenerated.
  2. Using the Windows Server 2008 Active Directory Users and Computers console, enable Advanced Features under the View menu.
  3. Under the properties of the srvidp user, select the Attribute Editor tab.
  4. Double click the servicePrincipalName attribute to edit.
  5. Add the values HTTP/idp.domain.com and HTTP/idp.domain.com@DOMAIN.COM.
  6. Install the Sun Java SE JRE and add its bin directory to the PATH (if this workstation is a member of the domain, the klist executable in the same directory can also list the Kerberos tickets issued to the workstation and to the logged-in domain user).
  7. Create a C:\WINDOWS\krb5.ini file with the following content. ktab reads the realm, the KDC and the encryption types from this file; the enctype lists determine which keys end up in the keytab:
[libdefaults]
    default_realm = DOMAIN.COM
    default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
    default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
    permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5

[realms]
    DOMAIN.COM = {
        kdc = srvdc.domain.com
        admin_server = srvdc.domain.com
        default_domain = domain.com
    }

[domain_realm]
    domain.com = DOMAIN.COM
    .domain.com = DOMAIN.COM
  8. From a command prompt, execute:
     ktab -a HTTP/idp.domain.com idpuserpassword -k nidpkey.keytab
     This derives a key from the password for each encryption type listed in krb5.ini and writes them to nidpkey.keytab in the current directory. ktab does not contact the domain controller: the key version number (KVNO) it records starts at 1 and is not synchronised with the account's version number in Active Directory, so after a password change generate a fresh keytab rather than appending to the old one.
  9. Validate the content by executing the following command, which should print something similar to the lines below:
     ktab -l -k nidpkey.keytab
     Keytab name: C:\nidpkey.keytab
     KVNO    Principal
     ---------------------------------------------------------
       1     HTTP/idp.domain.com@DOMAIN.COM
       1     HTTP/idp.domain.com@DOMAIN.COM
       1     HTTP/idp.domain.com@DOMAIN.COM
       1     HTTP/idp.domain.com@DOMAIN.COM

     Each line is one key entry, one per encryption type configured in the krb5.ini file (rc4-hmac, des3-cbc-sha1, des-cbc-crc and des-cbc-md5 in this example, hence four lines). This listing does not show the encryption type of each entry; newer Java releases document ktab -l -e for that.

     Two caveats. First, single DES is disabled by default on Windows Server 2008 R2 and later, and RC4 and 3DES are deprecated (RFC 8429), so in a current domain the key that actually gets used from this keytab is the rc4-hmac one. To use AES, add aes256-cts-hmac-sha1-96 to the three enctype lists in krb5.ini and enable AES on the srvidp account (the "This account supports Kerberos AES 256 bit encryption" option, which sets msDS-SupportedEncryptionTypes), then verify with a real logon: AES keys are salted, and the salt ktab assumes is not guaranteed to match the one Active Directory uses for the account, whereas rc4-hmac is unsalted, which is why this recipe works without further tuning. Second, the keytab is as sensitive as the account password; its rc4-hmac key is exactly the account's NT hash. Restrict the file's ACL to the account the IdP runs as and copy it to srvidp over a protected channel.
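The listing above shows four identical-looking lines; the following added example (written for this article, not NetIQ or Java code) reads a keytab in the MIT version-2 layout that Java's ktab writes and reports what ktab -l omits: the enctype of every entry. It also derives the rc4-hmac key the real way (unsalted MD4 of the UTF-16LE password, RFC 4757), which is why that key is the account's NT hash. The sample keytab is constructed inline from the page's own principal and password; the aes256 entry carries placeholder key bytes because the AES string-to-key (PBKDF2 with a salt) is not shown here, and the principal name type and timestamp values are assumptions.

```python
"""Inspect a keytab written by ktab: principal, kvno and the enctype that ktab -l omits.
Added example for this article (not NetIQ or Java code). Assumes the MIT keytab
version-2 layout (05 02 header) that Java's ktab writes; the sample is constructed."""
import struct

KEYTAB_MAGIC = b"\x05\x02"
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1", 23: "rc4-hmac",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}
DEPRECATED = {1, 3, 16, 23}  # single DES (RFC 6649), 3DES and RC4 (RFC 8429)
M = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """MD4 (RFC 1320), inlined because hashlib lacks it on many OpenSSL 3 builds."""
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & M
    f, g, h = (lambda x, y, z: (x & y) | (~x & z),
               lambda x, y, z: (x & y) | (x & z) | (y & z), lambda x, y, z: x ^ y ^ z)
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x, (aa, bb, cc, dd) = struct.unpack("<16I", msg[off:off + 64]), (a, b, c, d)
        for i in range(16):  # round 1
            a = rotl((a + f(b, c, d) + x[i]) & M, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2
            a = rotl((a + g(b, c, d) + x[i % 4 * 4 + i // 4] + 0x5A827999) & M, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i, k in enumerate((0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)):  # round 3
            a = rotl((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & M, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & M, (b + bb) & M, (c + cc) & M, (d + dd) & M
    return struct.pack("<4I", a, b, c, d)


def rc4_hmac_key(password: str) -> bytes:
    """RFC 4757 string-to-key for enctype 23: unsalted MD4 of the UTF-16LE password,
    i.e. the account's NT hash. This is why the keytab is as sensitive as the password."""
    return md4(password.encode("utf-16-le"))


def build_keytab(entries) -> bytes:
    # entries: (principal@REALM, kvno, enctype, key); one keytab v2 record each
    cstr = lambda s: struct.pack(">H", len(s)) + s.encode()
    out = bytearray(KEYTAB_MAGIC)
    for principal, kvno, etype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + cstr(realm) + b"".join(map(cstr, comps))
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # NT_PRINCIPAL (assumed), timestamp 0, 8-bit vno
        body += struct.pack(">HH", etype, len(key)) + key + struct.pack(">I", kvno)  # 32-bit vno
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def _cstr_at(data: bytes, pos: int):
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n].decode(), pos + 2 + n


def parse_keytab(data: bytes) -> list:
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 keytab (expected header 05 02)")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                 # negative size marks a deleted slot of |size| bytes
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _cstr_at(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _cstr_at(data, pos)
            comps.append(comp)
        _name_type, _timestamp, kvno = struct.unpack_from(">IIB", data, pos)
        etype, klen = struct.unpack_from(">HH", data, pos + 9)
        key, pos = data[pos + 13:pos + 13 + klen], pos + 13 + klen
        if end - pos >= 4:           # optional 32-bit vno; authoritative when non-zero
            kvno = struct.unpack_from(">I", data, pos)[0] or kvno
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": kvno, "key": key,
                        "enctype": etype, "enctype_name": ENCTYPE_NAMES.get(etype, "etype%d" % etype)})
        pos = end
    return entries


def audit_keytab(data: bytes, expected_principal: str):
    # checks worth running after `ktab -a`; returns (ok, findings)
    mine = [e for e in parse_keytab(data) if e["principal"] == expected_principal]
    findings = [] if mine else ["no entry for " + expected_principal]
    if len({e["kvno"] for e in mine}) > 1:
        findings.append("mixed kvnos: keys from an earlier password are still present")
    if mine and not any(e["enctype"] in (17, 18) for e in mine):
        findings.append("no AES key: the IdP can only accept tickets under deprecated enctypes")
    findings += ["deprecated enctype %s (kvno %d)" % (e["enctype_name"], e["kvno"])
                 for e in mine if e["enctype"] in DEPRECATED]
    return not findings, findings


PRINCIPAL = "HTTP/idp.domain.com@DOMAIN.COM"
SAMPLE_KEYTAB = build_keytab([  # constructed sample, not a captured file
    (PRINCIPAL, 1, 23, rc4_hmac_key("idpuserpassword")),  # genuine rc4 key for the page's password
    (PRINCIPAL, 1, 18, bytes(range(32))),                  # placeholder; real AES keys use PBKDF2 (RFC 3962)
])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(e["kvno"], e["enctype_name"], e["principal"], e["key"].hex())
    print(audit_keytab(SAMPLE_KEYTAB, PRINCIPAL))
```

On a real file, call parse_keytab(open(r"C:\nidpkey.keytab", "rb").read()) to see which of the four listed entries carries which enctype, and audit_keytab(..., PRINCIPAL) to flag the two things worth flagging after this procedure: leftover keys with an older kvno (a sign of appending instead of regenerating) and entries in deprecated enctypes. The audit deliberately reports the rc4-hmac entry of the page's own configuration as deprecated; that is the expected result with the krb5.ini shown above.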

    Related TID: 7006039

Comments
If you upgrade to Access Manager 3.1 SP3 Kerberos will stop working.

See http://www.novell.com/support/viewContent.do?externalId=7008880&sliceId=1 for more information about the error and cause.
Version history: revision 5 of 5, last updated 2020-01-31 11:22.