Enter the password when prompted. The user name is case-sensitive and must match, character for character, the case of the user name defined in Windows Active Directory. For instance, if the user account was created with the name FNCEWS_myname@MYDOM.EXAMPLE.COM, then using FNCEWS_MyName on the ktab command line can cause mysterious, hard-to-identify problems later. The domain name entered in the ktab command must likewise be upper case to avoid the same problems.
Notice the underscore ("_") between FNCEWS and the system name. In the above example, FNCEWS_mycemp01 is the identity account name, not the SPN, which uses a slash ("/") delimiter instead (as in FNCEWS/mycemp01). If you mistakenly enter the SPN, simply run ktab again using the account name. You can clean up such mistakes by deleting the bad entries with the same command line as above, substituting -d (delete) for the -a switch.
The ktab utility is part of the JDK distribution. By default it creates a file named krb5.keytab in the logged-on account's home directory, which would be something like:
- Windows: c:\Documents and Settings\administrator.MYDOM\
- Unix: /home/username
Because the keytab contains sensitive information (encrypted passwords), you would probably not want to use the default keytab location as documented earlier. Instead, put the keytab where you can apply restrictive file system permissions, so that only the minimum number of accounts can read it. To change the location of the keytab, add the option -k path/mykeytab to the ktab command line (substituting the real path and keytab file name for path and mykeytab).
The following are examples of -k usage for WebSphere application servers on Windows:
%JAVA_HOME%\bin\java com.ibm.security.krb5.internal.tools.Ktab -k c:/mypath/mykeytab -a FNCEWS_mycemp01@MYDOM.EXAMPLE.COM
or its equivalent:
%JAVA_HOME%\bin\java com.ibm.security.krb5.internal.tools.Ktab -k FILE:c:/mypath/mykeytab -a FNCEWS_mycemp01@MYDOM.EXAMPLE.COM
The following is an example of -k usage for WebLogic application servers on Windows:
%JAVA_HOME%\bin\ktab -k c:/mypath/mykeytab -a FNCEWS_mycemp01@MYDOM.EXAMPLE.COM
Note: Keytab entries generated by ktab will sometimes produce "Specified version of the key is not available" errors. This happens because later versions of the JVM compare the key version number (kvno) of the keytab entry against the kvno that Active Directory holds for the identity user's password, and produce this error if a matching kvno is not found in the keytab. To work around this, use ktpass with the -kvno 0 option, which disables this check, or (on Java 7 or later) use the -n 0 option with ktab.
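To check a keytab for the pitfalls described above (wrong case in the realm, an SPN entered instead of the account name, and the kvno that triggers the "Specified version of the key is not available" error) without exposing the key material, the following added example parses the file format and reports each entry. It is not part of the original documentation or of ktab; it assumes the keytab is in the MIT keytab format version 0x0502 that ktab writes, and the one-entry keytab it builds uses constructed dummy key bytes.

```python
import struct
from io import BytesIO

def _counted(buf):                     # uint16 length-prefixed string
    return buf.read(struct.unpack(">H", buf.read(2))[0]).decode()

def parse_keytab(data):
    """Parse an MIT-format keytab (version 0x0502, as ktab writes) into entries."""
    buf, entries = BytesIO(data), []
    if buf.read(2) != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    while len(hdr := buf.read(4)) == 4:
        (size,) = struct.unpack(">i", hdr)
        if size <= 0:                       # negative size = slot deleted with ktab -d
            buf.read(-size)
            continue
        ent = BytesIO(buf.read(size))
        (ncomp,) = struct.unpack(">H", ent.read(2))
        realm = _counted(ent)
        comps = [_counted(ent) for _ in range(ncomp)]
        _type, _stamp, kvno = struct.unpack(">IIB", ent.read(9))
        enctype, klen = struct.unpack(">HH", ent.read(4))
        ent.read(klen)                      # key material is skipped, never exposed
        tail = ent.read(4)                  # optional 32-bit kvno overrides the 8-bit one
        if len(tail) == 4 and struct.unpack(">I", tail)[0]:
            (kvno,) = struct.unpack(">I", tail)
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "kvno": kvno, "enctype": enctype})
    return entries

def check_entry(entry):
    """Flag the naming pitfalls described above; returns a list of warnings."""
    name, realm = entry["principal"].rsplit("@", 1)
    warnings = []
    if realm != realm.upper():
        warnings.append("realm is not upper case")
    if "/" in name:
        warnings.append("principal has a slash: looks like the SPN, not the account name")
    if entry["kvno"] == 0:
        warnings.append("kvno 0: the JVM's key version check is disabled for this entry")
    return warnings

def build_keytab(principal, kvno, key, enctype=17):
    """Build a one-entry keytab from constructed data so the parser runs offline."""
    name, realm = principal.rsplit("@", 1)
    parts = [realm] + name.split("/")   # realm first, then principal components
    body = struct.pack(">H", len(parts) - 1) + b"".join(struct.pack(">H", len(s)) + s.encode() for s in parts)
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF) + struct.pack(">HH", enctype, len(key)) + key
    return b"\x05\x02" + struct.pack(">i", len(body) + 4) + body + struct.pack(">I", kvno)
```

Run `check_entry` over every entry returned by `parse_keytab(open(path, "rb").read())`; an empty list for each entry means none of the three pitfalls is present.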