Use the setspn command to map the Kerberos service principal name, HTTP/<host name>, to a Microsoft user account. An example of setspn usage is as follows:

C:\Program Files\Support Tools> setspn -A HTTP/myappserver.austin.ibm.com myappserver

Note: There may already be some SPNs related to the Microsoft Windows hosts that have been added to the domain. You can display those that exist by using the setspn -L command, but you still have to add an HTTP SPN for WebSphere Application Server. For example, setspn -L myappserver would list the SPNs.

Important: Make sure that you do not have the same SPN mapping to more than one Microsoft user account. If you map the same SPN to more than one user account, the web browser client can send an NTLM token instead of a SPNEGO token to WebSphere Application Server.

More information about the setspn command can be found in the Windows 2003 Technical Reference (setspn command).
Create the Kerberos keytab file and make it available to WebSphere Application Server. Use the ktpass tool from the Windows Server toolkit to create the Kerberos keytab file (krb5.keytab) for the service principal name (SPN). Use the latest version of the ktpass tool that matches the Windows server level that you are using. For example, use the Windows 2000 version of the tool for a Windows 2000 Server, or the Windows 2003 version of the tool for a Windows 2003 server.

To determine the appropriate parameter values for the ktpass tool, run the ktpass -? command from the command line. This command lists whether the ktpass tool that corresponds to your operating system expects the -crypto RC4-HMAC or the -crypto RC4-HMAC-NT parameter value. To avoid warning messages from the toolkit, you must specify the -ptype KRB5_NT_PRINCIPAL parameter value.

The Windows 2003 server version of the ktpass tool supports the RC4-HMAC encryption type and single Data Encryption Standard (DES). The Windows 2000 server version of the ktpass tool is similar, but different options are necessary for the RC4-HMAC encryption type and single DES. For more information about the ktpass tool, see Windows 2003 Technical Reference (Kerberos keytab file and ktpass command) or Use Ktpass.exe in Windows 2000.

The following output shows the functions that are available when you enter the ktpass -? command on the command line. This information might be different depending on the version of the toolkit that you are using.
C:\Program Files\Support Tools>ktpass -?
Command line options:
---------------------most useful args
[- /] out : Keytab to produce
[- /] princ : Principal name (user@REALM)
[- /] pass : password to use
use "*" to prompt for password.
[- +] rndPass : ... or use +rndPass to generate a random password
[- /] minPass : minimum length for random password (def:15)
[- /] maxPass : maximum length for random password (def:256)
---------------------less useful stuff
[- /] mapuser : map princ (above) to this user account (default: don't)
[- /] mapOp : how to set the mapping attribute (default: add it)
[- /] mapOp : is one of:
[- /] mapOp : add : add value (default)
[- /] mapOp : set : set value
[- +] DesOnly : Set account for des-only encryption (default:don't)
[- /] in : Keytab to read/digest
---------------------options for key generation
[- /] crypto : Cryptosystem to use
[- /] crypto : is one of:
[- /] crypto : DES-CBC-CRC : for compatibility
[- /] crypto : DES-CBC-MD5 : for compatibliity
[- /] crypto : RC4-HMAC-NT : default 128-bit encryption
[- /] ptype : principal type in question
[- /] ptype : is one of:
[- /] ptype : KRB5_NT_PRINCIPAL : The general ptype-- recommended
[- /] ptype : KRB5_NT_SRV_INST : user service instance
[- /] ptype : KRB5_NT_SRV_HST : host service instance
[- /] kvno : Override Key Version Number
Default: query DC for kvno. Use /kvno 1 for Win2K compat.
[- +] Answer : +Answer answers YES to prompts. -Answer answers NO.
[- /] Target : Which DC to use. Default:detect
---------------------options for trust attributes (Windows Server 2003 Sp1 Only)
[- /] MitRealmName : MIT Realm which we want to enable RC4 trust on.
[- /] TrustEncryp : Trust Encryption to use; DES is default
[- /] TrustEncryp : is one of:
[- /] TrustEncryp : RC4 : RC4 Realm Trusts (default)
[- /] TrustEncryp : DES : go back to DES
Important: Do not use the -pass switch on the ktpass command to reset a password for a Microsoft Windows server account. See Windows 2003 Technical Reference (Kerberos keytab file and ktpass command) for more information.

You must use the -mapUser option with the ktpass command to enable the KDC to create an encryption key. Otherwise, when the SPNEGO token is received, it fails the validation process and the application server challenges the user for a user name and password.

Depending on the encryption type, you use the ktpass tool in one of the following ways to create the Kerberos keytab file. The following section shows the different types of encryption that are used by the ktpass tool. It is important that you run the ktpass -? command to determine which -crypto parameter value is expected by the particular toolkit in your Microsoft Windows environment.
- For a single DES encryption type

From a command prompt, run the ktpass command:

ktpass -out c:\temp\myappserver.keytab
-princ HTTP/myappserver.austin.ibm.com@WSSEC.AUSTIN.IBM.COM
-mapUser myappserv
-mapOp set
-pass was1edu
-crypto DES-CBC-MD5
-pType KRB5_NT_PRINCIPAL
+DesOnly

Table 1. Using ktpass for a single DES encryption type. This table describes how to use ktpass for a single DES encryption type.

Option | Explanation
-out c:\temp\myappserver.keytab | The key is written to this output file.
-princ HTTP/myappserver.austin.ibm.com@WSSEC.AUSTIN.IBM.COM | The concatenation of the user logon name and the realm. The realm must be in uppercase.
-mapUser | The key is mapped to the user, myappserver.
-mapOp | This option sets the mapping.
-pass was1edu | This option is the password for the user ID.
-crypto DES-CBC-MD5 | This option uses the single DES encryption type.
-pType KRB5_NT_PRINCIPAL | This option specifies the KRB5_NT_PRINCIPAL principal value. Specify this option to avoid toolkit warning messages.
+DesOnly | This option generates only DES encryptions.
- For the RC4-HMAC encryption type

Important: RC4-HMAC encryption is only supported when using a Windows 2003 Server as KDC. RC4-HMAC encryption is not supported with a Windows 2000 Server as KDC.

From a command prompt, run the ktpass command:

ktpass -out c:\temp\myappserver.keytab
-princ HTTP/myappserver.austin.ibm.com@WSSEC.AUSTIN.IBM.COM
-mapUser myappserver
-mapOp set
-pass was1edu
-crypto RC4-HMAC
-pType KRB5_NT_PRINCIPAL

Table 2. Using ktpass for the RC4-HMAC encryption type. This table identifies and describes the ktpass options for RC4-HMAC encryption.

Option | Explanation
-out c:\temp\myappserver.keytab | The key is written to this output file.
-princ HTTP/myappserver.austin.ibm.com@WSSEC.AUSTIN.IBM.COM | The concatenation of the user logon name and the realm. The realm must be in uppercase.
-mapUser | The key is mapped to the user, myappserver.
-mapOp | This option sets the mapping.
-pass was1edu | This option is the password for the user ID.
-crypto RC4-HMAC | This option chooses the RC4-HMAC encryption type.
-pType KRB5_NT_PRINCIPAL | This option specifies the KRB5_NT_PRINCIPAL principal value. Specify this option to avoid toolkit warning messages.
- For the RC4-HMAC-NT encryption type

From a command prompt, run the ktpass command:

ktpass -out c:\temp\myappserver.keytab
-princ HTTP/myappserver.austin.ibm.com@WSSEC.AUSTIN.IBM.COM
-mapUser myappserver
-mapOp set
-pass was1edu
-crypto RC4-HMAC-NT
-pType KRB5_NT_PRINCIPAL

Table 3. Using ktpass for the RC4-HMAC-NT encryption type. This table identifies and describes the ktpass options for RC4-HMAC-NT encryption.

Option | Explanation
-out c:\temp\myappserver.keytab | The key is written to this output file.
-princ HTTP/myappserver.austin.ibm.com@WSSEC.AUSTIN.IBM.COM | The concatenation of the user logon name and the realm. The realm must be in uppercase.
-mapUser | The key is mapped to the user, myappserver.
-mapOp | This option sets the mapping.
-pass was1edu | This option is the password for the user ID.
-crypto RC4-HMAC-NT | This option chooses the RC4-HMAC-NT encryption type.
-pType KRB5_NT_PRINCIPAL | This option specifies the KRB5_NT_PRINCIPAL principal value. Specify this option to avoid toolkit warning messages.
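The keytab that ktpass writes is a binary file, so a quick way to confirm that it carries the expected SPN, an uppercase realm, the KRB5_NT_PRINCIPAL principal type and one of the -crypto encryption types listed above is to decode it before copying it to the application server. The following Python script is an added example, not part of the original page and not an IBM or Microsoft tool; it assumes the MIT version-2 (0x0502) keytab layout that ktpass produces and checks a constructed sample entry in place of a real keytab.

```python
import struct

# Enctype numbers (RFC 3961 / RFC 4757) and name types behind the ktpass -crypto / -ptype values
ENCTYPES = {1: "DES-CBC-CRC", 3: "DES-CBC-MD5", 23: "RC4-HMAC"}
NAME_TYPES = {1: "KRB5_NT_PRINCIPAL", 2: "KRB5_NT_SRV_INST", 3: "KRB5_NT_SRV_HST"}

def build_entry(principal, enctype, key, kvno=1, name_type=1):  # one 0x0502 entry with 32-bit kvno
    cstr = lambda b: struct.pack(">H", len(b)) + b               # counted octet string
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + cstr(realm.encode())
    body += b"".join(cstr(c.encode()) for c in comps)
    body += struct.pack(">IIB", name_type, 0, kvno & 0xFF)        # name type, timestamp, vno8
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Decode a version-2 keytab (the layout ktpass writes) into a list of entry dicts."""
    assert data[:2] == b"\x05\x02", "unsupported keytab version"
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4]); pos += 4
        if size <= 0: pos -= size; continue                        # negative size: deleted slot
        end = pos + size
        (ncomp,) = struct.unpack(">H", data[pos:pos + 2]); pos, strs = pos + 2, []
        for _ in range(ncomp + 1):                                 # realm first, then components
            (n,) = struct.unpack(">H", data[pos:pos + 2]); pos += 2
            strs.append(data[pos:pos + n].decode()); pos += n
        name_type, _ts, vno8 = struct.unpack(">IIB", data[pos:pos + 9]); pos += 9
        enctype, klen = struct.unpack(">HH", data[pos:pos + 4]); pos += 4 + klen
        kvno, pos = (struct.unpack(">I", data[pos:pos + 4])[0] if end - pos >= 4 else vno8), end
        entries.append({"principal": "/".join(strs[1:]) + "@" + strs[0], "kvno": kvno, "keylen": klen,
                        "name_type": NAME_TYPES.get(name_type, name_type),
                        "enctype": ENCTYPES.get(enctype, enctype)})
    return entries

def check_keytab(data, expected_spn):  # findings to clear before copying the keytab to the server
    entries, findings = parse_keytab(data), []
    for e in entries:
        realm = e["principal"].rsplit("@", 1)[1]
        checks = [(realm != realm.upper(), "realm must be uppercase"),
                  (e["name_type"] != "KRB5_NT_PRINCIPAL", f"ptype {e['name_type']} is not KRB5_NT_PRINCIPAL"),
                  (e["enctype"] not in ENCTYPES.values(), f"enctype {e['enctype']} is not one ktpass offers")]
        findings += [f"{e['principal']}: {msg}" for bad, msg in checks if bad]
    if not any(e["principal"] == expected_spn for e in entries):
        findings.append(f"no key for {expected_spn}")
    return findings

# Constructed sample (not a real key): the page's HTTP SPN with a 16-byte RC4-HMAC key, kvno 2
SAMPLE_KEYTAB = b"\x05\x02" + build_entry(
    "HTTP/myappserver.austin.ibm.com@WSSEC.AUSTIN.IBM.COM", 23, bytes(range(16)), kvno=2)
```

To inspect a real file, read it in binary mode and pass the bytes to check_keytab together with the SPN you registered with setspn; an empty list means the keytab matches what the SPNEGO TAI expects.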
The Kerberos keytab file is created for use with the SPNEGO TAI.

Note: A Kerberos keytab configuration file contains a list of keys that are analogous to user passwords. It is important for hosts to protect their Kerberos keytab files by storing them on the local disk and making them readable only by authorized users.

You make the keytab file available to WebSphere Application Server by copying the krb5.keytab file from the Domain Controller (LDAP machine) to the WebSphere Application Server machine.

ftp> bin
ftp> put c:\temp\KRB5_NT_SEV_HST\krb5.keytab