

Set Up Keytab Authentication Using the Default Keytab and a Principal Other than the CA IAM CS Host Principal

To specify keytab authentication using the default keytab and a principal other than the CA IAM CS host principal, you can add keytab entries for the principal to the keytab file.

To specify keytab authentication using the default keytab and a principal other than the CA IAM CS host principal

  1. If the principal has a random password and the default keytab file does not exist, enter the following command in kadmin to add entries to the file:
    kadmin: ktadd principal
    

    Note: This creates a new randomized password for the target principal, therefore any entries for the target principal in any existing keytab file are no longer valid.

  2. If the principal has a random password and the keytab file exists, do the following:
    1. Enter the following command in kadmin to add entries into a temporary keytab:
      kadmin: ktadd -k temp_keytab principal
      

      Note: This creates a new randomized password for the target principal, thus any entries for the target principal in any existing keytab file are no longer valid.

    2. Enter the following commands in ktutil to read both keytabs:
      ktutil: read_kt temp_keytab 
      
      ktutil: read_kt /etc/krb5/krb5.keytab 
      
    3. Enter the following command in ktutil to write the entries to the target keytab file you want to use.
      ktutil: write_kt /etc/krb5/krb5.keytab
      

      The temporary keytab file is merged into the target keytab file you want to use.

    Note: Make sure that all entries for the target principal carry the same key version number (kvno), and that it is the latest one.

  3. If the principal has a specific password, do the following:
    1. Enter the following command in ktutil:
      ktutil: read_kt /etc/krb5/krb5.keytab
      
    2. Enter the following command in ktutil:
      ktutil: addent -password -p principal -k kvno -e enctype
      
    3. Repeat the addent command from the previous step for each enctype the principal has.

      ktutil adds the entries to the default keytab file.

    Note: Ensure that you add all keys for the principal, and that all resulting entries for the principal carry the same key version number (kvno), which must be the latest one.

  4. Enter the following command in ktutil to verify that the list contains all required keys:
    ktutil: list
    
  5. Enter the following command in ktutil to write the entries to the keytab file:
    ktutil: write_kt /etc/krb5/krb5.keytab
    
  6. In the KDC, modify kadm5.acl using a text editor to add necessary privileges to the target principal.

    Note: Use * to specify all privileges.

  7. In the Provisioning Manager, on the Endpoint Property sheet, click the Properties tab.
  8. Specify the principal you want to use, but leave the Keytab field blank.
  9. Click Apply.

    The Kerberos Connector uses the keytab you specified for authentication.
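The notes above ask you to confirm that every entry for the target principal shares the latest kvno before writing the keytab. The following POSIX shell script is an added example, not part of the CA IAM CS documentation: it parses `klist -kte` output for a principal and reports any entries left at an older kvno. The keytab path, principal names and the `klist` listing below are constructed sample values.

```sh
#!/bin/sh
# Added example: verify kvno consistency for a principal in a keytab listing.
# Input is the text printed by `klist -kte <keytab>`; the sample is constructed.

SAMPLE_KLIST='Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 01/02/2024 10:00:00 host/idm.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 01/02/2024 10:00:00 host/idm.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   4 01/03/2024 11:00:00 krbconn@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   5 01/03/2024 11:05:00 krbconn@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   5 01/03/2024 11:05:00 krbconn@EXAMPLE.COM (aes128-cts-hmac-sha1-96)'

# Print the kvno of every entry for PRINCIPAL ($1) found in the listing ($2).
entry_kvnos() {
  printf '%s\n' "$2" | awk -v p="$1" '$4 == p { print $1 }'
}

# Print the highest kvno present for PRINCIPAL (empty if the principal is absent).
latest_kvno() {
  entry_kvnos "$1" "$2" | sort -n | tail -n 1
}

# Count entries for PRINCIPAL whose kvno is older than the latest one. After
# ktadd rotates the key, such leftovers no longer authenticate; their presence
# means the merge described above is incomplete.
stale_entries() {
  max=$(latest_kvno "$1" "$2")
  [ -n "$max" ] || { echo 0; return; }
  entry_kvnos "$1" "$2" | awk -v m="$max" '$1 < m { n++ } END { print n+0 }'
}

# Exit status: 0 = all entries at the latest kvno, 1 = stale entries, 2 = absent.
check_principal() {
  max=$(latest_kvno "$1" "$2")
  if [ -z "$max" ]; then
    echo "$1: no entries in keytab"; return 2
  fi
  stale=$(stale_entries "$1" "$2")
  if [ "$stale" -gt 0 ]; then
    echo "$1: $stale entry(ies) older than kvno $max, repeat the ktutil merge"; return 1
  fi
  echo "$1: all entries at kvno $max"; return 0
}

# Sample run: the host principal is consistent; krbconn still has a kvno 4 leftover.
check_principal host/idm.example.com@EXAMPLE.COM "$SAMPLE_KLIST"
check_principal krbconn@EXAMPLE.COM "$SAMPLE_KLIST" || echo "krbconn: fix needed"
```

Against a live keytab, pass the real listing instead of the sample: `check_principal krbconn@EXAMPLE.COM "$(klist -kte /etc/krb5/krb5.keytab)"`.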