Generating a keytab
Because the web server is responsible for authenticating the caller (the user), it must itself authenticate to the security domain. A service that needs to authenticate itself to Kerberos typically does so with a keytab.
A keytab is a file containing the long-term secret key(s), derived from the password, of a domain user account that is mapped to the service for which the keytab is valid. The account is mapped to the service through a Service Principal Name (SPN).
For the web server to be able to authenticate a Planon user, a keytab must be generated for it.
* Generating a keytab must be done on a domain controller, by a user with administrator privileges.
The keytab is created with the ktpass utility.
Given the domain realm PLANON.COM, perform the following steps:
1. Create a domain user account (the Kerberos principal) for the web server. If you are using PPJC SSO, create separate accounts for the application server and the web server, so that each service has its own SPN and its own key.
* In the example below, the user tomcat01 is used.
2. Select the option User cannot change password.
3. Select the option Password never expires. The keytab holds a key derived from the password; if the password changes, the keytab stops working.
4. Map the service principal name to the user account.
setspn -A HTTP/HostName.planon.com tomcat01
HostName must be the fully qualified domain name (FQDN) of the web server, exactly as it is typed in the browser to connect to the web server.
Do not use a CNAME alias; it must be the host name (A record). Browsers on Windows typically resolve a CNAME to the canonical host name before requesting a ticket, so an SPN registered for the alias is never matched.
5. On the domain controller, open a command prompt and create the keytab:
ktpass /out tomcat.keytab /mapuser tomcat01@PLANON.COM /princ HTTP/HostName.planon.com@PLANON.COM /pass tomcat01pass /kvno 0 -ptype KRB5_NT_PRINCIPAL -crypto all
Type the command on one line, or put it in a .bat file and run that.
The password given with /pass (tomcat01pass in the example) resets the password of the user created in Step 1 and increments the account's key version number (kvno). Any keytab generated earlier for this account stops working, and the same happens if the password is reset again later: regenerate the keytab after every password reset.
Make sure the service principal name is unique in the domain (setspn -X lists duplicate SPNs); otherwise Single Sign On will not work.
Save this command so you can refer to it or reuse it later (for example after a password reset), but store it where other users cannot read it, because it contains the service account password.
For the encryption types that may be used (-crypto all generates a key for every type the domain controller supports), see the Server Hardening chapter, section .
6. Copy the file to the web server host (for example to …\Server\tomcat-*\).
* The file contains sensitive key material: anyone who can read it can authenticate as the service account and decrypt the service tickets that users present to the web server. Because it is only needed by the web server, restrict access to the file to the user running the web server, and delete any copies left behind on the domain controller.
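The procedure above (steps 1 to 6) as a single added PowerShell script. This is an illustrative example, not Planon's own tooling; it assumes the realm PLANON.COM, the account tomcat01, the web server FQDN webserver01.planon.com, the ActiveDirectory PowerShell module (RSAT) on the domain controller, and a Tomcat service account named PLANON\tomcat01 on the web server host. It adds the two checks a practitioner wants that the manual steps do not make explicit: the SPN is verified to be unique before it is registered, and the account's key version number is read back after ktpass so it can be compared with the keytab.

```powershell
# Added example (not from the Planon documentation). Run New-PlanonKeytab on a
# domain controller as a domain administrator; run Protect-Keytab on the web
# server host after copying the keytab there.
# Assumed names: realm PLANON.COM, account tomcat01, host webserver01.planon.com.

Import-Module ActiveDirectory

function New-PlanonKeytab {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,  # e.g. tomcat01
        [Parameter(Mandatory)] [string] $HostFqdn,        # e.g. webserver01.planon.com (A record, not a CNAME)
        [Parameter(Mandatory)] [string] $Realm,           # e.g. PLANON.COM (upper case)
        [Parameter(Mandatory)] [string] $OutFile          # e.g. C:\temp\tomcat.keytab
    )
    $spn   = "HTTP/$HostFqdn"
    $princ = "$spn@$Realm"

    # Step 4 check: the SPN must be unique in the forest. A duplicate makes the
    # KDC unable to pick the right key and SSO fails silently, so abort early.
    $owner = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)"
    if ($owner -and $owner.Name -ne $SamAccountName) {
        throw "SPN $spn is already registered on '$($owner.Name)'; use another host name or remove the duplicate."
    }

    # Steps 1-3: dedicated account with a random password nobody needs to know,
    # since ktpass resets it anyway. Only alphanumerics, so the value is safe
    # on the ktpass command line.
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] 32
    $rng.GetBytes($bytes)
    $pass  = ([Convert]::ToBase64String($bytes) -replace '[^A-Za-z0-9]', 'x').Substring(0, 32)

    if (-not (Get-ADUser -Filter "SamAccountName -eq '$SamAccountName'")) {
        New-ADUser -Name $SamAccountName -SamAccountName $SamAccountName `
            -UserPrincipalName "$SamAccountName@$($Realm.ToLower())" `
            -AccountPassword (ConvertTo-SecureString $pass -AsPlainText -Force) `
            -Enabled $true -PasswordNeverExpires $true -CannotChangePassword $true
    }

    # Step 4: register the SPN on the account (equivalent of setspn -A).
    Set-ADUser -Identity $SamAccountName -ServicePrincipalNames @{Add = $spn}

    # Step 5: the ktpass command from the procedure. /pass resets the account
    # password and bumps its kvno, invalidating any older keytab.
    & ktpass /out $OutFile /mapuser "$SamAccountName@$Realm" /princ $princ `
        /pass $pass /kvno 0 -ptype KRB5_NT_PRINCIPAL -crypto all
    if ($LASTEXITCODE -ne 0) { throw "ktpass failed with exit code $LASTEXITCODE" }

    # Read back the account's current key version so it can be compared with
    # the keytab entries (the JDK's klist -k -t lists them with their KVNO).
    $acct = Get-ADUser -Identity $SamAccountName -Properties 'msDS-KeyVersionNumber'
    Write-Host "Keytab written to $OutFile; account kvno is now $($acct.'msDS-KeyVersionNumber')"
}

function Protect-Keytab {
    # Step 6 note: on the web server host, leave read access only to the account
    # that runs the web server (plus SYSTEM and local Administrators).
    param(
        [Parameter(Mandatory)] [string] $Path,           # e.g. D:\Planon\Server\tomcat\tomcat.keytab
        [Parameter(Mandatory)] [string] $ServiceAccount  # account running Tomcat, e.g. PLANON\tomcat01 (assumed)
    )
    if (-not (Test-Path $Path)) { throw "Keytab $Path not found" }
    # /inheritance:r drops inherited ACEs; /grant:r replaces explicit grants.
    & icacls $Path /inheritance:r /grant:r "${ServiceAccount}:(R)" `
        "NT AUTHORITY\SYSTEM:(F)" "BUILTIN\Administrators:(F)"
    if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }
    & icacls $Path   # show the resulting ACL for review
}

# Usage (assumed names):
# On the domain controller:
#   New-PlanonKeytab -SamAccountName tomcat01 -HostFqdn webserver01.planon.com -Realm PLANON.COM -OutFile C:\temp\tomcat.keytab
# On the web server host, after copying the file:
#   Protect-Keytab -Path 'D:\Planon\Server\tomcat\tomcat.keytab' -ServiceAccount 'PLANON\tomcat01'
```

The script keeps the ktpass arguments exactly as the procedure gives them (including -crypto all); if the Server Hardening chapter restricts the allowed encryption types, change the -crypto value accordingly. After copying the keytab, delete the copy in C:\temp on the domain controller.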