
How to create a keytab file on a Domain Controller for an SSO setup

In order to set up SSO, you might need to create a keytab file on a Domain Controller. In this article, we'll explain in a few simple steps how to achieve this.

1. Create a domain user that will be used for creating the keytab file. Make sure to check both checkboxes "User cannot change password" and "Password never expires". Please have in mind that only one keytab file per user is allowed. In case you need more keytab files, additional users have to be created.
2. Start Command Prompt (CMD) in elevated mode (Run as Administrator) and type the following command:

ktpass -princ HTTP/FQDN@domainname -mapuser username -crypto ALL -ptype KRB5_NT_PRINCIPAL -pass pa$$w0rd -target FQDNofDC -out host.keytab

Replace FQDN@domainname with the Fully Qualified Domain Name@domainname of the target machine/application server. Example: melbourne.contoso.com@contoso.com
Replace username with the username of the user you created for this purpose in step 1.
Replace pa$$w0rd with the password you specified for this user in step 1.
Replace FQDNofDC with the Fully Qualified Domain Name of your Domain Controller. Example: Brisbane.contoso.com
You can also change the host.keytab file name if you wish.

You should receive a "command completed successfully" message with additional information about the newly created keytab file. Even though you received a successful completion message, you should also check that the SPN has been set correctly for the application server with the following command:

setspn -Q */FQDN

Example: setspn -Q */melbourne.contoso.com

where melbourne is the application server name. You should receive the "Existing SPN found" message.

If no path is specified, the keytab file will be created in the C:\Windows\System32 directory, which is the default working directory of an elevated Command Prompt.

That's it. Hopefully, this article will help you to create a keytab file on a Domain Controller.

Please share your thoughts or suggestions in the comments section below.
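The steps above, carried out end to end from an elevated PowerShell session on the Domain Controller, as an added example that is not part of the WinCert article. It creates the dedicated account with both password options set, runs ktpass with the same switches as the article but with an explicit output path, locks down the resulting file, and then verifies that the SPN is registered on the intended account and on nothing else. It assumes the ActiveDirectory PowerShell module is installed on the DC; every host name, realm, account name and path is a constructed placeholder for your own environment.

```powershell
# Added example, not code from the WinCert article. Assumes an elevated PowerShell
# session on a Domain Controller with the ActiveDirectory module installed.
# All host, realm, account and path names below are constructed placeholders.
Import-Module ActiveDirectory

$AppServerFqdn = 'melbourne.contoso.com'     # target application server (constructed)
$Realm         = 'CONTOSO.COM'               # Kerberos realm; conventionally upper-case
$DcFqdn        = 'brisbane.contoso.com'      # Domain Controller to run ktpass against (constructed)
$KeytabUser    = 'svc-melbourne-http'        # dedicated account from step 1 (constructed)
$KeytabPath    = 'C:\Keytabs\melbourne-http.keytab'
$Spn           = "HTTP/$AppServerFqdn"

# Step 1: one dedicated account per keytab, with both password checkboxes set.
# Read-Host -AsSecureString keeps the password out of the shell history.
$Password = Read-Host -Prompt "Password for $KeytabUser" -AsSecureString
if (-not (Get-ADUser -Filter "SamAccountName -eq '$KeytabUser'")) {
    New-ADUser -Name $KeytabUser -SamAccountName $KeytabUser `
        -UserPrincipalName "$KeytabUser@$($Realm.ToLower())" `
        -AccountPassword $Password -Enabled $true `
        -CannotChangePassword $true -PasswordNeverExpires $true
}

# Step 2: run ktpass with the article's switches, plus an explicit output path so
# the keytab does not land in C:\Windows\System32. ktpass needs the password in
# clear text on its command line, so it is decoded only for this one call.
New-Item -ItemType Directory -Path (Split-Path $KeytabPath) -Force | Out-Null
$Plain = [System.Net.NetworkCredential]::new('', $Password).Password
& ktpass -princ "$Spn@$Realm" -mapuser $KeytabUser -crypto ALL `
    -ptype KRB5_NT_PRINCIPAL -pass $Plain -target $DcFqdn -out $KeytabPath
$Plain = $null
if ($LASTEXITCODE -ne 0) { throw "ktpass failed with exit code $LASTEXITCODE" }

# The keytab holds the account's long-term keys: restrict it to Administrators and SYSTEM.
icacls $KeytabPath /inheritance:r /grant:r 'Administrators:(F)' 'SYSTEM:(F)' | Out-Null

# Verification: setspn -Q must report the SPN, and AD must show it on the intended
# account only. The same SPN on a second object breaks Kerberos for the service
# even though ktpass reported success.
function Test-KeytabSpn {
    param([string]$Spn, [string]$SamAccountName)
    $query  = (& setspn -Q $Spn) -join "`n"
    $found  = $query -match 'Existing SPN found'
    $owners = @(Get-ADObject -Filter "servicePrincipalName -eq '$Spn'" -Properties sAMAccountName)
    [pscustomobject]@{
        Spn              = $Spn
        ReportedBySetspn = $found
        Owners           = $owners.sAMAccountName
        OnIntendedUser   = ($owners.Count -eq 1 -and $owners[0].sAMAccountName -eq $SamAccountName)
    }
}

$result = Test-KeytabSpn -Spn $Spn -SamAccountName $KeytabUser
$result | Format-List
if (-not $result.OnIntendedUser) {
    throw "SPN $Spn is missing or registered on more than one object: $($result.Owners -join ', ')"
}
```

Two points worth keeping in mind when adapting this. The article's -crypto ALL writes RC4-HMAC and, where still enabled, DES keys into the file alongside AES; ktpass also accepts AES256-SHA1 or AES128-SHA1, so if the application server supports AES you can omit the legacy key types. And the keytab is equivalent to the account's password: copy it to the application server over a protected channel, then delete the copy left on the Domain Controller.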
