Knowledge Sharing - KeyTabs and SetSPN
For installs where the customer would like to generate their own keytab and not use a Domain Admin account during the install, you can provide them the actions below to run. A user who is not a Domain Admin cannot successfully run setspn or generate a correct keytab file, so you would end up doing a large amount of post-install configuration and SSO still would not work.
Both the ktpass and setspn commands must be executed with Domain Admin privileges, so the customer must prepare them on their end before the install on the appServer:
1) Generate a KeyTab file:
"C:\Windows\system32\ktpass.exe" -out "C:\ProgramData\keycloak.keytab" -princ "HTTP/fqdn@domain" -mapUser "user@domain" -mapOp set -pass "pass" -crypto all -pType KRB5_NT_PRINCIPAL -setupn -setpass
Example:
"C:\Windows\system32\ktpass.exe" -out "C:\ProgramData\keycloak.keytab" -princ "HTTP/Kryon11-234.kryonaws.com@KRYONAWS" -mapUser "milen.m@kryonaws" -mapOp set -pass "Kryon2020!" -crypto all -pType KRB5_NT_PRINCIPAL -setupn -setpass
2) Set the SPN (Service Principal Name):
setspn -s "HTTP/FQDN" "domain\username"
setspn -L "domain\username"
Example:
setspn -s "HTTP/Kryon11-234.kryonaws.com" "kryonaws\milen.m"
setspn -L "kryonaws\milen.m"
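The two steps above wrapped in one PowerShell function, as an added example that is not part of the original note or of the Aerobase tooling. It adds the checks an admin would want before handing the keytab over (no duplicate SPN, commands actually succeeded, file ACL tightened) and assumes a dedicated service account with placeholder names, since ktpass -setpass resets the mapped account's password.

```powershell
# Added example, not from the original note. All account, realm and host
# names are placeholders; run as a Domain Admin on a domain-joined host.
function New-ServiceKeytab {
    param(
        [Parameter(Mandatory)] [string] $Fqdn,          # e.g. appserver.example.com
        [Parameter(Mandatory)] [string] $Realm,         # Kerberos realm, e.g. EXAMPLE.COM
        [Parameter(Mandatory)] [string] $NetbiosDomain, # e.g. EXAMPLE
        [Parameter(Mandatory)] [string] $SamAccount,    # dedicated service account, e.g. svc-keycloak
        [Parameter(Mandatory)] [securestring] $Password,
        [string] $OutFile = 'C:\ProgramData\keycloak.keytab'
    )
    $spn = "HTTP/$Fqdn"

    # 1. Refuse to continue if the SPN is already registered on any account:
    #    a duplicate SPN makes the KDC issue tickets for the wrong account and
    #    SSO fails without an obvious error. setspn -Q exits 0 when the SPN exists.
    $existing = & setspn.exe -Q $spn 2>&1
    if ($LASTEXITCODE -eq 0) {
        throw "SPN $spn is already registered:`n$($existing -join "`n")"
    }

    # 2. Register the SPN on the service account (-s re-checks for duplicates).
    & setspn.exe -s $spn "$NetbiosDomain\$SamAccount"
    if ($LASTEXITCODE -ne 0) { throw "setspn -s failed with exit code $LASTEXITCODE" }

    # 3. Generate the keytab. AES256-SHA1 instead of 'all' so the keytab does not
    #    also carry RC4/DES keys. -setpass RESETS the account password to $Password,
    #    which is why a personal user account must not be used here.
    $plain = [System.Net.NetworkCredential]::new('', $Password).Password
    & "$env:SystemRoot\System32\ktpass.exe" -out $OutFile -princ "$spn@$Realm" `
        -mapUser "$SamAccount@$Realm" -mapOp set -pass $plain `
        -crypto AES256-SHA1 -pType KRB5_NT_PRINCIPAL -setupn -setpass
    if ($LASTEXITCODE -ne 0) { throw "ktpass failed with exit code $LASTEXITCODE" }

    # 4. Confirm the mapping from the account side, then restrict the file ACL:
    #    whoever can read the keytab effectively holds the account's password.
    & setspn.exe -L "$NetbiosDomain\$SamAccount"
    icacls.exe $OutFile /inheritance:r /grant:r 'Administrators:(F)' 'SYSTEM:(F)' | Out-Null
    return $OutFile
}

# Usage with placeholder values:
# New-ServiceKeytab -Fqdn 'appserver.example.com' -Realm 'EXAMPLE.COM' `
#     -NetbiosDomain 'EXAMPLE' -SamAccount 'svc-keycloak' `
#     -Password (Read-Host -AsSecureString 'Service account password')
```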
P.S. For the keytab you can also use the built-in Aerobase helper via the "aerobase-ctl keytab help" command.