Installation and Configuration Guide
Websense Authentication Service

Library Search:


Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Using the Administration Console > Set up Kerberos connectivity > Generate a Kerberos keytab

Generate a Kerberos keytab
To complete the KDC setup, generate a keytab that will be used for authentication.
To generate a keytab file, you will need to use the support tools from the Windows CD on your domain controller. Start by installing them if they are not already installed.
For more information about Windows Server Support Tools, see http://technet.microsoft.com/en-us/library/cc758202%28WS.10%29.aspx.
These support tools include the ktpass utility. Use this utility to create a keytab for the EC account, as follows:
ktpass /pass <User Password of the Authentication Service AD account> /mapuser <Legacy User Name of the AD account> /out <ec.keytab> /princ HTTP/<FQDN>@<DOMAIN NAME> /ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT /Target <DOMAIN NAME>
The utility generates the file <ec.keytab> in your working directory. You will upload this keytab file to Authentication Service later.
Note the following when using ktpass:
*
The <DOMAIN NAME> must be all in uppercase.
*
The legacy user name used as the /mapuser argument should match the sAMAccountName in Active Directory. This is also the User logon name you set up in Add a user account to Active Directory.
*
the /princ argument contains the fully-qualified Authentication Service host name.
 
* 
Note 
The legacy user name is used when mapping the user account to avoid issues of long Win2003 usernames that are not supported by ktpass.
The output in ktpass will look similar to this:
Using legacy password setting method
Successfully mapped HTTP/ec001.mydomain.com to authuser.
Key created.
Output keytab to ec.keytab:
Keytab version: 0x502
keysize 105 HTTP/ec001.mydomain.com@DEV.MYDOMAIN.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x17 (RC4-HMAC) keylength 16 (0x4968e35c0c5586d1f63a9454e242d1c4)
Troubleshooting
If the ktpass command fails, try the following troubleshooting options:
*
If you get output similar to:
Using legacy password setting method
WARNING: search term "(& (objectClass=person) (samaccountname=authuser))" produced no results.
Failed to locate user "(& (objectClass=person) (samaccountname=authuser))".
Could not locate user.
check that the /mapuser and /pass arguments correspond to the user created in Active Directory for Authentication Service
*
If the user is found but ktpass fails to create the keytab, there may be problems with the domain controller setup. Run the netdiag command (also part of the Windows Server 2003 Support Tools), and check that the DNS and Kerberos tests pass.
If the DNS test fails, it is probable that some of the DNS entries required by the domain controller are not registered. In this case, try running ipconfig /registerdns to see if this fixes the problem.

Quick Links



Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Using the Administration Console > Set up Kerberos connectivity > Generate a Kerberos keytab
(c) 2011 Websense, Inc. All Rights Reserved.