Installation and Configuration Guide
Websense Authentication Service

To generate a keytab file, you will need to use the support tools from the Windows CD on your domain controller. Start by installing them if they are not already installed.
ktpass /pass <User Password of the Authentication Service AD account> /mapuser <Legacy User Name of the AD account> /out <ec.keytab> /princ HTTP/<FQDN>@<DOMAIN NAME> /ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT /Target <DOMAIN NAME>
The legacy user name used as the /mapuser argument should match the sAMAccountName in Active Directory. This is also the User logon name you set up in Add a user account to Active Directory.
The legacy user name is used when mapping the user account to avoid issues of long Win2003 usernames that are not supported by ktpass.
keysize 105 HTTP/ ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x17 (RC4-HMAC) keylength 16 (0x4968e35c0c5586d1f63a9454e242d1c4)
WARNING: search term "(& (objectClass=person) (samaccountname=authuser))" produced no results.
If the user is found but ktpass fails to create the keytab, there may be problems with the domain controller setup. Run the netdiag command (also part of the Windows Server 2003 Support Tools), and check that the DNS and Kerberos tests pass.
If the DNS test fails, it is probable that some of the DNS entries required by the domain controller are not registered. In this case, try running ipconfig /registerdns to see if this fixes the problem.