Creating a Kerberos Keytab for Caliber Visualize

In order to authenticate Caliber Visualize, you must create a Kerberos keytab file from your Kerberos server.

To generate a Kerberos keytab file from MS Active Directory:

  1. Create a normal user account (for example, caliber-visualize) which will become the service principal. Deactivate the option User must change password at next logon and activate Password never expires.

    Note: Do not change the password after first setting it; otherwise the kvno will need to be incremented by 1 when creating the keytab file.

  2. Create a client SPN (for example, HTTP/ ).

    Use a utility (e.g., "setspn.exe") to create an SPN and associate it with this new user account.

  3. Open a command prompt.
  4. Type the command:

       ktpass /princ HTTP/ PORT NUMBER@EXAMPLE.COM /mapuser caliber-visualize /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL /kvno 0 /pass hidden /out c:\temp\<name>.keytab

    Note: and EXAMPLE.COM are the AD realm for your AD domain. visualize-server is the name of the machine on which the Caliber Visualize server will run. It must be on the domain. HTTP/ PORT NUMBER is the service principal name (SPN). AES256-SHA1 is the Kerberos encryption type. <name> is the file name for the generated keytab. Update them to match your needs according to your corporate standards.
    Note: The Kerberos Advanced Encryption Standard (AES) encryption options (both the 128-bit option and the 256-bit option) are available only when the domain functional level is set to Windows Server 2008 R2, Windows Server 2008, or Windows Server 2003. AES is a new encryption algorithm that has been standardized by the National Institute of Standards and Technology (NIST). For more information about Kerberos authentication, see Kerberos Explained ( ).

    You can reference the section "Creating service principal with Microsoft Windows 2008 Server" on the page

Give the generated keytab file (e.g., visualize-server.keytab) and the SPN (e.g., HTTP/ ) to the Caliber Visualize administrator. Also give the Caliber Visualize administrator the Kerberos encryption type that was used.