Creating a Kerberos Keytab

To authenticate Caliber Review, you must create a Kerberos keytab file from your Kerberos server.

To generate a Kerberos keytab file from MS Active Directory:

  1. Create a normal user account (for example, caliber-review), which will become the service principal. Deactivate the option User must change password at next logon and activate Password never expires.

    Note: Do not change the password after you first set it; otherwise the kvno must be incremented by 1 when you create the keytab file.

  2. On the Caliber Review server, navigate to Services > Caliber Review > Properties > Log on and configure the Caliber Review server to run under the newly created user account.
  3. Create a client SPN (for example, HTTP/review-server.example.com:11012).

    Use a utility (e.g., "setspn.exe") to create the SPN and associate it with this new user account.

  4. Open a command prompt.
  5. Type the command:

    ktpass /princ HTTP/review-server.example.com:PORT NUMBER@EXAMPLE.COM /mapuser caliber-review /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL /kvno 0 /pass hidden /out C:\temp\<name>.keytab

    Note: example.com and EXAMPLE.COM are the AD realm for your AD domain. review-server is the name of the machine on which the Caliber Review server will run; it must be on the domain. caliber-review is the user assigned to run the Caliber Review service. HTTP/review-server.example.com:PORT NUMBER is the service principal name (SPN). AES256-SHA1 is the Kerberos encryption type. <name> is the file name for the generated keytab. Update each value to match your needs and your corporate standards.

    Note: The Kerberos Advanced Encryption Standard (AES) encryption options (both the 128-bit option and the 256-bit option) are available only when the domain functional level is set to Windows Server 2008 R2, Windows Server 2008, or Windows Server 2003. AES is a new encryption algorithm that has been standardized by the National Institute of Standards and Technology (NIST). For more information about Kerberos authentication, see Kerberos Explained (http://go.microsoft.com/fwlink/?LinkId=85494).

    For reference, see the section "Creating service principal with Microsoft Windows 2008 Server" on the page http://spring.io/blog/2009/09/28/spring-security-kerberos-spnego-extension

Give the generated keytab file (e.g., review-server.keytab) and the SPN (e.g., HTTP/review-server.example.com) to the Caliber Review administrator. Also tell the Caliber Review administrator which Kerberos encryption type was used.
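
Before handing the file over, you can confirm that the keytab carries the SPN, kvno and encryption type you intended. The following is an added example, not part of the Caliber Review documentation; it assumes the file is in the MIT keytab format, version 0x0502, and the function names and the sample entry are constructed for illustration.

```python
import struct

def _counted(buf, off):                  # 16-bit length, then that many bytes
    (n,) = struct.unpack_from(">H", buf, off)
    if off + 2 + n > len(buf):
        raise ValueError("truncated field")
    return buf[off + 2:off + 2 + n], off + 2 + n

def _parse_entry(buf):
    (ncomp,) = struct.unpack_from(">H", buf, 0)
    realm, off = _counted(buf, 2)
    parts = []
    for _ in range(ncomp):               # e.g. "HTTP", then "host:port"
        part, off = _counted(buf, off)
        parts.append(part.decode())
    _ntype, _time, kvno, enctype = struct.unpack_from(">IIBH", buf, off)
    key, off = _counted(buf, off + 11)
    if len(buf) - off >= 4:              # optional 32-bit kvno; non-zero overrides
        kvno = struct.unpack_from(">I", buf, off)[0] or kvno
    return {"principal": "/".join(parts) + "@" + realm.decode(),
            "kvno": kvno, "enctype": enctype, "keylen": len(key)}

def parse_keytab(data):
    """Entries of a version 0x0502 keytab; key bytes are never returned."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size > 0:                     # negative size: deleted slot; zero: padding
            entries.append(_parse_entry(data[pos:pos + size]))
        pos += abs(size)
    return entries

def check_keytab(entries, spn, kvno, enctype=18):   # 18 = AES256-SHA1
    """Problems found when comparing the keytab with the values you hand over."""
    hits = [e for e in entries if e["principal"] == spn]
    if not hits:
        return [f"no entry for {spn}"]
    ok = [e for e in hits if e["enctype"] == enctype and e["kvno"] == kvno]
    return [] if ok else [f"found (kvno, enctype) {[(e['kvno'], e['enctype']) for e in hits]}"]

def sample_keytab():
    """Constructed input: one AES256 entry, kvno 0, all-zero placeholder key."""
    cs = lambda b: struct.pack(">H", len(b)) + b
    entry = (struct.pack(">H", 2) + cs(b"EXAMPLE.COM") + cs(b"HTTP")
             + cs(b"review-server.example.com:11012")
             + struct.pack(">IIBH", 1, 0, 0, 18) + cs(bytes(32)) + struct.pack(">I", 0))
    return b"\x05\x02" + struct.pack(">i", len(entry)) + entry
```

To check a real file, pass its bytes to parse_keytab and call check_keytab with the SPN (including the realm), the kvno given to ktpass, and the expected encryption type number.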