ZCS Administrator's Guide 7.2.3
Open Source Edition


Appendix B: Configuring SPNEGO Single Sign-On for ZCS

Create the Kerberos Keytab File
An Active Directory service account is created in the Active Directory domain for each ZCS mailstore server.
1.
a. Go to the Active Directory Start > Programs > Administrative Tools > Active Directory Users and Computers console.
b. To create the service account, click the AD domain name and, from the expanded content, right-click Users and select New > User. Complete the New Object – User dialog.
   Full name: Enter the user display name for the AD service account. It is recommended that the full name be the ZCS mailbox server name. Example: mail1
   User Logon Name: This name is the value that is set for the zimbraSpnegoAuthTargetName server attribute in LDAP. Write it down. Example: HTTP/mail1.example.com
   User Logon Name (pre-Windows2000): This name is used for the mapUser parameter in the setspn and ktpass commands. Example: mail1
   Click Next.
c. Enter and confirm the password. This password is used for the -pass {AD-user-password} parameter in the ktpass command, configured below.
d. Check Password never expires and User cannot change password, and click Next.
e. Click Finish to create the user. The service account name displays in the Users directory.
2. Use the setspn command to map the mailbox server name as the Service Principal Name (SPN) to the user account. The SPN is used in the process of mutual authentication between the client and the server hosting a particular service.
a. From the command prompt, type
   setspn -a {userlogonname} {serviceaccountname}
   Example:
b. To verify that the SPN is registered, type
   C:\>setspn -l {accountname}
   A list of registered SPNs is displayed.
3.
Note:
The command to type follows:

ktpass -out {keytab-file-to-produce} -princ {Service-Principal-Name}@{the-kerberos-realm} -mapUser {AD-user} -mapOp set -pass {AD-user-password} -crypto RC4-HMAC-NT -pType KRB5_NT_PRINCIPAL

-princ {Service-Principal-Name}@{the-kerberos-realm}: This is the principal name. Enter the Service Principal Name as used in Step 2 in the Setting up the Microsoft Windows Active Directory Domain Controller section. For example, HTTP/mail1.example.com@COMPANY.COM
-mapUser {AD-user}: This maps the -princ value to this user account. Enter the AD service account user name entered in the User Logon Name (pre-Windows2000) field set in Step 1.b in the Setting up the Microsoft Windows Active Directory Domain Controller section.
-pass {AD-user-password}: This is the password to use. Enter the password set for the service account in Step 1.c in the Setting up the Microsoft Windows Active Directory Domain Controller section.
-pType KRB5_NT_PRINCIPAL: Enter KRB5_NT_PRINCIPAL. To avoid warning messages from the toolkit, enter this value.
Example:

The command is confirmed with something similar to the example below.
4.
Important: Do not rename the jetty.keytab file. This file name is referenced from various configuration files.
Repeat steps 1 to 4 to create the keytab file (jetty.keytab) for each Zimbra mailstore server.
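The ktpass command above writes jetty.keytab in the MIT keytab format (version 0x502). As an added example that is not part of this guide, the Python below builds a one-entry keytab in that layout and parses it back, so an administrator can confirm that the file carries the expected HTTP/{mailhost}@{REALM} principal with the KRB5_NT_PRINCIPAL name type and an RC4-HMAC (etype 23) key before copying it to the Zimbra server; the sample principal, key bytes and kvno are constructed values.

```python
# Added example, not from the ZCS guide: write and read back a keytab in the MIT 0x502
# format that ktpass -out produces, to check jetty.keytab before deployment. Sample values are constructed.
import struct

KRB5_NT_PRINCIPAL = 1   # the -pType value in the guide's ktpass line

def _cstr(b: bytes) -> bytes:
    """counted_octet_string: 16-bit big-endian length, then the bytes."""
    return struct.pack(">H", len(b)) + b

def _take_cstr(data: bytes, pos: int):
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n

def build_keytab(principal: str, etype: int, key: bytes, kvno: int, ts: int = 0) -> bytes:
    """Serialize a one-entry keytab for 'svc/host@REALM' in the layout ktpass writes."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _cstr(realm.encode())
    body += b"".join(_cstr(c.encode()) for c in comps)
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, ts, kvno & 0xFF)           # name type, timestamp, 8-bit kvno
    body += struct.pack(">H", etype) + _cstr(key) + struct.pack(">I", kvno)  # keyblock, then 32-bit kvno
    return b"\x05\x02" + struct.pack(">i", len(body)) + body

def parse_keytab(data: bytes) -> list:
    """Return one dict per live entry: principal, name_type, kvno, etype, keylength."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos, end = pos + 4, pos + 4 + abs(size)
        if size > 0:                                  # a negative size marks a deleted slot; skip it
            (ncomp,) = struct.unpack_from(">H", data, pos)
            realm, pos = _take_cstr(data, pos + 2)
            comps = []
            for _ in range(ncomp):
                c, pos = _take_cstr(data, pos)
                comps.append(c.decode())
            name_type, _ts, vno8 = struct.unpack_from(">IIB", data, pos)
            (etype,) = struct.unpack_from(">H", data, pos + 9)
            key, pos = _take_cstr(data, pos + 11)
            kvno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8
            entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                            "name_type": name_type, "kvno": kvno, "etype": etype, "keylength": len(key)})
        pos = end
    return entries

def find_entry(data: bytes, principal: str):
    """Entry for the expected HTTP/<mailhost>@REALM principal, or None (Kerberos names are case-sensitive)."""
    return next((e for e in parse_keytab(data) if e["principal"] == principal), None)
```

A principal that differs only in case, or a keytab whose kvno no longer matches the service account's current key version after a password reset, will fail SPNEGO authentication even though the file name and location are correct. RC4-HMAC is the cipher this guide's -crypto value selects; it is deprecated for Kerberos, and AES types should be preferred where the domain controller and the service both support them.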
Copyright © 2013 VMware Inc.