Create the Kerberos Keytab File

ZCS Administrator Guide 8.0

Open Source Edition

Appendix B Configuring SPNEGO Single Sign-On > Create the Kerberos Keytab File

Create the Kerberos Keytab File

An Active Directory service account is created in Domain for each ZCS mailstore server.

1.

Create an Active Directory service account. This is the account used to generate the Kerberos keytab file that is added to the Zimbra server.

a.

Go to the Active Directory Start> Programs>Administrative Tools>Active Directory Users and Computers console.

b.

To create the service account, click the AD Domain name and from the expanded content right-click Users and select New >User. Complete the New Object – User dialog.

•

Full name: Enter the user display name for the AC service account. Recommend that the full name be the ZCS mailbox server name.
Example: mail1

•

User Logon Name: This name is the value that is set for the zimbraSpnegoAuthTargetName server attribute in LDAP. Write it down. Example: HTTP/mail1.example.com

•

User Logon Name (pre-Windows2000): This name is used for the –mapUser parameter in the setspn and ktpass commands.
Example: mail1.

•

Click Next.

c.

Enter and confirm the password. This password is used for the –pass {AD-user-password} parameter in the ktpass command, configured below.

d.

Check Password never expires and User cannot change password, and click Next.

e.

Click Finish to create the user. The service account name displays in the Users directory.

2.

Use the setspn command to map the mailbox server name as the service Principal Names (SPN) to the user account. The SPN is used in the process of mutual authentication between the client and the server hosting a particular service.

a.

From the command prompt, type setspn –a {userlogonname} {serviceaccountname}

Example

setspn –a HTTP/mail1.example.com mail1

b.

To verify that the SPN is registered, type
C:\>setspn –l {accountname}
A list of registered SPNs is displayed.

3.

Create the keytab file used when signing into the Kerberos domain. Use the ktpass tool from the Windows Server toolkit to create the Kerberos keytab.

Note:

A Kerberos keytab file contains a list of keys that are analogous to user passwords. Restrict and monitor permissions on any keytab files you create.

The command to type follows:

ktpass -out {keytab-file-to-produce} -princ {Service-Principal-Name}@{the-kerberos-realm} -mapUser {AD-user} -mapOp set -pass {AD-user-password} -crypto RC4-HMAC-NT -pType KRB5_NT_PRINCIPAL

Ktpass -out

The key is written to this output file.
Enter the directory location and keytab file name. The keytab file name is jetty.keytab.
For example, C: \Temp\spnego\jetty.keytab

-princ

This is the principal name.
Enter the service Principal Name as used in Step 2 in Setting up the Microsoft Windows Active Directory Domain Controller section. For example, HTTP/mail1.example.com@COMPANY.COM

-mapUser

This maps –princ value to this user account.
Enter the AD service account user name entered in the User Logon Name (pre-Windows2000) set in Step 1.b in Setting up the Microsoft Windows Active Directory Domain Controller section.

-mapOp

This sets the mapping. The value for this parameter is
set

-pass

This is the password to use.
Enter the password entered in the User Logon Name (pre-Windows2000) set in Step 1.c in Setting up the Microsoft Windows Active Directory Domain Controller section.

-crypto

This is the cryptosystem to use.
Enter RC4-HMAC-NT

-pType

Enter
KRB5_NT_PRINCIPAL
To avoid warning messages from the toolkit enter this value.

Example:

ktpass -out C: \Temp\spnego\jetty.keytab -princ HTTP/mail1.example.com@COMPANY.COM -mapUser mail1 -mapOp set -pass password123 -crypto RC4-HMAC-NT -pType KRB5_NT_PRINCIPAL

The command is confirmed with something similar to the example below.

Targeting domain controller: …

Using legacy password setting method

Successfully mapped HTTP/mail1.example.com to mail1.

Key created.

Output keytab to c:\Temp\spnego\jetty.keytab:

Keytab version: 0x502

keysize 71 HTTP HTTP/mail1.example.com@COMPANY.COM ptype 1 (KRB5_NT_PRINCIPAL) vno3 etype 0x17 (RC4-HMAC) keylength 16 (0xc383f6a25f1e195d5aef495c980c2bfe)

4.

Transfer the keytab file (jetty.keytab) to the Zimbra server. Copy the file created in step 3 to the following Zimbra server location: /opt/zimbra/jetty/etc

Important: Do not rename the jetty.keytab file. This file name is referenced from various configuration files.

Repeat steps 1 to 4 to create an create the keytab file (jetty.keytab) for each Zimbra mailstore server.

Ktpass -out	The key is written to this output file. Enter the directory location and keytab file name. The keytab file name is jetty.keytab. For example, C: \Temp\spnego\jetty.keytab
-princ	This is the principal name. Enter the service Principal Name as used in Step 2 in Setting up the Microsoft Windows Active Directory Domain Controller section. For example, HTTP/mail1.example.com@COMPANY.COM
-mapUser	This maps –princ value to this user account. Enter the AD service account user name entered in the User Logon Name (pre-Windows2000) set in Step 1.b in Setting up the Microsoft Windows Active Directory Domain Controller section.
-mapOp	This sets the mapping. The value for this parameter is set
-pass	This is the password to use. Enter the password entered in the User Logon Name (pre-Windows2000) set in Step 1.c in Setting up the Microsoft Windows Active Directory Domain Controller section.
-crypto	This is the cryptosystem to use. Enter RC4-HMAC-NT
-pType	Enter KRB5_NT_PRINCIPAL To avoid warning messages from the toolkit enter this value.