ZCS Administrator Guide 7.2.1
Open Source Edition

Appendix B Configuring SPNEGO Single Sign-On for ZCS

Create the Kerberos Keytab File
An Active Directory service account is created in the domain for each ZCS mailstore server.

1. Create an Active Directory service account. This account is used to generate the Kerberos keytab file that is added to the Zimbra server.
   a. Go to the Active Directory Start > Programs > Administrative Tools > Active Directory Users and Computers console.
   b. To create the service account, click the AD domain name and, from the expanded content, right-click Users and select New > User. Complete the New Object - User dialog.
      Full name: Enter the user display name for the AD service account. It is recommended that the full name be the ZCS mailbox server name. Example: mail1
      User Logon Name: This name is the value that is set for the zimbraSpnegoAuthTargetName server attribute in LDAP. Write it down. Example: HTTP/mail1.example.com
      User Logon Name (pre-Windows 2000): This name is used for the mapUser parameter in the setspn and ktpass commands. Example: mail1
      Click Next.
   c. Enter and confirm the password. This password is used for the -pass {AD-user-password} parameter in the ktpass command, configured below.
   d. Check Password never expires and User cannot change password, and click Next.
   e. Click Finish to create the user. The service account name displays in the Users directory.
2. Use the setspn command to map the mailbox server name as the Service Principal Name (SPN) to the user account. The SPN is used in the process of mutual authentication between the client and the server hosting a particular service.
   a. From the command prompt, type setspn -a {userlogonname} {serviceaccountname}
   b. To verify that the SPN is registered, type
      C:\>setspn -l {accountname}
      A list of registered SPNs is displayed.
3. Create the keytab file used when signing into the Kerberos domain. Use the ktpass tool from the Windows Server toolkit to create the Kerberos keytab.
   A Kerberos keytab file contains a list of keys that are analogous to user passwords. Restrict and monitor permissions on any keytab files you create.
   The command to type follows:
   ktpass -out {keytab-file-to-produce} -princ {Service-Principal-Name}@{the-kerberos-realm} -mapUser {AD-user} -mapOp set -pass {AD-user-password} -crypto RC4-HMAC-NT -pType KRB5_NT_PRINCIPAL
   The parameters are as follows:
   -out: The key is written to this output file. Enter the directory location and keytab file name. The keytab file name is jetty.keytab. For example, C:\Temp\spnego\jetty.keytab
   -princ: This is the principal name. Enter the Service Principal Name as used in Step 2 in the Setting up the Microsoft Windows Active Directory Domain Controller section. For example, HTTP/mail1.example.com@COMPANY.COM
   -mapUser: This maps the -princ value to this user account. Enter the AD service account user name entered as the User Logon Name (pre-Windows 2000) in Step 1.b in the Setting up the Microsoft Windows Active Directory Domain Controller section.
   -pass: This is the password to use. Enter the password entered in Step 1.c in the Setting up the Microsoft Windows Active Directory Domain Controller section.
   -pType: To avoid warning messages from the toolkit, enter the value KRB5_NT_PRINCIPAL.
   Example:
   ktpass -out C:\Temp\spnego\jetty.keytab -princ HTTP/mail1.example.com@COMPANY.COM -mapUser mail1 -mapOp set -pass password123 -crypto RC4-HMAC-NT -pType KRB5_NT_PRINCIPAL
   The command is confirmed with output similar to the example below.
   keysize 71 HTTP HTTP/mail1.example.com@COMPANY.COM ptype 1 (KRB5_NT_PRINCIPAL) vno3 etype 0x17 (RC4-HMAC) keylength 16 (0xc383f6a25f1e195d5aef495c980c2bfe)
4. Transfer the keytab file (jetty.keytab) to the Zimbra server. Copy the file created in step 3 to the following Zimbra server location: /opt/zimbra/jetty/etc
   Important: Do not rename the jetty.keytab file. This file name is referenced from various configuration files.
5. Repeat steps 1 to 4 to create the keytab file (jetty.keytab) for each Zimbra mailstore server.
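As an added example that is not part of this guide or of ZCS, the following Python script can be run on the Zimbra server after step 4 to confirm what landed in /opt/zimbra/jetty/etc/jetty.keytab: it parses the keytab, lists each principal with its kvno and encryption type, and reports a keytab that is readable by group or others. It assumes the MIT version-2 keytab layout that ktpass writes; the SAMPLE_KEYTAB bytes are constructed to mirror the ktpass output quoted above, and the RC4-HMAC finding reflects RFC 8429, which deprecates that enctype for Kerberos.

```python
"""Inspect a jetty.keytab: list its principals and audit permissions/etypes."""
import os
import struct
ETYPE_NAMES = {0x17: "RC4-HMAC", 0x11: "AES128-CTS-HMAC-SHA1-96", 0x12: "AES256-CTS-HMAC-SHA1-96"}
WEAK_ETYPES = {0x17}  # RC4-HMAC is deprecated for Kerberos use (RFC 8429)


def parse_keytab(data: bytes) -> list:
    """Parse an MIT version-2 keytab (the format ktpass writes) into dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos, end = pos + 4, pos + 4 + abs(size)
        if size <= 0:                       # a negative size marks a deleted slot
            pos = end
            continue
        (ncomp,) = struct.unpack(">H", data[pos:pos + 2])
        pos, names = pos + 2, []            # realm comes first, then name components
        for _ in range(ncomp + 1):
            (n,) = struct.unpack(">H", data[pos:pos + 2])
            names.append(data[pos + 2:pos + 2 + n].decode())
            pos += 2 + n
        _ntype, _ts, vno8, etype, klen = struct.unpack(">IIBHH", data[pos:pos + 13])
        pos += 13 + klen                    # step over the key bytes themselves
        vno = struct.unpack(">I", data[pos:pos + 4])[0] if end - pos >= 4 else vno8  # optional 32-bit kvno
        entries.append({"principal": "/".join(names[1:]) + "@" + names[0], "kvno": vno, "etype": etype, "keylen": klen})
        pos = end
    return entries


def audit(entries: list, mode: int) -> list:
    """Findings a defender should fix: group/other access, weak enctypes."""
    out = ["keytab is readable by group or others; restrict it to mode 600"] if mode & 0o077 else []
    for e in entries:
        if e["etype"] in WEAK_ETYPES:
            out.append("%s kvno %d uses %s" % (e["principal"], e["kvno"], ETYPE_NAMES[e["etype"]]))
    return out


def audit_file(path: str) -> list:
    """Audit an on-disk keytab, e.g. /opt/zimbra/jetty/etc/jetty.keytab."""
    with open(path, "rb") as f:
        return audit(parse_keytab(f.read()), os.stat(path).st_mode)


# Constructed sample keytab, field by field, mirroring the ktpass output quoted above
SAMPLE_KEYTAB = bytes.fromhex(
    "0502" "00000049" "0002" "000b434f4d50414e592e434f4d"       # v2, entry size 73, 2 components, realm COMPANY.COM
    "000448545450" "00116d61696c312e6578616d706c652e636f6d"     # HTTP, mail1.example.com
    "00000001" "00000000" "03"                                 # KRB5_NT_PRINCIPAL, timestamp, vno8
    "0017" "0010" "c383f6a25f1e195d5aef495c980c2bfe" "00000003")  # RC4-HMAC, 16-byte key, kvno 3
```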
Copyright © 2012 VMware Inc.