Installation and Maintenance

Kerberos keytables

Kerberos relies on authenticating both the user and the web server against the Kerberos database. User authentication is achieved by entering a username and password or by negotiating tickets. The Apache server needs its own credentials for the Kerberos service in the form of keytab files, since Kerberos encrypts the authentication information in the tickets and the web server needs to pick the correct keys to decrypt them.
 
To identify the server in the Kerberos database, service principal names (SPNs) are used. These names are stored in the Kerberos database as a multivalued attribute. The Kerberos database stores multiple passwords for an SPN so that a password can be changed while older tickets (within their validity time) remain usable concurrently. For this purpose the keys are enumerated with a key version number ("kvno") in the database and in the keytab file. For a keytab file to work, the SPNs, passwords and their kvno must match between the keytab file and the Kerberos database.
 
Passwords may be encrypted and stored using several methods, so there may be multiple entries for one SPN/kvno pair in the keytab file (one per encryption method).
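The keytab layout described above (one entry per SPN, kvno and encryption method, and the requirement that the kvno match the Kerberos database) can be checked directly. The following Python is an added example, not code from this page or from ILIAS: it parses an MIT-format keytab, lists principal, kvno and encryption type for each entry, and reports principals whose newest key version lags the kvno the KDC currently issues. The principal HTTP/ilias.example.org@EXAMPLE.ORG and the all-zero keys are constructed sample values.

```python
import struct
from collections import defaultdict

def keytab_entry(principal, kvno, enctype, key):
    """Serialise one MIT keytab (v0x0502) entry; used here only to build the constructed sample."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:                      # realm first, then the name components
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # name_type, timestamp, 8-bit vno
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)                 # 32-bit kvno extension (kvno may exceed 255)
    return struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] for every live entry of an MIT keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 MIT keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,), pos = struct.unpack_from(">i", data, pos), pos + 4
        if size < 0:                      # negative size marks a deleted slot of |size| bytes
            pos -= size
            continue
        end = pos + size
        (ncomp,), pos = struct.unpack_from(">H", data, pos), pos + 2
        strings = []
        for _ in range(ncomp + 1):        # realm first, then the principal's name components
            (n,), pos = struct.unpack_from(">H", data, pos), pos + 2
            strings.append(data[pos:pos + n].decode())
            pos += n
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        enctype, klen = struct.unpack_from(">HH", data, pos + 9)
        pos += 9 + 4 + klen               # skip name_type, timestamp, vno8 and the key itself
        kvno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8
        pos = end                         # the 32-bit kvno, when present, is the last field
        entries.append(("/".join(strings[1:]) + "@" + strings[0], kvno, enctype))
    return entries

def stale_principals(entries, kdc_kvno):
    """Principals whose newest key in the keytab lags the kvno the KDC reports for them."""
    newest = defaultdict(int)
    for principal, kvno, _ in entries:
        newest[principal] = max(newest[principal], kvno)
    return sorted(p for p, v in newest.items() if v < kdc_kvno.get(p, v))

SPN = "HTTP/ilias.example.org@EXAMPLE.ORG"   # constructed sample principal, not a real host
# Constructed keytab: aes256 (18) and aes128 (17) keys for kvno 3, plus the older kvno 2 still kept.
SAMPLE = b"\x05\x02" + b"".join(keytab_entry(SPN, kv, et, b"\x00" * n)
                                for kv, et, n in [(3, 18, 32), (3, 17, 16), (2, 18, 32)])
```

Running `parse_keytab` over a real file (`open(path, "rb").read()`) gives the same view as `klist -kte`, and comparing it with the kvno the KDC reports tells you whether the keytab was regenerated after the last password change.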
 
Keytab files can be generated either on the Kerberos server or on the ILIAS server side. The credentials used to generate the keytab file must have sufficient privileges to configure the SPN attribute in the Kerberos database. With Microsoft Active Directory ®, membership of the Account Operators group should be sufficient.
 
The primary way described here uses Samba to create all necessary objects and settings from the ILIAS server console (no direct access to the Kerberos server is required).
 
Configuration from the Windows ® side is also possible as an alternative and is appended additionally.