Installation and Maintenance


Create Keytables from Windows®

A keytab file for an SPN (Service Principal Name) can be created from Windows® in several ways. For this manual I chose a user account as the basis. The steps are:
 
  • Create a user account with a password. The account must not be able to change the password, and the password never expires.
  • Use ktpass to create the SPN and the keytab file
In the following examples, server.domain must be replaced with the FQDN of the server/service. REALM must match the entry in the krb5.conf file (case sensitive!).
ktpass -princ HTTP/server.domain@REALM -mapuser user@REALM -crypto rc4-hmac-nt -ptype KRB5_NT_SRV_HST -pass user-passwort -out server.keytab
This command generates the keytab file, a couple of warnings and the key version number (vno). Note this number for the checks a few steps later.
Copy the file to your ILIAS server.
To test the file, use:
kinit -VV -k -t server.keytab HTTP/server.domain@REALM
This command should run without error messages. In case of failure, check especially the encryption defaults in your krb5.conf (the default_... lines).
Now check that the kvno is correct (it must match the vno output by the ktpass command earlier) and check for a valid ticket:
kvno HTTP/server.domain@REALM
klist -e
As in the basic Kerberos steps, delete this ticket:
kdestroy
Copy/rename the keytab file as shown in the Samba part of this document and set permissions to secure the file.
Now you can proceed to the Apache configuration.
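
The checks from the steps above can also be scripted. The following is an added example, not part of the original manual: it reads the output of `klist -k -e` for the keytab, compares the stored key version with the vno noted from ktpass, lists the encryption types, and verifies that the file is not accessible to group or others. All function names are hypothetical helpers, the sample listing is constructed, and the MIT Kerberos `klist` layout is assumed.

```shell
#!/bin/sh
# Added example: offline checks on a keytab listing. All function names are
# hypothetical helpers; the sample listing is constructed.

# Constructed sample of `klist -k -e server.keytab` output (MIT layout assumed).
sample_listing() {
cat <<'EOF'
Keytab name: FILE:server.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 HTTP/server.domain@REALM (arcfour-hmac)
EOF
}

# Print the distinct key version numbers stored for principal $1 (listing on stdin).
keytab_kvnos() {
    awk -v p="$1" '$1 ~ /^[0-9]+$/ && $2 == p { print $1 }' | sort -un
}

# Print the distinct encryption types stored for principal $1 (listing on stdin).
keytab_enctypes() {
    awk -v p="$1" '$1 ~ /^[0-9]+$/ && $2 == p { gsub(/[()]/, "", $3); print $3 }' | sort -u
}

# Succeed only if the keytab holds exactly one kvno for principal $1 and it
# equals $2, the vno noted from the ktpass output (listing on stdin).
kvno_matches() {
    found=$(keytab_kvnos "$1")
    [ -n "$found" ] && [ "$found" = "$2" ]
}

# Succeed only if group and others have no access at all to keytab file $1.
keytab_private() {
    perms=$(ls -ld -- "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}
```

On the server, pipe the real listing into the check, for example `klist -k -e server.keytab | kvno_matches HTTP/server.domain@REALM 3`, with the vno you noted in place of 3.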

