Generating a Keytab File for an SPN

You can generate the Kerberos keytab file (krb5.keytab) for an SPN using the ktpass tool from the Windows Server toolkit.

Prerequisites

  • Make sure you have created a user account in the Microsoft Active Directory.
  • Ensure that you have mapped the service principal name to the user account.
Note: The instructions in this topic are for the Windows platform only.

Procedure

  1. Open a command prompt.
  2. To generate the keytab file, type the ktpass command:
    ktpass -out Path_To_Keytab_file -princ service_name/fully_qualified_host_name -pass PasswordValue -mapUser user_logon_name -mapOp set -crypto Encryption_Key_Type -pType KRB5_NT_PRINCIPAL

    For example:

    ktpass -out c:\temp\apixg.keytab -princ HTTP/testtibcoapix.pa.tibco.com -pass testtibcopass -mapUser test\testtibcoapix -mapOp set -crypto all -pType KRB5_NT_PRINCIPAL
    
    Refer to the following table for command line options:
    Command Line Options for ktpass Command
    Parameter | Description | Example Value
    -out | Specifies the name of the Kerberos keytab output file. | c:\temp\apixg.keytab
    -princ | Specifies the principal user name. The value for this field is defined in the form user@REALM. The concatenation of the user logon name and the realm must be uppercase. | HTTP/testtibcoapix.pa.tibco.com
    -pass | Specifies a password for the principal user name that is specified by the -princ option. | testtibcopass
    -mapUser | Maps the name of the Kerberos principal, which is specified by the -princ option, to the specified domain account. | test\testtibcoapix
    -mapOp | Specifies how the mapping attribute is set. | set, which sets the value for Data Encryption Standard (DES)-only encryption for the specified local user name.
    -crypto | Specifies the encryption key types that are generated in the keytab file. The possible values are: DES-CBC-CRC, AES256-SHA1, all. | all, which indicates that all supported cryptographic types can be used.
    Refer to https://technet.microsoft.com/en-us/library/cc753771.aspx for ktpass command syntax details.