Generating a Keytab File for an SPN

You can generate the Kerberos keytab file (krb5.keytab) for an SPN using the ktpass tool from the Windows Server toolkit.

Before you begin

Make sure you have created a user account in the Microsoft Active Directory.
Ensure that you have mapped the service principal name to the user account.

Note: The instructions in this topic are for Windows platform only.

Procedure

Open a command prompt.

To generate the keytab file, type the ktpass command:

ktpass -out Path_To_Keytab_file
-princ service name/fully_qualified_host_name -passPasswordValue 
-mauser user_logon_name -mapOp set -cryptoEncryption_Key_Type
-pType KRB5_NT_PRINCIPAL

ktpass -out c:\temp\apixg.keytab
-princ HTTP/testtibcoapix.pa.tibco.com -pass testtibcopass -mapUser test\testtibcoapix -mapOp set -crypto all
-pType KRB5_NT_PRINCIPAL

Refer to the following table for command line options:

Command Line Options for `ktpass` Command
Parameter	Description	Example Value
-out	Specifies the name of the Kerberos keytab output file.	`c:\temp\apixg.keytab`
-princ	Specifies the principal user name. The value for this field is defined in the form user@REALM . The concatenation of the user logon name, and the realm must be uppercase.	`HTTP/testtibcoapix.pa.tibco.com`
-pass	Specifies a password for the principal user name that is specified by the `princ` option.	`testtibcopass`
-mapUser	Maps the name of the Kerberos principal, which is specified by the `princ` option to the specified domain account.	`test\testtibcoapix`
-mapOp	Specifies how the mapping attribute is set.	`set` sets the value for Data Encryption Standard (DES)-only encryption for the specified local user name.
-crypto	Specifies the encryption key type that are generated in the keytab file. The possible values are: `DES-CBC-CRC` `AES256-SHA1` `all`	`all`, which indicates that all supported cryptographic types can be used.

Refer to https://technet.microsoft.com/en-us/library/cc753771.aspx for ktpass command syntax details.