Spotfire® Server and Environment - Installation and Administration

Creating a keytab file for the Kerberos service account

Creating the keytab file is the third step in configuring Spotfire Server for the Kerberos authentication method.

Procedure

  1. Log in to the computer as a domain administrator or a user who is a member of the built-in Account Operators domain group.
  2. Execute the following command, replacing the variables with the appropriate values:
    > ktpass /princ HTTP/<fully qualified hostname>[:<port>]@<realm> /ptype krb5_nt_principal
     /crypto <crypto algorithm> /mapuser <service account name> /out spotfire.keytab -kvno 0
     /pass <service account password>
    Note: Make sure that the executed command does not have any newlines.
    Note: All values are case sensitive.
    Note: Older versions of the ktpass.exe tool will fail to create the keytab file when the tool is not run on an actual domain controller.
    Variable: Description
    fully qualified hostname: The fully qualified DNS hostname of the computer hosting Spotfire Server, which must exactly match the fully qualified hostname used when registering the SPNs (in lowercase characters).
    port: The TCP port number on which Spotfire Server is listening (only specified if the port number was explicitly included in the registered Service Principal Names (SPN)). This is not required if using the default HTTP port 80 or the default HTTPS port 443.
    realm: The name of the Kerberos realm, which is the DNS domain name written in uppercase characters.
    crypto algorithm: Can be one of aes128-sha1 or aes256-sha1. Make sure that the selected crypto algorithm is also specified in the krb5.conf file.
    service account name: The user login name of the service account with the registered SPNs (written in lowercase characters).
    service account password: The password for the service account.
    Note: If you change the password of the Kerberos service account, you must re-create the keytab file.
    Note: It is not critical to use the name "spotfire.keytab" for the keytab file, but the following instructions assume that this name is used.

Example

Creating a keytab file for the "spotsvc" Kerberos service account in the "research.example.com" domain for Spotfire Server listening on the default HTTP port 80 or the default HTTPS port 443 on the "spotserver.research.example.com" computer:
> ktpass /princ HTTP/spotfireserver.research.example.com@RESEARCH.EXAMPLE.COM
 /ptype krb5_nt_principal /crypto aes128-sha1 /mapuser spotsvc /out spotfire.keytab -kvno 0
 /pass spotsvcpassword

Example

Creating a keytab file for the "spotsvc" Kerberos service account in the "research.example.com" domain for Spotfire Server listening on the HTTP port 8080 on the "spotserver.research.example.com" computer:
> ktpass /princ HTTP/spotfireserver.research.example.com:8080@RESEARCH.EXAMPLE.COM
 /ptype krb5_nt_principal /crypto aes128-sha1 /mapuser spotsvc
 /out spotfire.keytab -kvno 0 /pass spotsvcpassword
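
Added example (not part of the Spotfire documentation): a PowerShell helper that checks the case and format rules from the variable table before building the ktpass arguments. The function and parameter names are hypothetical, and it assumes ktpass's "/pass *" option, which prompts for the password so that it does not end up in the command history.

```powershell
# Added example: builds the ktpass argument list and rejects values that
# break the case and format rules in the variable table before anything runs.
function New-KtpassArgument {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$HostName,        # FQDN used in the registered SPNs
        [Parameter(Mandatory)][string]$Realm,           # DNS domain name, uppercase
        [Parameter(Mandatory)][string]$ServiceAccount,  # login name, lowercase
        [ValidateSet('aes128-sha1', 'aes256-sha1', IgnoreCase = $false)]
        [string]$Crypto = 'aes256-sha1',
        [ValidateRange(0, 65535)]
        [int]$SpnPort = 0,                              # 0 = SPN registered without a port
        [string]$OutFile = 'spotfire.keytab'
    )

    # All values are case sensitive, so use the case-sensitive (-c) operators.
    if ($HostName -cnotmatch '^[a-z0-9-]+(\.[a-z0-9-]+)+$') {
        throw "HostName must be a lowercase fully qualified DNS name: $HostName"
    }
    if ($Realm -cne $Realm.ToUpperInvariant()) {
        throw "Realm must be written in uppercase: $Realm"
    }
    if ($ServiceAccount -cne $ServiceAccount.ToLowerInvariant()) {
        throw "ServiceAccount must be written in lowercase: $ServiceAccount"
    }

    # The port is part of the principal only when the SPN was registered with it.
    $principal = "HTTP/$HostName"
    if ($SpnPort -ne 0) { $principal += ":$SpnPort" }
    $principal += "@$Realm"

    # '/pass *' makes ktpass prompt for the service account password.
    return @(
        '/princ', $principal, '/ptype', 'krb5_nt_principal',
        '/crypto', $Crypto, '/mapuser', $ServiceAccount,
        '/out', $OutFile, '-kvno', '0', '/pass', '*'
    )
}

# Sample values taken from the port 8080 example above.
$ktpassArgs = New-KtpassArgument -HostName 'spotfireserver.research.example.com' `
    -Realm 'RESEARCH.EXAMPLE.COM' -ServiceAccount 'spotsvc' `
    -Crypto 'aes128-sha1' -SpnPort 8080

# Print the single-line command for review before running it.
'ktpass ' + ($ktpassArgs -join ' ')
```

To run the command after reviewing the printed line, pass the array to the tool with: & ktpass.exe @ktpassArgs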