Creating a keytab file for the Kerberos service account (using the ktpass command from Microsoft Support Tools)

This method of creating a keytab file uses the ktpass command that is included with Microsoft Support Tools.

Procedure

On a computer with the Microsoft Support Tools installed (it is not necessary to be logged in as a privileged user), execute the following command, replacing the <database account name>, <REALM>, <crypto algorithm>, and <database account password> with the appropriate values. <crypto algorithm> can be one of aes128-sha1 or aes256-sha1. Make sure that the selected crypto algorithm is also specified in the krb5.conf file.
Note: All values are case sensitive.
```
> ktpass /princ <database account name>@<REALM> /ptype krb5_nt_principal /
crypto <crypto algorithm> /out spotfire-database.keytab  -kvno 0 /pass <database account password>
```
Note: It is not critical to use the name "spotfire‐database.keytab" for the keytab file, but the following instructions assume that this name is used.
Example of creating a keytab file for the Spotfire database account named "spotuser" in the research.example.com domain:
```
> ktpass /princ spotuser@RESEARCH.EXAMPLE.COM /ptype krb5_nt_principal / crypto
aes128-sha1 /out spotfire-database.keytab -kvno 0 /pass spotuserpassword
```
Copy the spotfire-database.keytab file to the directory <installation dir>\tomcat\spotfire-config (Windows) or <installation dir>/tomcat/spotfire-config (Linux) in Spotfire Server.

Note: Because this file contains sensitive information, it must be handled with care. The file must not under any circumstances be readable by unauthorized users.

Note: If you change the password of the Kerberos service account, you must re-create the keytab file.