5.2. Exporting Keytab
Once you have created the user account for the application server, use the Ktpass utility to map the SPN account as a trusted host and export the keytab for the server:
- Issue the ktpass command to map the created user as a trusted host and generate the keytab file. The -princ option defines the service principal that is being mapped to and the -mapuser option defines the user account being mapped to.

      ktpass -princ <service principal mapping> -out <target keytab file> -pass * -mapuser <user mapping>

  Example 5.1. ktpass command

      ktpass -princ host/testserver@kerberos.jboss.org -out C:\testeserver.host.keytab -pass * -mapuser KERBEROS\testserver

- When prompted, enter the user password.
- Issue the following command to display the available mappings and check that the new mapping is listed:

      setspn.exe -l <user mapping>

  Example 5.2. setspn command

      setspn.exe -l testserver
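
A check that can be run on the exported keytab before it is copied to the application server (an added example, not part of the original guide): it parses the file, confirms that the principal from Example 5.1 is present, and lists entries whose encryption type is DES or RC4. It assumes the file uses the MIT keytab layout, version 0x0502; the function names and the sample bytes are constructed for illustration.

```python
import struct

WEAK = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "rc4-hmac"}  # enctypes treated as weak

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] from a version 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                # negative length marks a deleted entry (hole)
            pos += -size
            continue
        rec, off = data[pos:pos + size], 2
        if len(rec) < size:
            raise ValueError("truncated entry")
        pos += size
        def counted():               # 16-bit length followed by that many bytes
            nonlocal off
            (n,) = struct.unpack_from(">H", rec, off)
            off += 2 + n
            return rec[off - n:off]
        (ncomp,) = struct.unpack_from(">H", rec)
        realm = counted().decode()
        name = "/".join(counted().decode() for _ in range(ncomp))
        # skip name type and timestamp (8 bytes), then 8-bit kvno and enctype
        kvno, etype = struct.unpack_from(">8xBH", rec, off)
        off += 11
        counted()                    # key material: skipped, never returned
        if len(rec) - off >= 4:      # optional 32-bit kvno, used when non-zero
            kvno = struct.unpack_from(">I", rec, off)[0] or kvno
        entries.append((f"{name}@{realm}", kvno, etype))
    return entries

def audit(data, expected):
    """Return (expected principal present?, entries using weak enctypes)."""
    entries = parse_keytab(data)
    weak = [(p, WEAK[e]) for p, _, e in entries if e in WEAK]
    return any(p == expected for p, _, _ in entries), weak

def sample_keytab():                 # constructed bytes, not real key material
    cs = lambda b: struct.pack(">H", len(b)) + b
    out = b"\x05\x02"
    for etype, klen in ((23, 16), (18, 32)):
        body = struct.pack(">H", 2) + cs(b"kerberos.jboss.org") + cs(b"host") + cs(b"testserver")
        body += struct.pack(">IIBH", 1, 0, 3, etype) + cs(bytes(klen))
        out += struct.pack(">i", len(body)) + body
    return out
```

For a real file, pass the bytes read from the keytab to `audit` together with the principal given to -princ; the key bytes are skipped by the parser and never returned.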