Kerberos Keytab

Contents

Overview

The Kerberos Keytab file contains mappings between Kerberos Principal names and DES-encrypted keys that are derived from the password used to log into the Kerberos Key Distribution Center (KDC). The purpose of the Keytab file is to allow the user to access distinct Kerberos Services without being prompted for a password at each Service. Furthermore, it allows scripts and daemons to login to Kerberos Services without the need to store clear-text passwords or for human intervention.

Important Note:
Anyone with read access to the Keytab file has full control of all keys contained in the file. For this reason, it is imperative that the Keytab file is protected using very strict file-based access control.

The Keytab Entry dialog, which is available from the Secret Key section on both the Kerberos Client and Kerberos Service screens after clicking the Add Principal button, is essentially a graphical interface to entries in a Kerberos Keytab file.

This dialog enables you to generate keytab entries. You can remove entries from the Keytab file by clicking the Delete Entry button on the Kerberos Client and Kerberos Service screens. You can configure Kerberos Clients and Kerberos Services under the External Connections node in the Policy Studio tree.

Each key entry in the file is identified by a Kerberos Principal and an encryption type. For this reason, the Keytab file may hold multiple keys for the same principal where each key has a different encryption type. It may also contain keys for several different Principals.

In cases where the Keytab file contains encryption keys for different Principals, at runtime the Kerberos Client or Service only considers keys mapped to the Principal name selected in the Kerberos Principal drop-down list on their respective screens.

If the Keytab file contains several keys for the Principal, the Kerberos Client or Service uses the key with the strongest encryption type as agreed during the negotiation of previous messages with the Kerberos Key Distribution Center (KDC).

Configuration

Configure the following fields on the Keytab Entry dialog:

Kerberos Principal:
Select an existing Kerberos Principal from the drop-down list or add a new one by clicking on the Add buttons. You can configure Kerberos Principals globally under the External Connections node in the Policy Studio tree. For more information on configuring Kerberos Principals, see the Kerberos Principals topic.

Password:
The password entered here is used to seed the encryption algorithm(s) selected below.

Encryption Types:
The encryption types selected here determine the algorithms used to generate the encryption keys that are stored in the Keytab file. In cases where the Keytab file contains multiple keys for the Principal, the encryption type is used to select an appropriate encryption key.

To ensure maximum interoperability between Kerberos Clients/Services configured in the Enterprise Gateway and different types of KDC, all encryption types are selected by default. With this configuration, the generated Keytab file contains a separate encryption key for each encryption type listed here where each key is mapped to the Principal name selected above.

It is important to ensure that the required encryption types exist in the Keytab as defined by settings in the krb5.conf. For a Kerberos Client to request a Ticket Granting Ticket, it must have at least one key that matches one of the encryption types listed in the default_tkt_enctypes setting in the krb5.conf file. A Kerberos Service requires a key of a certain encryption type to be able to decrypt the service ticket presented by a client.

Note:
For Windows 2003 Active Directory, by default, the service ticket is encrypted using the rc4-hmac encryption type. However, if the service user has the Use DES encryption types for this account option enabled, the des-cbc-md5 encryption type is used.