
Generating the Keytab File and Mapping the Service Principal Name

To generate the keytab file and map the service principal name:

Note: These steps assume that the server user is krbsrv and the domain is

  1. Open a command window by selecting Start, Run and then entering cmd in the Open field.

  2. In the command window, enter

    C:\>ktpass -princ HTTP/ -mapuser -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -pass krbPass! -out c:\temp\krb5.keytab

    This calls the ktpass utility with these parameters:

    -princ
      Specifies the service principal name in the form user@realm.

    -mapuser
      Maps the name of the Kerberos principal specified by the princ parameter to the specified local user name.

    -crypto
      Sets the encryption type to use.

    -ptype
      Sets the principal type to Kerberos 5 for Microsoft Windows.

    -pass
      Causes the utility to prompt you for a password.

    -out
      Specifies the name and location of the Kerberos version 5 .keytab file to generate.

  3. When prompted for the password, enter some value. This resets the password and does not have to match the one used when the user was created.

    Note: Make sure that the password meets domain security requirements or the utility fails.

  4. Verify that the command window output is similar to the following text. If so, the mapping is complete and the keytab file krb5.keytab is in the C:\temp directory.

    Key created.
    Output keytab to c:\temp\krb5.keytab:
    Keytab version: 0x502
    keysize 83 HTTP/ 
    ptype 1 (KRB5_NT_PRINCIPAL) vno 15 etype 0x17 (RC4-HMAC) 
    keylength 16 (0xdd74540caa4a230af2ed75558a37995d)
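    To check what actually landed in krb5.keytab before copying it to the server (the principal, kvno, encryption type and key length shown in the step 4 output), here is an added Python parser for the version 0x502 keytab format; it is example code, not part of the original page or of ktpass. The host name, realm and key bytes in the constructed sample are placeholders, and the legacy flag on RC4-HMAC (etype 0x17) is an added caveat.

```python
import struct
# Kerberos enctype numbers (RFC 3961 / RFC 4757); ktpass -crypto RC4-HMAC-NT writes 0x17 (RC4-HMAC).
ETYPE_NAMES = {0x11: "AES128-CTS-HMAC-SHA1-96", 0x12: "AES256-CTS-HMAC-SHA1-96", 0x17: "RC4-HMAC"}
LEGACY_ETYPES = {0x17}  # RC4-HMAC is a legacy enctype; prefer AES where the KDC and clients support it

def _counted(buf, off):
    """Read an MIT counted_octet_string: uint16 big-endian length, then that many bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Parse a version 0x502 keytab and return one dict per live entry, in file order."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x502 keytab")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                 # negative size marks a deleted slot of that many bytes
            off -= size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp.decode())
        name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        etype, keylen = struct.unpack_from(">HH", data, off + 9)
        off += 13 + keylen           # skip the key material itself; only its length is reported
        vno = vno8
        if end - off >= 4:           # optional 32-bit kvno; a non-zero value overrides the 8-bit one
            vno = struct.unpack_from(">I", data, off)[0] or vno8
        off = end
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(), "name_type": name_type,
                        "kvno": vno, "etype": etype, "etype_name": ETYPE_NAMES.get(etype, hex(etype)),
                        "keylen": keylen, "legacy_etype": etype in LEGACY_ETYPES})
    return entries

def build_keytab(principal, realm, kvno, etype, key, name_type=1):
    """Assemble a single-entry 0x502 keytab; used here only to construct the sample input below."""
    cnt = lambda s: struct.pack(">H", len(s)) + s.encode()
    comps = principal.split("/")
    body = struct.pack(">H", len(comps)) + cnt(realm) + b"".join(cnt(c) for c in comps)
    body += struct.pack(">IIB", name_type, 0, kvno & 0xFF) + struct.pack(">HH", etype, len(key)) + key
    return b"\x05\x02" + struct.pack(">i", len(body) + 4) + body + struct.pack(">I", kvno)

# Constructed sample mirroring the step 4 output (ptype 1, vno 15, etype 0x17, 16-byte key); host and key are placeholders.
SAMPLE_KEYTAB = build_keytab("HTTP/host.example.com", "EXAMPLE.COM", 15, 0x17, bytes(range(16)))
```

    On a real file, call parse_keytab(open(r"C:\temp\krb5.keytab", "rb").read()) and confirm the principal matches the SPN the browser will request.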

Service Principal Name Considerations

The SPN can include any possible URL. Valid SPNs for the domain include:

  • HTTP/

  • HTTP/

  • HTTP/localhost@EXAMPLE.COM

  • HTTP/

Browsers request the client-to-server tickets based on the URL that the user enters. If a page, for example, requests authentication, then the browser requests a client-to-server ticket for an SPN that is based on the website domain name: HTTP/

Although and might refer to the same physical machine, an authentication request from requests a client-to-server ticket for HTTP/ only, not HTTP/. In other words, an SPN mapping that uses the server DNS name does not apply when the client reaches the site by its IP address.

In addition, Microsoft Active Directory will not proceed with the client-to-server ticket exchange unless the server machine is either in the same domain as the directory server or in a trusted domain. For example, if references a machine in the directory server's domain (or a domain it trusts), then the Kerberos ticket exchange proceeds. If is not in the same domain or a trusted domain of the directory server, then the exchange does not proceed, regardless of the site's URL.

Consult your Microsoft Active Directory documentation for more information.