Kerberos Keytab

Overview

The Kerberos Keytab file contains mappings between Kerberos Principal names and DES-encrypted keys that are derived from the password used to log in to the Kerberos KDC (Key Distribution Center). The purpose of the Keytab file is to allow the user to access distinct Kerberos Services without being prompted for a password at each Service. Furthermore, it allows scripts and daemons to log in to Kerberos Services without the need to store clear-text passwords or for human intervention.

It is important to note that anyone with read access to the Keytab file will have full control of all keys contained within the file. For that reason it is imperative that the Keytab file is protected using very strict file-based access control.

The Keytab Entry dialog, which is available from the Secret Key section on both the Kerberos Client and Kerberos Service screens after clicking the Add Principal button, is essentially a graphical interface to entries in a Kerberos Keytab file.

This dialog allows you to generate keytab entries. Entries may be removed from the Keytab file by clicking the Delete Entry button on the Kerberos Client and Kerberos Service screens. You can configure Kerberos Clients and Kerberos Services on the External Connections tab in the Policy Studio.

Each key entry in the file is identified by a Kerberos Principal and an encryption type. For this reason, the Keytab file may hold multiple keys for the same principal where each key has a different encryption type. It may also contain keys for several different Principals.

In cases where the Keytab file contains encryption keys for different Principals, at run-time the Kerberos Client or Service will only consider keys mapped to the Principal name selected in the Kerberos Principal dropdown on their respective screens.

If the Keytab file contains several keys for the Principal, the Kerberos Client or Service will use the key with the strongest encryption type that was agreed with the Kerberos Key Distribution Center (KDC) during the negotiation of the previous messages.

Configuration

Configure the following fields on the Keytab Entry dialog:

Kerberos Principal:
Select an existing Kerberos Principal from the dropdown or add a new one by clicking on the Add buttons. You can configure Kerberos Principals globally on the External Connections tab in the Policy Studio. For more information on configuring Kerberos Principals, see the Kerberos Principals topic.

Password:
The password entered here is used to seed the encryption algorithm(s) selected below.

Encryption Types:
The encryption types selected here determine the algorithms used to generate the encryption keys that will be stored in the Keytab file. In cases where the Keytab file contains multiple keys for the Principal, the encryption type is used to select an appropriate encryption key.

To ensure maximum interoperability between Kerberos Clients/Services configured within the Enterprise Gateway and different types of KDC, all encryption types are selected by default. With this configuration, the generated Keytab file will contain a separate encryption key for each encryption type listed here where each key is mapped to the Principal name selected above.

It is important to ensure that the encryption types required by the settings in krb5.conf actually exist in the Keytab. In order for a Kerberos Client to request a Ticket Granting Ticket, it must have at least one key that matches one of the encryption types listed in the "default_tkt_enctypes" setting in the krb5.conf file. A Kerberos Service will require a key of a certain encryption type to be able to decrypt the service ticket presented by a client.
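The check described above can be automated by reading the Keytab and comparing the encryption types it holds for a Principal against the "default_tkt_enctypes" list from krb5.conf. The following is an added example, not code from the Enterprise Gateway; it parses the MIT keytab file format (version 0x0502) and uses a constructed sample Keytab for the assumed Principal HTTP/gateway.example.com@EXAMPLE.COM with two entries (aes256-cts-hmac-sha1-96 and rc4-hmac), so it runs offline.

```python
import struct

# Standard Kerberos enctype numbers (RFC 3961 / IANA) for the types this page mentions.
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

def _entry(realm, components, enctype, key, kvno=1, timestamp=0):
    """Build one MIT keytab v0x0502 entry (big-endian) for the constructed sample."""
    body = struct.pack(">H", len(components))
    for s in [realm] + components:            # realm first, then the name components
        b = s.encode()
        body += struct.pack(">H", len(b)) + b
    body += struct.pack(">IIB", 1, timestamp, kvno)   # name_type NT-PRINCIPAL, timestamp, vno8
    body += struct.pack(">HH", enctype, len(key)) + key
    return struct.pack(">i", len(body)) + body

# Constructed sample Keytab with dummy key bytes (assumption: not a real key or Principal).
PRINCIPAL = "HTTP/gateway.example.com@EXAMPLE.COM"
SAMPLE_KEYTAB = (b"\x05\x02"
                 + _entry("EXAMPLE.COM", ["HTTP", "gateway.example.com"], 18, b"\x11" * 32)
                 + _entry("EXAMPLE.COM", ["HTTP", "gateway.example.com"], 23, b"\x22" * 16))

def parse_keytab(data):
    """Return a list of (principal, enctype, kvno) tuples from a keytab blob."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab version 0x0502 is handled here")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos); pos += 4
        if size < 0:                          # negative size marks a deleted slot: skip it
            pos += -size; continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos); pos += 2
        parts = []
        for _ in range(ncomp + 1):            # realm plus ncomp name components
            (n,) = struct.unpack_from(">H", data, pos); pos += 2
            parts.append(data[pos:pos + n].decode()); pos += n
        realm, comps = parts[0], parts[1:]
        _name_type, _ts, vno8 = struct.unpack_from(">IIB", data, pos); pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos); pos += 4 + klen
        kvno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8
        entries.append(("/".join(comps) + "@" + realm, enctype, kvno))
        pos = end
    return entries

def check_enctypes(entries, principal, default_tkt_enctypes):
    """Enctypes held for `principal` that also appear in krb5.conf default_tkt_enctypes."""
    held = {ENCTYPE_NAMES.get(e, str(e)) for p, e, _ in entries if p == principal}
    return sorted(held & set(default_tkt_enctypes))
```

An empty result from check_enctypes means the Client cannot request a Ticket Granting Ticket with that Keytab under that krb5.conf, which is the misconfiguration the paragraph warns about.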

Note that, by default, for Windows 2003 Active Directory, the service ticket is encrypted using the rc4-hmac encryption type. However, if the service user has the "Use DES encryption types for this account" option enabled, the des-cbc-md5 encryption type is used.