Configure the following fields on the Keytab Entry
dialog:
Kerberos Principal:
Select an existing Kerberos Principal from the dropdown or add a new
one by clicking on the Add button. You can configure
Kerberos Principals globally on the External Connections
tab in the Policy Studio. For more information on configuring
Kerberos Principals, see the
Kerberos Principals topic.
Password:
The password entered here is used to seed the encryption algorithm(s)
selected below.
Encryption Types:
The encryption types selected here determine the algorithms used
to generate the encryption keys that will be stored in the Keytab file.
In cases where the Keytab file contains multiple keys for the Principal,
the encryption type is used to select an appropriate encryption key.
To ensure maximum interoperability between Kerberos Clients/Services
configured within the Enterprise Gateway and different types of KDC, all
encryption types are selected by default. With this configuration, the
generated Keytab file will contain a separate encryption key for each
encryption type listed here where each key is mapped to the Principal
name selected above.
It is important to ensure that the required encryption types exist in the
Keytab as defined by settings in the krb5.conf. In
order for a Kerberos Client to request a Ticket Granting Ticket, it must
have at least one key that matches one of the encryption types listed in
the "default_tkt_enctypes" setting in the krb5.conf
file. A Kerberos Service will require a key of a certain encryption type
to be able to decrypt the service ticket presented by a client.
Note that, by default, for Windows 2003 Active Directory, the service
ticket is encrypted using the rc4-hmac encryption
type. However, if the service user has the "Use DES encryption types
for this account" option enabled, the
des-cbc-md5 encryption type is used.
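The check described above, written out as an added example (it is not part of the Enterprise Gateway product or its documentation): it lists the encryption types each principal holds in a keytab and reports which of the "default_tkt_enctypes" entries in krb5.conf have a matching key. It assumes the standard MIT keytab layout (version 0x0502); the function names, the principal HTTP/gw.example.com@EXAMPLE.COM and the sample keytab and krb5.conf contents are constructed for illustration.

```python
import re
import struct

# Kerberos enctype numbers (IANA registry) for the names krb5.conf uses.
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
            17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
            23: "rc4-hmac"}

def keytab_enctypes(data):
    """Return {principal: set of enctype names} from MIT keytab (0x0502) bytes."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    found, pos = {}, 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                 # negative size marks a deleted entry (hole)
            pos += -size
            continue
        rec, off = data[pos:pos + size], 2
        pos += size
        (ncomp,) = struct.unpack_from(">H", rec, 0)
        parts = []
        for _ in range(ncomp + 1):    # realm first, then the name components
            (n,) = struct.unpack_from(">H", rec, off)
            parts.append(rec[off + 2:off + 2 + n].decode())
            off += 2 + n
        # skip name type (4), timestamp (4) and 8-bit key version (1)
        (etype,) = struct.unpack_from(">H", rec, off + 9)
        principal = "/".join(parts[1:]) + "@" + parts[0]
        found.setdefault(principal, set()).add(ENCTYPES.get(etype, str(etype)))
    return found

def usable_tkt_enctypes(krb5_conf, keytab, principal):
    """Enctypes listed in default_tkt_enctypes that the principal has a key for."""
    m = re.search(r"^\s*default_tkt_enctypes\s*=\s*(.+)$", krb5_conf, re.M)
    wanted = re.split(r"[\s,]+", m.group(1).strip()) if m else []
    have = keytab_enctypes(keytab).get(principal, set())
    return [e for e in wanted if e in have]

def _entry(realm, comps, etype, key):   # builds one constructed keytab record
    s = lambda b: struct.pack(">H", len(b)) + b
    body = struct.pack(">H", len(comps)) + s(realm) + b"".join(map(s, comps))
    body += struct.pack(">IIBH", 1, 0, 1, etype) + s(key)
    return struct.pack(">i", len(body)) + body

# Constructed sample: one service principal holding only an rc4-hmac key.
SAMPLE_KEYTAB = b"\x05\x02" + _entry(b"EXAMPLE.COM", [b"HTTP", b"gw.example.com"], 23, bytes(16))
SAMPLE_CONF = "[libdefaults]\n  default_tkt_enctypes = aes256-cts-hmac-sha1-96 des-cbc-md5\n"
```

An empty result from usable_tkt_enctypes, as with the constructed sample, means the keytab has no key for any encryption type that krb5.conf allows for a Ticket Granting Ticket request.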