Generating Kerberos Keytab File - Dell iDRAC7 User Manual

The Network page is displayed.
2. Provide a valid Preferred/Alternate DNS Server IP address. This value is a valid DNS server IP address that is part of the root domain.
3. Select Register iDRAC on DNS.
4. Provide a valid DNS Domain Name.
5. Verify that the network DNS configuration matches the Active Directory DNS information.
For more information about the options, see the iDRAC7 Online Help.

Generating Kerberos Keytab File

To support SSO and smart card login authentication, iDRAC7 can be configured to act as a kerberized service on a Windows Kerberos network. The Kerberos configuration on iDRAC7 involves the same steps as configuring a non-Windows Server Kerberos service as a security principal in Windows Server Active Directory.
The ktpass tool (available from Microsoft as part of the server installation CD/DVD) is used to create the Service Principal Name (SPN) bindings to a user account and export the trust information into an MIT-style Kerberos keytab file, which enables a trust relation between an external user or system and the Key Distribution Centre (KDC). The keytab file contains a cryptographic key, which is used to encrypt the information between the server and the KDC. The ktpass tool allows UNIX-based services that support Kerberos authentication to use the interoperability features provided by a Windows Server Kerberos KDC service. For more information on the ktpass utility, see the Microsoft website at:
technet.microsoft.com/en-us/library/cc779157(WS.10).aspx
Before generating a keytab file, you must create an Active Directory user account for use with the -mapuser option of the ktpass command. This account must have the same name as the iDRAC7 DNS name to which you upload the generated keytab file.
To generate a keytab file using the ktpass tool:
1. Run the ktpass utility on the domain controller (Active Directory server) where you want to map iDRAC7 to a user account in Active Directory.
2. Use the following ktpass command to create the Kerberos keytab file:
C:\> ktpass.exe -princ HTTP/idrac7name.domainname.com@DOMAINNAME.COM -mapuser DOMAINNAME\username -mapOp set -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass [password] -out c:\krbkeytab
The encryption type is AES256-SHA1. The principal type is KRB5_NT_PRINCIPAL. The user account that the Service Principal Name is mapped to should have the Use AES 256 encryption types for this account property enabled.
NOTE: Use lowercase letters for the iDRAC7name and Service Principal Name. Use uppercase letters for the domain name as shown in the example.
3. Run the following command:
C:\> setspn -a HTTP/iDRAC7name.domainname.com username
A keytab file is generated.
NOTE: If you find any issues with the iDRAC7 user for which the keytab file is created, create a new user and a new keytab file. If the keytab file that was initially created is executed again, it does not configure correctly.
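
The following Python check is an added example, not part of the Dell manual or of ktpass: it parses the keytab written in step 2 and reports entries that do not match the options used above (SPN in lowercase with the realm in uppercase, AES256-SHA1, KRB5_NT_PRINCIPAL). It assumes the version 0x0502 keytab layout documented by MIT Kerberos; the function names and the all-zero-key sample input are constructed for illustration.

```python
import struct

AES256_CTS_HMAC_SHA1_96, KRB5_NT_PRINCIPAL = 18, 1  # numbers behind -crypto AES256-SHA1, -ptype KRB5_NT_PRINCIPAL

def parse_keytab(data):
    """Parse a version 0x0502 MIT keytab (assumed layout); key bytes are never returned."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                 # a negative size marks a deleted slot; skip it
            pos += -size
            continue
        end, p = pos + size, pos
        if end > len(data):
            raise ValueError("truncated keytab entry")
        def counted():                # 16-bit length, then that many bytes
            nonlocal p
            (n,) = struct.unpack_from(">H", data, p)
            p += 2 + n
            return data[p - n:p]
        (ncomp,) = struct.unpack_from(">H", data, p)
        p += 2
        realm = counted().decode()
        name = "/".join(counted().decode() for _ in range(ncomp))
        name_type, _time, kvno, enctype = struct.unpack_from(">IIBH", data, p)
        p += 11
        key_len = len(counted())
        if end - p >= 4:              # optional 32-bit kvno replaces the 8-bit one
            (kvno,) = struct.unpack_from(">I", data, p)
        entries.append({"principal": f"{name}@{realm}", "name_type": name_type,
                        "kvno": kvno, "enctype": enctype, "key_len": key_len})
        pos = end
    return entries

def check_for_idrac(entries, fqdn, realm):  # returns a list of problems, empty if none
    want = f"HTTP/{fqdn.lower()}@{realm.upper()}"
    bad = [] if any(e["principal"] == want for e in entries) else [f"missing {want}"]
    for e in entries:
        if (e["enctype"], e["name_type"]) != (AES256_CTS_HMAC_SHA1_96, KRB5_NT_PRINCIPAL):
            bad.append(f"{e['principal']}: enctype {e['enctype']}, name type {e['name_type']}")
    return bad

def sample_keytab(host, realm, enctype=18):  # constructed input with an all-zero key
    cs = lambda b: struct.pack(">H", len(b)) + b
    body = (b"\x00\x02" + cs(realm.encode()) + cs(b"HTTP") + cs(host.encode())
            + struct.pack(">IIBH", 1, 0, 3, enctype) + cs(bytes(32)))
    return b"\x05\x02" + struct.pack(">i", len(body)) + body
```

To check a real file, pass the bytes of the file written by -out (c:\krbkeytab in the command above) to parse_keytab and the result to check_for_idrac; an empty list means the entry matches. Because the keytab holds the account's key, handle the file with the same care as the account password.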