Exporting and copying the keytab file
The Authentication Server needs a keytab file so it can connect to the Active Directory server via the LDAP protocol and validate a user when refreshing session credentials. This topic describes how to export and copy a keytab file from the Active Directory server.
You must provide the keytab file to the administrator of the Authentication Server for reports.
To export and copy the keytab file
- Use the ktpass command-line utility to export the keytab file as follows. Run this utility in a directory suitable for writing a file with sensitive data. Do one of the following steps:
In a Microsoft Windows Server 2003 environment, enter the following command:
ktpass -out blauthsvc.keytab
-princ blauthsvc/<instance>@<DOMAIN>
-mapuser blauthsvc@<DOMAIN> +rndPass -minPass 33
-ptype KRB5_NT_PRINCIPAL -crypto DES-CBC-MD5
<instance> is the instance of the Authentication Server for reports (typically a host name) and <DOMAIN> is the domain where the Authentication Server is running. (This realm or domain appeared next to the User logon name when you created the blauthsvc user.) For example:
ktpass -out blauthsvc.keytab
-princ blauthsvc/app4@SUB2.DEV.MYCOMPANY.COM
-mapuser blauthsvc@SUB2.DEV.MYCOMPANY.COM +rndPass -minPass 33
-ptype KRB5_NT_PRINCIPAL -crypto DES-CBC-MD5
In a Windows Server 2000 environment, enter the following command:
ktpass -out blauthsvc.keytab
-princ blauthsvc/<instance>@<DOMAIN>
-mapuser blauthsvc -pass * -ptype KRB5_NT_PRINCIPAL
-crypto DES-CBC-MD5 -kvno 1
- Provide the following information to the administrator of the Authentication Server:
- The newly created blauthsvc.keytab file. The blauthsvc.keytab file contains key material, so transfer it between systems with care. The Authentication Service needs this keytab to allow users to authenticate.
- The SPN used in the keytab file. For example:
blauthsvc/app4
- The name of the domain (that is, the Kerberos realm) for the Authentication Server. For example:
SUB2.DEV.MYCOMPANY.COM
- Do one of the following steps:
- On UNIX, copy the file to the /br directory.
For example, if BMC Decision Support for Server Automation is installed in the default location, you would copy the file to the /usr/local/bmc/BDSSA/br directory.
- On Microsoft Windows, copy the file to the \br directory.
For example, if BMC Decision Support for Server Automation is installed in the default location, you would copy the file to the C:\Program Files\BMC Software\BDSSA\br directory.
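After the copy, the administrator of the Authentication Server can confirm that the file holds the SPN, realm and encryption type that were communicated, without ever displaying the key. The following Python check is an added example, not part of the product documentation. It assumes the file uses the MIT keytab layout, version 0x0502, and its sample entry (built from the example SPN above with a dummy key) is constructed for illustration.

```python
import struct

# Kerberos enctype numbers (IANA registry); single-DES types are deprecated by RFC 6649.
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

def parse_keytab(data):
    """Return principal, kvno and enctype for each entry of a version 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0 or pos + abs(size) > len(data):
            raise ValueError("corrupt or truncated entry")
        if size > 0:                      # a negative length marks a deleted entry
            entries.append(_entry(data[pos:pos + size]))
        pos += abs(size)
    return entries

def _entry(buf):
    off = 0
    def take(fmt):                        # read one big-endian field and advance
        nonlocal off
        (val,) = struct.unpack_from(fmt, buf, off)
        off += struct.calcsize(fmt)
        return val
    def text():                           # string with a 16-bit length prefix
        nonlocal off
        n = take(">H")
        off += n
        return buf[off - n:off].decode()
    ncomp, realm = take(">H"), text()
    name = "/".join([text() for _ in range(ncomp)])
    take(">I"); take(">I")                # name type and timestamp, unused here
    kvno, enctype, keylen = take(">B"), take(">H"), take(">H")
    off += keylen                         # skip the key bytes; they are never printed
    if len(buf) - off >= 4:               # optional 32-bit kvno, used when non-zero
        kvno = take(">I") or kvno
    return {"principal": f"{name}@{realm}", "kvno": kvno,
            "enctype": ENCTYPES.get(enctype, str(enctype)), "weak": enctype in (1, 2, 3)}

def sample_keytab():
    """Constructed entry for the page's example SPN with a dummy all-zero key."""
    s = lambda v: struct.pack(">H", len(v)) + v
    body = (struct.pack(">H", 2) + s(b"SUB2.DEV.MYCOMPANY.COM") + s(b"blauthsvc")
            + s(b"app4") + struct.pack(">IIBH", 1, 0, 1, 3) + s(bytes(8)))
    return b"\x05\x02" + struct.pack(">i", len(body)) + body
```

To check a real file, pass `open(path, "rb").read()` to `parse_keytab` and compare the reported principal with the SPN and realm received from the Active Directory administrator.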