Verifying a keytab file
Use this procedure to verify that the keytab file you have generated can be used to authenticate. This procedure is not essential, but BMC recommends performing this step to confirm that you have successfully set up authentication based on AD/Kerberos.
To verify a keytab file
- Copy the blappserv_krb5.conf file you set up for the Authentication Server to one of the following locations:
- (Windows): <WINDIR>\krb5.ini
<WINDIR> is typically the Windows directory.
- (Solaris): /etc/krb5/krb5.conf
- (All UNIX platforms except Solaris): /etc/krb5.conf
For more information about the blappserv_krb5.conf file, see Creating the blappserv_krb5.conf file (AD Kerberos).
- Identify the service account name from the keytab file by entering one of the following:
- (Windows): <installDirectory>\jre\bin\klist -k -t <keytabFile>
- (UNIX): <utilityPath>/klist -k -t <keytabFile>
In this command, <utilityPath> is the path to the klist utility. If klist is not installed on a UNIX system, you must first obtain it; Kerberos utilities, including klist, are available from many online sources.
The variable <keytabFile> identifies the location of the keytab file you generated. Typically, <keytabFile> points to a file in <installDirectory>/br. For example, if TrueSight Server Automation is installed in the default location, the keytab file for Windows would be
C:\Program Files\BMC Software\BladeLogic\NSH\br\blauthsvc.keytab
Running the klist command generates output that identifies the service principal. For example, if you used the example names shown in Sample domain structure, this command might identify a service principal called blauthsvc/app4@SUB2.DEV.MYCOMPANY.COM.
- Using the results of the previous step, authenticate to Active Directory by entering one of the following:
- (Windows): <installDirectory>\jre\bin\kinit -k -t <keytabFile> <servicePrincipal>
- (UNIX): <utilityPath>/kinit -k -t <keytabFile> <servicePrincipal>
In this command, <utilityPath> is the path to the kinit utility. If kinit is not installed on a UNIX system, you must first obtain it.
The variable <keytabFile> identifies the location of the keytab file, and <servicePrincipal> is the service principal identified in the previous step.
If this command completes without error, the keytab can be used to authenticate with AD/Kerberos. If the command does not succeed, verify that the default_realm you set in blappserv_krb5.conf is correct.
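The two UNIX steps above (klist to read the service principal from the keytab, then kinit with that principal) collected into one script, as an added example that is not BMC's own code. The klist output sample is constructed, the /opt/bmc install path in it is an assumption, and the principal parser assumes klist prints the principal as the last field of a line (true for MIT klist and the JRE klist).

```bash
#!/bin/sh
# Added example, not part of the BMC documentation.
# Assumes MIT or JRE klist/kinit reachable via the directory given as $2
# (or on PATH when $2 is omitted).

# Print each distinct principal (user/instance@REALM) found in klist -k -t
# output read from stdin.
principals_from_klist() {
    awk '{ p = $NF
           if (p ~ /^[^[:space:]]+\/[^[:space:]]+@[^[:space:]]+$/) print p }' | sort -u
}

# verify_keytab <keytabFile> [<utilityPath>]
# Return 0 when kinit obtains a ticket with the keytab, non-zero otherwise.
verify_keytab() {
    keytab=$1
    bindir=${2:-}
    if [ -n "$bindir" ]; then bindir="${bindir%/}/"; fi
    if [ ! -r "$keytab" ]; then
        echo "keytab not readable: $keytab" >&2
        return 2
    fi
    princ=$("${bindir}klist" -k -t "$keytab" | principals_from_klist | head -n 1)
    if [ -z "$princ" ]; then
        echo "no service principal found in $keytab" >&2
        return 3
    fi
    echo "service principal: $princ"
    if "${bindir}kinit" -k -t "$keytab" "$princ"; then
        echo "kinit succeeded: the keytab authenticates to AD/Kerberos"
    else
        echo "kinit failed: check default_realm in blappserv_krb5.conf" >&2
        return 4
    fi
}

# Constructed sample of MIT klist -k -t output (install path assumed), so the
# parsing step can be exercised without a KDC.
SAMPLE_KLIST_OUTPUT='Keytab name: FILE:/opt/bmc/bladelogic/NSH/br/blauthsvc.keytab
KVNO Timestamp           Principal
---- ------------------- -------------------------------------------------------
   3 01/15/2024 10:12:33 blauthsvc/app4@SUB2.DEV.MYCOMPANY.COM
   3 01/15/2024 10:12:33 blauthsvc/app4@SUB2.DEV.MYCOMPANY.COM'

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_KLIST_OUTPUT" | principals_from_klist
fi
```

Run as `sh verify_keytab.sh --demo` to see the parsed principal, or source it and call `verify_keytab <keytabFile> <utilityPath>` against a real keytab.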