6.6.3. Create Keytab

Important

If a recorder is already configured with a keytab, generating a new keytab for the same recorder will invalidate the previous one and cause all Active Directory logins to fail until the newly generated keytab is imported and the recorder is restarted.

The keytab is used to authenticate the HTTP and POSTGRES service accounts with the Active Directory domain.

The keytab file must typically be generated on a domain controller and is then imported into the recorder.

Open an elevated PowerShell prompt and run the script below, replacing the four variables with the values for your environment.

The ktpass command is case-sensitive: the script below converts the FQDN to lowercase and the Kerberos realm to uppercase.

PowerShell
# Replace these variables
$recorderUser = "NLRecorder"
$recorderPassword = "1qazXSW2!@"
$fullDomain = "contoso.net"
$outputLocation = "C:\" # An existing directory path ending with "\"

# DO NOT edit these variables
$recorderFQDN = "$($recorderUser.ToLower()).$($fullDomain.ToLower())"
$kerberosRealm = "$($fullDomain.ToUpper())"

# Creates the initial keytab for the HTTP SPN
Ktpass -out "$($outputLocation)NexLog_initial.keytab" `
       -princ HTTP/$recorderFQDN@$kerberosRealm `
       -mapUser "$($fullDomain.Split(".",2)[0])\$recorderUser" `
       -mapOp set `
       -pass $recorderPassword `
       -crypto AES256-SHA1 `
       -pType KRB5_NT_PRINCIPAL

# Adds the POSTGRES SPN to the HTTP keytab
Ktpass -in "$($outputLocation)NexLog_initial.keytab" `
       -out "$($outputLocation)NexLog_final.keytab" `
       -princ POSTGRES/$recorderFQDN@$kerberosRealm `
       -mapUser "$($fullDomain.Split(".",2)[0])\$recorderUser" `
       -mapOp add `
       -setUpn `
       -setPass `
       -pass $recorderPassword `
       -crypto AES256-SHA1 `
       -pType KRB5_NT_PRINCIPAL

The script creates two keytab files. The second one (named NexLog_final.keytab in the script) holds both the HTTP and the POSTGRES SPN and is the one that is uploaded to the recorder.
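Before importing the file, it is worth confirming that NexLog_final.keytab really contains an AES256 key (Kerberos enctype 18) for both the HTTP and the POSTGRES principal, since a missing entry only shows up later as failed logins. The script below is an added example, not part of the NexLog documentation or product: it parses the standard keytab file layout that ktpass writes and reports any SPN that lacks an AES256 key. The sample keytab bytes, the FQDN nlrecorder.contoso.net, the realm CONTOSO.NET and the placeholder key are constructed for the example.

```python
import struct
# MIT keytab layout (magic 0x0502), which ktpass also writes.
AES256 = 18  # aes256-cts-hmac-sha1-96, the key type "-crypto AES256-SHA1" produces

def _counted(buf, off):  # 16-bit length-prefixed octet string -> (bytes, next offset)
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Return one dict per entry: principal, kvno, etype and key length."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    off, entries = 2, []
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        (etype,) = struct.unpack_from(">H", data, off + 9)
        key, off = _counted(data, off + 11)
        # An optional trailing 32-bit kvno supersedes the 8-bit field.
        vno = struct.unpack_from(">I", data, off)[0] if end - off >= 4 else vno8
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": vno, "etype": etype, "keylen": len(key)})
        off = end
    return entries

def missing_spns(data, recorder_fqdn, realm):
    """SPNs the recorder needs that have no AES256 key in this keytab."""
    have = {e["principal"] for e in parse_keytab(data) if e["etype"] == AES256}
    want = {f"{svc}/{recorder_fqdn}@{realm}" for svc in ("HTTP", "POSTGRES")}
    return sorted(want - have)

def _entry(service, fqdn, realm, key, kvno=3):
    """Encode one KRB5_NT_PRINCIPAL entry; used only to build the sample."""
    body = struct.pack(">HH", 2, len(realm)) + realm.encode()
    body += b"".join(struct.pack(">H", len(c)) + c.encode() for c in (service, fqdn))
    body += struct.pack(">IIBHH", 1, 0, kvno, AES256, len(key)) + key
    return struct.pack(">i", len(body)) + body

# Constructed sample (placeholder key) mirroring the script's two output files.
FQDN, REALM = "nlrecorder.contoso.net", "CONTOSO.NET"
SAMPLE_INITIAL = b"\x05\x02" + _entry("HTTP", FQDN, REALM, b"\x11" * 32)
SAMPLE_FINAL = SAMPLE_INITIAL + _entry("POSTGRES", FQDN, REALM, b"\x11" * 32)
```

Against a real file, call `missing_spns(open(r"C:\NexLog_final.keytab", "rb").read(), "nlrecorder.contoso.net", "CONTOSO.NET")` with your own path, FQDN and realm; an empty list means both SPNs are present with AES256 keys, while the initial keytab reports the POSTGRES SPN as missing.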