This functionality of merging keytabs is now built into Kantega Single Sign-On. Therefore this guide is only here for historical purposes. The information on the page is still relevant if you need to use ktutil to merge keytab files in other cases.
Kantega SSO can be used with keytab files containing any number of Kerberos keys.
This is useful when:
- You need to support more than one Active Directory domain, but the domains are not in a trust relationship
- You need to support more than one host name / SPN (some clients do not canonicalize CNAMES)
- You want to support more than one encryption type
Keys from individual keytab files must be merged into a single keytab file before they can be used.
If there is a trust relationship between your domains, please read Cross domain trust instead.
Merging keys using Kantega SSO
From version 2.8.0, Kantega SSO has built-in support for merging keytab files.
All you need to do is to select "Add to existing keytab" when uploading keytab files.
Merge keytab files using external tools
If you need to merge keytab files for use outside our add-on, here are two ways of doing it:
Merge using ktpass with the /in parameter
In the example below we want to enable Kerberos SSO for users in the two domains example.local and kerbauth.com
After creating the first keytab the keytab file is transferred to conf domain controller where a new key is produced and added to the keytab.
The output is a new keytab file with keys from both domains.
In both domains we need to create a separate user account (mapuser) for mapping the SPN.
When adding a principal to the Keytab, we use the first keytab as an -in argument creating a new keytab with both keys.
Step 1: Create the keytab for the domain to be merged (the second/third domain)
First, create a keytab file in the KERBAUTH.COM domain.
Step 2: Adding a principal to the keytab
After transferring the keytab file from a domain controller in the first domain, the ktpass command is run with the keytab file from the other domain as an -in parameter in the second domain. The result is a new keytab file with both keys.
Merge using ktutil Linux/Unix command line tool
ktutil is a linux command most commonly found in the krb5-workstation package. The advantages of using ktutil is that instead of adding SPN to an existing keytab file, it can be used to merge two Keytabs without increasing the version number of the SPN.
It also supports updating the Keytab file with multiple versions of an SPN, which can be useful in cases where multiple versions of the same SPN must coexist, like when changing encryption types.
Merge two or more keys to one keytab file
In the below example we have two keys: issues.example.com.keytab and issues-KERBAUTH.keytab
- We use ktutil to read both keys (read_kt)
- We output the keyts to a single file (write_kt)
- The output is one merged file: merged_keytab_file.keytab
After uploading the latest generated keytab file, SSO should work on issues.example.com for users in both domains.
|The user betty Blue from the domain KERBAUTH.COM is able to SSO into issues.example.com||The user Mark Miller from the domain EXAMPLE.LOCAL is able to SSO into issues.example.com|