Page tree
Skip to end of metadata
Go to start of metadata

Background

Kantega SSO can be used with keytab files containing any number of Kerberos keys.

This is useful when:

  • You need to support more than one Active Directory domain, but the domains are not in a trust relationship
  • You need to support more than one host name / SPN (some clients do not canonicalize CNAMES) 
  • You want to support more than one encryption type


Keys from individual keytab files must be merged into a single keytab file before they can be used.

If there is a trust relationship between your domains, please read Cross domain trust instead.

Merging keys using Kantega SSO

From version 2.8.0, Kantega SSO has built-in support for merging keytab files.

All you need to do is to select "Add to existing keytab" when uploading keytab files.


Merge keytab files using external tools

If you need to merge keytab files for use outside our add-on, here are two ways of doing it: 

Merge using ktpass with the /in parameter

In the example below we want to enable Kerberos SSO for users in the two domains example.local and kerbauth.com

After creating the first keytab the keytab file is transferred to conf domain controller where a new key is produced and added to the keytab.

The output is a new keytab file with keys from both domains.

In both domains we need to create a separate user account (mapuser) for mapping the SPN.

When adding a principal to the Keytab, we use the first keytab as an -in argument creating a new keytab with both keys. 

Step 1: Create the keytab for the domain to be merged (the second/third domain)

First, create a keytab file in the KERBAUTH.COM domain.

ktpass /out c:\issues-KERBAUTH.keytab /mapuser KERBAUTH\svc-jira-sso /princ HTTP/issues.example.com@KERBAUTH.COM /pass * /ptype KRB5_NT_PRINCIPAL

 Step 2: Adding a principal to the keytab


After transferring the keytab file from a domain controller in the first domain, the ktpass command is run with the keytab file from the other domain as an -in parameter in the second domain. The result is a new keytab file with both keys.

ktpass /out EXAMPLE-merged-with-KERBAUTH.keytab /mapuser EXAMPLE\svc-jira-sso /princ HTTP/issues.example.com@EXAMPLE.LOCAL /pass * /ptype KRB5_NT_PRINCIPAL /in c:\issues-KERBAUTH.keytab

 


Merge using ktutil Linux/Unix command line tool

ktutil is a linux command most commonly found in the krb5-workstation package. The advantages of using ktutil is that instead of adding SPN to an existing keytab file, it can be used to merge two Keytabs without increasing the version number of the SPN.

It also supports updating the Keytab file with multiple versions of an SPN, which can be useful in cases where multiple versions of the same SPN must coexist, like when changing encryption types.

 

Merge two or more keys to one keytab file

In the below example we have two keys: issues.example.com.keytab and issues-KERBAUTH.keytab

  • We use ktutil to read both keys (read_kt)
  • We output the keyts to a single file (write_kt)
  • The output is one merged file: merged_keytab_file.keytab



After uploading the latest generated keytab file, SSO should work on issues.example.com for users in both domains.  

KERBAUTH.COMEXAMPLE.LOCAL

The user betty Blue from the domain KERBAUTH.COM is able to SSO into issues.example.comThe user Mark Miller from the domain EXAMPLE.LOCAL is able to SSO into issues.example.com

 






  • No labels