Generate a Kerberos Keytab File

To use the CA API Gateway in a Windows Domain Login configuration, you must generate and install a Kerberos keytab file.
Notes:
  1. Refer to the diagram in Configure the Gateway for Kerberos Token-Based Authentication to see where this task fits within the configuration workflow.
  2. Ensure that any user who requires access to the Windows service has a domain account.
  3. Due to a limitation in the parser, always use a lowercase 'http' for the service part of the principal name, as shown in the code samples below.
Step 1: Generate a Keytab File
  1. Log in to the domain controller or to another server that is joined to the domain. Ensure that the ktpass utility is available (it is part of the Windows Resource Kit Tools on older systems).
  2. Open a command prompt (run as Administrator if necessary).
  3. Run the following command to create a principal for the Windows service, map it to a domain user account, and write the keytab file:
     ktpass -princ http/<Gateway_Cluster_Hostname>@DOMAIN.COM -mapuser <user_Name> -pass <user_Password> -out <keytab_Name>
     Example:
     ktpass -princ http/gateway.domain.com@DOMAIN.COM -mapuser jsmith -pass $longpassword! -out kerberos.keytab
     Note: ktpass sets the supplied password on the mapped account. To avoid leaving the password in the command history, use -pass * to be prompted for it instead.
  4. Copy the keytab file to your local computer. The keytab contains the service account's long-term key, so transfer and store it as you would any other secret.
Step 2: Install the Keytab File
  1. Install the keytab file that you generated earlier using the Load Keytab button.
  2. Validate the keytab file using the Validate Keytab button. You should see something similar to the following in the Kerberos Configuration dialog:
    KDC:     10.0.0.1
    Realm:   EXAMPLE.CO
    Valid:   Yes
    Summary: Authentication successful
    If you do not see "Authentication successful", consult "Troubleshooting Keytab Issues" below for suggestions.
Troubleshooting Keytab Issues
The following are some common issues that you may encounter when installing your keytab file.
Issue:
Hostname resolution
Solution:
Ensure that the DNS entry for the Gateway Cluster hostname is configured for both forward and reverse DNS lookup.
Issue:
Hostname mismatch
Solution:
Ensure that the service principal name in the keytab (http/<Gateway_Cluster_Hostname>@DOMAIN.COM) matches the service name for which the client requested its Kerberos ticket.
Issue:
Time skew
Solution:
As with all token-based authentication, consistent time between the various entities in the infrastructure is critical for validation. Ensure that the Gateway cluster uses a time server, and that this time server is synchronized with the Active Directory environment.
Issue:
Incorrect encryption level
Solution:
Older versions of the ktpass command do not generate keytab files with RC4-HMAC encryption; they use DES-CBC-MD5 instead. Download the latest ktpass command from Microsoft, and specify the encryption type explicitly with the -crypto option (for example, -crypto RC4-HMAC-NT) so that the keytab does not depend on the tool's default.
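The following is an added example, not part of the original page or of the CA API Gateway product, that inspects a keytab offline and applies the checks from Step 1 and the troubleshooting list above: it parses the MIT keytab layout that ktpass writes (assumed here to be version 0x0502), confirms that the principal uses a lowercase http service part with the expected cluster hostname and realm, and flags DES encryption types. The sample keytabs are constructed inside the script with placeholder keys; build_keytab, parse_keytab and check_keytab are names chosen for this example.

```python
import struct
import sys

# Kerberos encryption type numbers (IANA Kerberos Parameters registry).
ENCTYPES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}
# Types that older ktpass versions emit by default and that should not be used.
WEAK_ENCTYPES = {1, 3}


def _counted(data: bytes) -> bytes:
    """Keytab counted_octet_string: 16-bit big-endian length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def build_keytab(principal: str, enctype: int, key: bytes, kvno: int = 1, timestamp: int = 0) -> bytes:
    """Serialise a one-entry keytab in MIT version 0x0502 layout (assumed to match ktpass output).
    Used here only to construct sample input; a real keytab comes from ktpass."""
    name, realm = principal.rsplit("@", 1)
    components = name.split("/")
    body = struct.pack(">H", len(components)) + _counted(realm.encode())
    for component in components:
        body += _counted(component.encode())
    # name_type 1 = KRB5_NT_PRINCIPAL, then timestamp and the 8-bit kvno field
    body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key       # keyblock
    body += struct.pack(">I", kvno)                           # optional 32-bit kvno trailer
    return b"\x05\x02" + struct.pack(">i", len(body)) + body


def parse_keytab(data: bytes) -> list:
    """Return one dict per entry: principal, enctype, kvno, key."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries = []
    off = 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:                    # negative size marks a deleted slot; skip it
            off += -size
            continue
        end = off + size
        pos = off
        ncomp, rlen = struct.unpack_from(">HH", data, pos)
        pos += 4
        realm = data[pos:pos + rlen].decode()
        pos += rlen
        components = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, pos)
            pos += 2
            components.append(data[pos:pos + clen].decode())
            pos += clen
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + klen]
        pos += klen
        kvno = vno8
        if end - pos >= 4:               # 32-bit kvno present; it overrides the 8-bit field
            (kvno,) = struct.unpack_from(">I", data, pos)
        entries.append({"principal": "/".join(components) + "@" + realm,
                        "enctype": enctype, "kvno": kvno, "key": key})
        off = end
    return entries


def check_keytab(data: bytes, expected_host: str, expected_realm: str) -> list:
    """Apply the page's checks; returns a list of problem strings (empty means OK)."""
    expected = f"http/{expected_host.lower()}@{expected_realm.upper()}"
    problems = []
    entries = parse_keytab(data)
    if not entries:
        problems.append("keytab contains no entries")
    for entry in entries:
        principal = entry["principal"]
        service = principal.partition("/")[0]
        if service != "http":                       # parser limitation: must be lowercase http
            problems.append(f"{principal}: service part must be lowercase 'http'")
        elif principal != expected:                 # hostname / realm mismatch
            problems.append(f"{principal}: does not match expected {expected}")
        if entry["enctype"] in WEAK_ENCTYPES:       # incorrect encryption level
            name = ENCTYPES.get(entry["enctype"], str(entry["enctype"]))
            problems.append(f"{principal}: weak enctype {name}; regenerate with -crypto RC4-HMAC-NT or AES")
    return problems


# Constructed sample keytabs with placeholder keys (not derived from any real password).
GOOD_KEYTAB = build_keytab("http/gateway.domain.com@DOMAIN.COM", 23, bytes(range(16)), kvno=3)
UPPERCASE_HTTP = build_keytab("HTTP/gateway.domain.com@DOMAIN.COM", 23, bytes(range(16)))
DES_KEYTAB = build_keytab("http/gateway.domain.com@DOMAIN.COM", 3, bytes(8))

if __name__ == "__main__":
    # Usage: python keytab_check.py kerberos.keytab gateway.domain.com DOMAIN.COM
    if len(sys.argv) == 4:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
        host, realm = sys.argv[2], sys.argv[3]
    else:
        data, host, realm = GOOD_KEYTAB, "gateway.domain.com", "DOMAIN.COM"
    for entry in parse_keytab(data):
        print(entry["principal"], ENCTYPES.get(entry["enctype"], entry["enctype"]), "kvno", entry["kvno"])
    for problem in check_keytab(data, host, realm):
        print("PROBLEM:", problem)
```

Run it against the keytab copied from the domain controller before loading it into the Gateway; an empty problem list corresponds to the "Authentication successful" case, while a reported uppercase service part, hostname mismatch or DES enctype points at the matching troubleshooting entry above. The script only reads the file; the key material it prints nothing about, and the keytab should still be handled as a secret.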