A keytab is a file containing pairs of Kerberos principals and encrypted keys. A keytab file is created for applications that require single sign-on. Unified Access Gateway identity bridging uses a keytab file to authenticate to remote systems using Kerberos without entering a password.

When a user is authenticated into Unified Access Gateway from the identity provider, Unified Access Gateway requests a Kerberos ticket from the Kerberos Domain Controller to authenticate the user.

Unified Access Gateway uses the keytab file to impersonate the user to authenticate to the internal Active Directory domain. Unified Access Gateway must have a domain user service account on the Active Directory domain. Unified Access Gateway is not directly joined to the domain.
Note: If the admin regenerates the keytab file for a service account, the keytab file must be uploaded again into Unified Access Gateway.

You can also generate the keytab file using the command-line. For example:

ktpass /princ HOST/[email protected] /ptype KRB5_NT_PRINCIPAL /pass * /out C:\Temp\kerberos.keytab /mapuser uagkerberos /crypto All

See the Microsoft documentation for detailed information about the ktpass command.

Prerequisites

You must have access to the Kerberos keytab file to upload to Unified Access Gateway. The keytab file is a binary file. If possible, use SCP or another secure method to transfer the keytab between computers.

Procedure

  1. In the Management Appliance Configuration Templates section, click Add.
  2. In the Identity Bridging Settings section, click Configure.
  3. In the Kerberos KeyTab Settings page, click Add New KeyTab.
  4. Enter a unique name as the identifier.
  5. (Optional) Enter the Kerberos principal name in the Principal Name text box.

    Each principal is always fully qualified with the name of the realm. The realm should be in uppercase.

    Ensure that the principal name entered here is the first principal found in the keytab file. If the same principal name is not in the keytab file that is uploaded, keytab upload fails.

  6. In the Select Keytab file text box, click Select and browse to the keytab file you saved. Click Open.
    If you did not enter the principal name, the first principal found in the keytab is used. You can merge multiple keytabs into one file.
  7. Click Save.