A keytab is a file containing pairs of Kerberos principals and encrypted keys. A keytab file is created for applications that require single sign-on. Unified Access Gateway identity bridging uses a keytab file to authenticate to remote systems using Kerberos without entering a password.
When a user is authenticated into Unified Access Gateway from the identity provider, Unified Access Gateway requests a Kerberos ticket from the Kerberos Domain Controller to authenticate the user.
Unified Access Gateway uses the keytab file to impersonate the user to authenticate to the internal Active Directory domain. Unified Access Gateway must have a domain user service account on the Active Directory domain. Unified Access Gateway is not directly joined to the domain.
You can also generate the keytab file using the command line. For example:
ktpass /princ HOST/[email protected] /ptype KRB5_NT_PRINCIPAL /pass * /out C:\Temp\kerberos.keytab /mapuser uagkerberos /crypto All
See the Microsoft documentation for detailed information about the ktpass command.
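As an added illustration, not part of this page or of the product, the following Python reads the MIT keytab binary format that ktpass writes (version 0x0502) and runs a few sanity checks before the file is uploaded; the sample keytab bytes, the realm EXAMPLE.COM and the host principal uag.example.com are constructed here.

```python
import struct
ENCTYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
def _counted(buf, off):
    (n,) = struct.unpack_from(">H", buf, off)      # uint16 length prefix, then the bytes
    return buf[off + 2:off + 2 + n].decode(), off + 2 + n
def parse_keytab(data):
    """Return one dict per entry of a version 0x0502 (MIT format) keytab, as ktpass writes."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, off = [], 2
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                   # a negative size marks a deleted slot; skip it
            off -= size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):         # e.g. ["HOST", "uag.example.com"]
            comp, off = _counted(data, off)
            comps.append(comp)
        name_type, _ts, vno8, enctype, klen = struct.unpack_from(">IIBHH", data, off)
        off += 13 + klen               # skip the fixed fields and the key bytes themselves
        # an optional 32-bit kvno follows the key; otherwise the 8-bit field is authoritative
        (kvno,) = struct.unpack_from(">I", data, off) if end - off >= 4 else (vno8,)
        off = end
        entries.append({"principal": "/".join(comps) + "@" + realm, "name_type": name_type,
                        "kvno": kvno, "enctype": ENCTYPES.get(enctype, str(enctype)), "key_len": klen})
    return entries
def check_keytab(entries):
    """Pre-upload checks: exactly one principal, and not an RC4-only keytab."""
    problems = []
    if len({e["principal"] for e in entries}) != 1:
        problems.append("keytab should contain exactly one principal")
    if entries and all(e["enctype"] == "arcfour-hmac" for e in entries):
        problems.append("only RC4 keys present; AES entries are missing")
    return problems
def _build_entry(realm, comps, enctype, key, kvno=2):
    """Build one entry (name type 1 = KRB5_NT_PRINCIPAL) for the constructed sample below."""
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        body += struct.pack(">H", len(s.encode())) + s.encode()
    body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, enctype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample: AES-256 and RC4 entries for one host principal, as /crypto All would produce.
SAMPLE = b"\x05\x02" + _build_entry("EXAMPLE.COM", ["HOST", "uag.example.com"], 18, b"\x11" * 32) \
    + _build_entry("EXAMPLE.COM", ["HOST", "uag.example.com"], 23, b"\x22" * 16)
```

Running `check_keytab(parse_keytab(open("kerberos.keytab", "rb").read()))` on the real file lists the principals and encryption types it contains, which is otherwise hard to see in a binary file.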
Prerequisites
You must have access to the Kerberos keytab file to upload to Unified Access Gateway. The keytab file is a binary file. If possible, use SCP or another secure method to transfer the keytab between computers.