ktpass for kerberos user credentials

  • Posted on: 1 February 2008
  • By: markus.wilhelm

for SSO to your SAP systems with Kerberos you will ahve to create a keytab file where the user credentials are stored to. this is a small step by step guide how to do this.

ktpass -out sapsnc.keytab -princ sapsnc@yourdomain.com -pass yourPassword -kvno 3

This should be the output:

Key created.
Output keytab to sapsnc.keytab:
Keytab version: 0x502
keysize 49 sapsnc@yourdomain.com ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x3
DES-CBC-MD5) keylength 8 (0xab618a8a5ddadcda)

The kvno command is based on the kvno value you receive from kerberos command line plus one. So if you retrieve let's say the value 2, than you will have to set it to three (like in the above example). If you installed kerberos to /usr/krb/ you will find the binaries your need for this here:

/usr/krb5/bin/kvno sapsnc@yourdomain.com

You can find the ktpass executable int our download database

You wil have to import the keytab file into Kerberos, therefor you have to execute the ktutil from Kerberos as follows:

ktutil: rkt /home/SIDadm/sapsnc.keytab
ktutil: wkt /etc/krb5.keytab
ktutil: l (shows a list of Kerberos principals)
ktutil: q