Security Guide

10.4.1
- 10.5.5
- 10.5.4
- 10.5.3
- 10.5.2
- 10.5.1
- 10.5

Back Next

Generate the Keytab Files

Generate the keytab files used to authenticate Informatica users and services.

You use the Microsoft Windows Server ktpass utility to generate a keytab file for each user account you created in Active Directory. You must generate the keytab files on a member server or on a domain controller within the Active Directory domain. You cannot generate keytab files on a workstation operating system such as Microsoft Windows 7.

To use ktpass to generate a keytab file, run the following command:

ktpass.exe -out  <keytab filename> -princ <service principal name> -mapuser <user account> [-pass <user account password>] -crypto <key types> -ptype <principal type> [-target <realm name>]

The following table describes the command options:

Option	Description
-out	The file name of the Kerberos keytab file to generate as shown under the KEY_TAB_NAME column in the SPNKeytabFormat.txt file.
-princ	The service principal name displayed under the SPN column in the SPNKeytabFormat.txt file. If the domain uses Kerberos cross realm authentication, the service principal name must be unique across all Kerberos realms.
-mapuser	The Active Directory user account to associate with the SPN. The account name can be a maximum of 20 characters.
-pass	The password set in Active Directory for the Active Directory user account, if applicable.
-crypto	Specifies the key types generated in the keytab file. Set to all to use all supported cryptographic types.
-ptype	The principal type. Set to KRB5_NT_PRINCIPAL.
-target	The name of the realm to which the Active Directory server belongs. Include this option if the following error occurs when you run the utility: DsCrackNames returned 0x2 in the name