Reputation: 3
Do we require a keytab entry for all AD users for kerberos based authentication?
I have a web application deployed on jboss. As of now we have implemented NTLMHttpFilter provided by https://www.jcifs.org/. As this java filter supports only NTLMV1, now i need to update my authentication to kerberos based authentication to support kerberos using spnego, but i still not sure, do i have to generate a keytab file for all existing application user. if yes how do i update keytab password every time when user update its windows password? Also Please let me know the keytab location for Service account and user account ?My intention here is providing a promptless sso feature using integrated windows authentication.
Upvotes: 0
Views: 321
Answers (1)
Reputation: 2744
You only need a keytab file for the service account of your application, not for every user. The user requests a service ticket for the application from the KDC.
Upvotes: 0
Related Questions
- Is the ktpass command disable password authentication
- Is it safe to place a keytab on a external server
- Windows AD and Its Key tab File
- If a Kerberos keytab has multiple entries, how keep wrong person from using an entry?
- Creating a keytab to use with kinit in Windows
- What goes on when using kinit with a keytab file
- Understanding Kerberos principals
- Is an SPN required when using Kerberos with DCOM?
- Kerberos - SPN and keytabs
- Why does the Server need access to Kerberos?