Differences

This shows you the differences between two versions of the page.

72:setup_directory [2018/11/30 12:18]
evt [Setup Active Directory]
72:setup_directory [2020/03/04 11:43] (current)
Thomas Weinlein [Setup Active Directory]
Line 13: Line 13:
  -out <​output-file>​  -out <​output-file>​
  ​-crypto rc4-hmac-nt  ​-crypto rc4-hmac-nt
 +
 </​code>​ </​code>​
  
-Now you have to securely transfer the keytab file to the Stages server.\\ +Note: The KERBEROS-REALM needs to be specified in upper case. The whole principal must exactly match the principal specified in the <font inherit/​Courier New,​Courier,​monospace;;​inherit;;​inherit>​jaas.conf</​font>​. 
-After exporting the keytab file, delegation has to be enabled on the trust account. Be aware that this can only be done after exporting the Kerberos key! Windows will not display this option, unless you have exported the key first. Select your trust account with the right mouse button and choose “Properties” from the context menu, click on the “Delegation” tab and check “Trust this user for delegation to any\\ + 
-service (Kerberos only)”.+Now you have to securely transfer the keytab file to the Stages server. 
 + 
 +=== Enable delegation === 
 + 
 +After exporting the keytab file, delegation has to be enabled on the trust account. Be aware that this can only be done after exporting the Kerberos key! Windows will not display this option, unless you have exported the key first. Select your trust account with the right mouse button and choose “Properties” from the context menu, click on the “Delegation” tab and check “Trust this user for delegation to any service (Kerberos only)”. 
 + 
 +=== To use a more secure encryption for the keytab file === 
 + 
 +Execute the ktpass command as above but with e.g. -crypto AES256-SHA1.\\ 
 +After exporting the keytab file, delegation has to be enabled as described above. Additionally Kerberos AES256 encryption has to be enabled for your trust account. Select your trust account with the right mouse button and choose “Properties” from the context menu, click on the “Account” tab and check “This account supports Kerberos AES 256 bit encryption”.
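
Review bot: In the added section "To use a more secure encryption for the keytab file", AES256-SHA1 appears only as an optional variant ("e.g. -crypto AES256-SHA1"), while the command block kept at the top of the hunk still shows -crypto rc4-hmac-nt. Consider putting -crypto AES256-SHA1 in the command block itself and describing rc4-hmac-nt as the fallback for environments that cannot use AES, so that a reader who copies the command gets the stronger key type. The same section says the "This account supports Kerberos AES 256 bit encryption" checkbox has to be set "additionally" but does not say when relative to the export. The delegation paragraph is explicit that its option only appears after the key has been exported, so the AES checkbox deserves the same ordering statement. The new "Enable delegation" paragraph selects "Trust this user for delegation to any service (Kerberos only)", which is the unconstrained setting. A sentence on why that scope is required, or whether delegation to specified services is sufficient, would help administrators who have to justify the setting. Style: the added note wraps jaas.conf in raw font markup; the wiki's own monospace syntax would be easier to maintain.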