Generating a KEYTAB file (Kerberos)
The best time to generate a KEYTAB file is during the Nintex RPA Server installation, because the Nintex RPA Server wizard provides convenient tools for this.
You can generate a KEYTAB file once you get to the Authentication Platform Security step in the Nintex RPA installation wizard.
To generate the KEYTAB script, use the "copy command to clipboard" or the "save command to batch file" option.
If you are installing on one primary machine, this is how the generic CLI script is formatted:
ktpass -out filename.keytab -princ "HTTP/{FQDN}@DOMAIN" -mapUser "userPrincipalName" -mapOp set -pass "password" -crypto all -pType KRB5_NT_PRINCIPAL -setupn -setpass
If you are installing on more than one machine (High-Availability), the generated script adds a dedicated line for every additional server and includes the FQDNs of the servers. This is how the generic CLI script for two machines is formatted:
ktpass -out filename.keytab -princ "HTTP/{FQDN}@DOMAIN" -mapUser "userPrincipalName" -mapOp set -pass "password" -crypto all -pType KRB5_NT_PRINCIPAL -setupn -setpass -mapOp add -in filename.keytab
Store the KEYTAB file at:
{InstallFolder}\IDP\Aerobase\Configuration\{filename}.keytab
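The ktpass commands above pass -crypto all, which writes a key for every encryption type ktpass supports, DES and RC4 included alongside AES. As an added example (not Nintex code), this Python parser reads a keytab and lists the entries that carry those legacy key types, so you can confirm what the stored file contains. It assumes the version 0x0502 keytab layout; the principal, realm and all-zero keys in SAMPLE are constructed.

```python
import struct

# Kerberos encryption type numbers; DES and RC4 are the legacy key types.
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
WEAK = {1, 3, 23}

def counted(buf, off):  # 16-bit length-prefixed string -> (text, next offset)
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n].decode(), off + 2 + n

def parse_keytab(data):
    """Return (principal, kvno, enctype) for each entry of a version 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        if size <= 0:              # negative length marks a deleted slot (hole)
            pos += 4 - size
            continue
        rec, pos = data[pos + 4:pos + 4 + size], pos + 4 + size
        (ncomp,) = struct.unpack_from(">H", rec, 0)
        names, off = [], 2
        for _ in range(ncomp + 1):  # realm first, then the name components
            name, off = counted(rec, off)
            names.append(name)
        off += 8                   # skip name type (4 bytes) and timestamp (4 bytes)
        kvno, etype, keylen = struct.unpack_from(">BHH", rec, off)
        off += 5 + keylen
        if len(rec) - off >= 4:    # optional 32-bit kvno supersedes the 8-bit one
            (kvno,) = struct.unpack_from(">I", rec, off)
        entries.append(("/".join(names[1:]) + "@" + names[0], kvno, etype))
    return entries

def weak_entries(entries):  # keep only DES/RC4 entries, enctype name resolved
    return [(p, k, ENCTYPES[e]) for p, k, e in entries if e in WEAK]

def make_entry(realm, comps, kvno, etype, key):
    """Build one constructed keytab entry (sample data only, not a real key)."""
    def s(b):
        return struct.pack(">H", len(b)) + b
    body = struct.pack(">H", len(comps)) + s(realm) + b"".join(s(c) for c in comps)
    body += struct.pack(">IIBH", 1, 0, kvno, etype) + s(key)
    return struct.pack(">i", len(body)) + body

# Constructed sample: five key types for one HTTP principal, as "-crypto all" writes.
SAMPLE = b"\x05\x02" + b"".join(
    make_entry(b"EXAMPLE.COM", [b"HTTP", b"rpa01.example.com"], 3, e, bytes(n))
    for e, n in [(1, 8), (3, 8), (23, 16), (18, 32), (17, 16)])
```

To check a real file, read it in binary mode and pass the bytes to parse_keytab, then to weak_entries.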
To use the KEYTAB file for Single Sign-on (Kerberos) Authentication, you need to set up the SPN with this command:
Setspn -s "HTTP/<Server_FQDN>" "domain\username"
For more information, see Adding another LDAP user federation.