Generating your "keytab" file and testing your Kerberos login

Windows Native Authentication

Now we need to generate a "keytab" file that will be used by the SSO server to map the account name to the service principal name.

From the command prompt on your AD server, use the "ktpass" command to generate this file. The command we used is:

C:\> ktpass -princ HTTP/aspen.us.oracle.com@ACME.COM -pass welcome1 -mapuser aspen -out aspen.keytab

The "-princ" value is "HTTP/" followed by the FQDN of your SSO server, followed by "@YOUR_AD_DEFAULT_REALM". This value is case sensitive: the AD default realm must be in upper case and the FQDN of the SSO server should be in lower case.

The "-pass" value must be set to the same password you assigned to the SSO hostname user account that you created in the AD server on the previous page.

The "-mapuser" value is the SSO hostname user you created in the AD server on the previous page.

The "-out" value is the name you want to give for the file output that is generated. Make the name meaningful as you will use it later in this exercise. Suggested format:

hostname.keytab

Once the keytab file is generated you will need to copy it to the $ORACLE_HOME/j2ee/OC4J_SECURITY/config directory on the SSO server.


Now we need to test the Kerberos connection between your UNIX server and the AD server. This command works on most UNIX machines, such as Solaris and Red Hat Linux. The "kinit" executable in Solaris is located in the /usr/bin directory. In Red Hat Linux it is located in the /

Here is a sample command you can use to test this:

# /usr/bin/kinit -k -t $ORACLE_HOME/j2ee/OC4J_SECURITY/config/aspen.keytab HTTP/aspen.us.oracle.com

Note: This is one command, not three.

Substitute your full Oracle home directory path where you see $ORACLE_HOME.

Where you see "aspen.keytab" substitute the name of the keytab file you generated with the -out option when you ran the ktpass command earlier in this exercise.

Where you see "aspen.us.oracle.com" substitute the FQDN of the machine your SSO server is running on.

If the test is successful there is no output at all from this command; you simply get another command prompt back. Any output indicates an error, and you will need to resolve that problem before you go any further.
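As an added example (not part of the Oracle exercise), here is a POSIX sh script that checks a principal against the case rules from the ktpass step and wraps the kinit test so that any output or a non-zero exit is reported as a failure; check_principal, test_keytab and the KINIT variable are names chosen for this script, and the kinit flags are the ones the exercise uses.

```shell
#!/bin/sh
# Added example, not part of the Oracle exercise. check_principal, test_keytab
# and KINIT are names chosen here; the kinit flags are the ones the exercise uses.

KINIT="${KINIT:-/usr/bin/kinit}"   # Solaris location named in the text

# check_principal HTTP/<fqdn>@<REALM>
# Enforces the case rules from the ktpass step: the service part is "HTTP/",
# the FQDN is lower case and contains a dot, the AD realm is upper case.
check_principal() {
    princ=$1
    case "$princ" in
        HTTP/*.*@?*) ;;
        *) echo "expected HTTP/<fqdn>@<REALM>, got: $princ" >&2; return 1 ;;
    esac
    host=${princ#HTTP/}; host=${host%@*}
    realm=${princ##*@}
    case "$host" in
        *[[:upper:]]*) echo "FQDN must be lower case: $host" >&2; return 1 ;;
    esac
    case "$realm" in
        *[[:lower:]]*) echo "realm must be upper case: $realm" >&2; return 1 ;;
    esac
    return 0
}

# test_keytab <keytab> HTTP/<fqdn>@<REALM>
# Same test as the exercise: kinit -k -t must exit 0 and print nothing.
# Also refuses a keytab that other users can read, since it holds the key.
test_keytab() {
    keytab=$1; princ=$2
    check_principal "$princ" || return 1
    if [ ! -r "$keytab" ]; then
        echo "keytab not readable: $keytab" >&2; return 1
    fi
    if [ -n "$(find "$keytab" -perm -004)" ]; then
        echo "keytab is world-readable, fix its permissions: $keytab" >&2; return 1
    fi
    if out=$("$KINIT" -k -t "$keytab" "$princ" 2>&1) && [ -z "$out" ]; then
        return 0
    fi
    echo "kinit test failed: ${out:-non-zero exit with no output}" >&2
    return 1
}
```

Run it as `test_keytab $ORACLE_HOME/j2ee/OC4J_SECURITY/config/aspen.keytab HTTP/aspen.us.oracle.com@ACME.COM` after substituting your own paths and names; the exit status is 0 only when the ticket request produced no output.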
