A Kerberos keytab is a file that contains pairs of Kerberos principals and encrypted keys. By importing and using Kerberos keytabs, the Smoothwall services, such as authentication, can use the interoperability features provided by Kerberos.
To generate keytabs, refer to the documentation delivered with your directory server.
To create authentication policies using Kerberos as the authentication method, see our help topic, Creating authentication policies.
Kerberos keytabs are turned on by default. You can turn off a Kerberos keytab, for example, when troubleshooting.
Use this page to import and use Kerberos keytabs, so that the Smoothwall services, such as authentication, can use the interoperability features provided by Kerberos.
Prerequisites
- When using Microsoft Active Directory for authentication, Kerberos keys are managed automatically. For other directory servers, it's necessary to import keytabs manually.
- Check that forward and reverse DNS are working.
- Check that all clocks are in sync. More than a five-minute clock drift will cause authentication to fail.
Procedure
- On the SERVICES menu, under the Authentication submenu, click Kerberos keytabs.
- Click Add new keytab and in the Add new keytab dialog, enter a meaningful Name for the keytab.
- Click Choose File and select the keytab file that contains the pairs of Kerberos principals and encrypted keys.
- Enter a descriptive Comment and click Add.
- Repeat the previous steps for any other keytabs you need to import.
Follow-up tasks
- To edit a keytab:
  - Under the Kerberos keytabs section, place your mouse cursor over the keytab and click Edit.
  - Make any changes.
  - To turn off the keytab, clear the Enabled option.
  - Click Save.
- To delete a keytab:
  - Under the Kerberos keytabs section, place your mouse cursor over the keytab and click Delete.
  - When prompted, click Delete. The Smoothwall deletes the keytab.
Troubleshooting a Kerberos service
Make sure of the following when troubleshooting a service that uses Kerberos:
- Make sure that all the prerequisites have been met.
- Try another browser for fault-finding.
- In a Safari browser, try the fully qualified domain name (FQDN) if the short form doesn't work.
- See if the user logged on before the keytab was created. Try logging off then on again.
- See if the user logged on before the Smoothwall connected to the domain. Try logging off then on again.
- Make sure that you're logged on with a domain account.
- When exporting your own keytabs:
  - Make sure that the keytab contains keys with the same encryption type as that used by the client.
  - The “HTTP” in the service principal name (SPN) must be in uppercase.
  - The keytab should contain SPNs for both the short and fully qualified forms of each hostname.
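As an added illustration of the three export checks above (example code, not part of the Smoothwall documentation), the following Python parses an MIT-format keytab and reports a lowercase HTTP service name, a missing short or fully qualified hostname, and a key set that does not overlap the client's encryption types. The realm, hostnames and key bytes are constructed for the example; the enctype numbers are the standard Kerberos assignments.

```python
import struct
AES256_CTS, AES128_CTS, RC4_HMAC = 18, 17, 23       # standard Kerberos enctype numbers

def build_entry(realm, components, enctype, key, kvno=2):
    """Encode one MIT keytab (version 0x0502) entry; used only to build the sample."""
    body = struct.pack(">H", len(components))
    for s in [realm] + components:                    # realm first, then name components
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIB", 1, 0, kvno)           # name_type, timestamp, 8-bit kvno
    body += struct.pack(">HH", enctype, len(key)) + key
    return struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Return (principal, enctype, kvno) tuples from a version 0x0502 keytab blob."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        size = struct.unpack(">i", data[pos:pos + 4])[0]
        pos, end = pos + 4, pos + 4 + abs(size)       # negative size marks a deleted slot
        if size > 0:
            ncomp = struct.unpack(">H", data[pos:pos + 2])[0]
            pos, strings = pos + 2, []
            for _ in range(ncomp + 1):                # realm, then components
                n = struct.unpack(">H", data[pos:pos + 2])[0]
                strings.append(data[pos + 2:pos + 2 + n].decode())
                pos += 2 + n
            kvno = data[pos + 8]                      # skips name_type and timestamp
            enctype = struct.unpack(">H", data[pos + 9:pos + 11])[0]
            entries.append(("/".join(strings[1:]) + "@" + strings[0], enctype, kvno))
        pos = end
    return entries

def check_keytab(data, host_pairs, client_enctypes):
    """Apply the page's three export checks; returns the problems found."""
    entries, problems = parse_keytab(data), []
    for spn in sorted({p for p, _, _ in entries}):
        service = spn.split("/")[0]
        if service.lower() == "http" and service != "HTTP":
            problems.append(f"service name must be uppercase HTTP: {spn}")
    hosts = {p.split("/")[1].split("@")[0] for p, _, _ in entries if "/" in p}
    for short, fqdn in host_pairs:                    # both forms of each hostname needed
        problems += [f"missing SPN for hostname {h}" for h in (short, fqdn) if h not in hosts]
    if not {e for _, e, _ in entries} & set(client_enctypes):
        problems.append("no key matches the client's encryption types")
    return problems

# Constructed sample: an AES key under the correct SPN plus an RC4 key under a lowercase one
SAMPLE = b"\x05\x02" + build_entry("EXAMPLE.LOCAL", ["HTTP", "proxy"], AES256_CTS, b"k" * 32) \
    + build_entry("EXAMPLE.LOCAL", ["http", "proxy"], RC4_HMAC, b"k" * 16)
```

Run `check_keytab(SAMPLE, [("proxy", "proxy.example.local")], [AES128_CTS])` to see all three findings at once; an empty list means the keytab passes the checks for the hostnames and client enctypes you supply.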