4 Replies Latest reply on Feb 9, 2010 12:22 PM by Bill Robinson

    AD Configuration Steps

    young so

      I thought configuring AD authentication was too spread out.  So, I decided to put it into one place.




      1.       Create an Active Directory user account.

      2.       Associate a service principal name with the user account.

      3.       Export the user account and SPN information into a keytab file. After you create the keytab file, you must give this file and the SPN to the administrator.


      Creating a User Account in the Domain

      1.       On a Windows 2000 or 2003 Server, from the Start menu, select Programs > Administrative Tools > Active Directory Users and Computers. The Active Directory Users and Computers window displays.

      2.       Right click the Users folder and select New > User. The New Object – User wizard displays.

      3.       For First name, enter a name, such as blauthsvc. For User logon name, enter the name again. In this example, you would enter blauthsvc again.

      4.       Click Next. The second screen of the wizard displays, requesting password information.

      5.       For Password, set the password to whatever you want. Be sure to use a password that conforms to the Active Directory password policy. Then check Password never expires.

      6.       Click Next. The final summary page of the wizard displays.

      7.       Click Finish to dismiss the wizard.

      8.       From the Active Directory Users and Computers window, do the following:

      9.       Make sure the domain name for the Application Server is expanded so that it shows the Users folder in the left column.

      a.       Click the Users folder, then double-click the blauthsvc user in the right column. The Properties window for that user displays.

      b.      Click the Account tab.

      c.       Under Account Options, check Use DES encryption types for this account.

      d.      Click OK.


      Export the user account and SPN information into a keytab

      1.       Use the ktpass command-line utility to export the keytab file.  Run this utility in a directory suitable for writing a file with sensitive data. Do one of the following:

      In a Windows 2003 environment, enter the following command (on a single line):

      ktpass -out blauthsvc.keytab -princ blauthsvc/<instance>@<DOMAIN> -mapuser blauthsvc@<DOMAIN> +rndPass -minPass 33 -ptype KRB5_NT_PRINCIPAL -crypto DES-CBC-MD5

      BMC BladeLogic recommends using version 5.2.3790.2732 of ktpass.exe.

      where <instance> is the instance of this Application Server (typically a hostname) and <DOMAIN> is the realm where the Application Server is running. (This is the realm/domain that appeared next to the User logon name when you created the blauthsvc user.)


      Here are the requirements:

                    Windows 2003                                  Windows 2000
      ktpass.exe    Provided as part of Windows 2003              Provided as part of Support Tools
                    Support Tools Service Pack 1
      setspn.exe    Provided as part of Windows 2003              Included with the purchase of the
                    Support Tools Service Pack 1                  Windows Resource Kit or as a free
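
Before handing blauthsvc.keytab to the Application Server administrator it is worth checking what actually landed in the file: that the principal matches the SPN you mapped, that the kvno is the one you expect, and which encryption type the key uses, since the DES-CBC-MD5 type selected above is deprecated (RFC 6649) and worth flagging wherever a domain still accepts it. The parser below is an added example, not code from the original post or from BMC BladeLogic; it reads the MIT keytab layout (version 0x0502, the format ktpass writes) and reports principal, kvno and enctype without ever printing key bytes. It assumes a hypothetical host appserver.example.com and realm EXAMPLE.COM and assembles a constructed sample keytab with dummy key material so it runs offline.

```python
import struct
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
WEAK_ENCTYPES = {1, 2, 3, 23}  # single-DES and RC4: deprecated by RFC 6649 / RFC 8429

def build_entry(realm, components, kvno, enctype, key, timestamp=1265716920):
    """Serialise one keytab entry (version 0x0502 layout, name type KRB5_NT_PRINCIPAL = 1)."""
    body = struct.pack(">H", len(components)) + struct.pack(">H", len(realm)) + realm.encode()
    for c in components:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    return struct.pack(">i", len(body)) + body

# Constructed sample: hypothetical host/realm, dummy key bytes, not a real ktpass export.
PRINC = ["blauthsvc", "appserver.example.com"]
SAMPLE_KEYTAB = (b"\x05\x02"
                 + build_entry("EXAMPLE.COM", PRINC, 3, 3, b"\x11" * 8)     # des-cbc-md5
                 + build_entry("EXAMPLE.COM", PRINC, 3, 18, b"\x22" * 32))  # aes256

def parse_keytab(data):
    """Return [{principal, kvno, enctype, enctype_name}] for each live entry in an MIT keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4]); pos += 4
        if size < 0:                       # negative size marks a deleted slot
            pos -= size
            continue
        end = pos + size
        ncomp, rlen = struct.unpack(">HH", data[pos:pos + 4]); pos += 4
        realm = data[pos:pos + rlen].decode(); pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack(">H", data[pos:pos + 2]); pos += 2
            comps.append(data[pos:pos + clen].decode()); pos += clen
        _name_type, _ts, kvno = struct.unpack(">IIB", data[pos:pos + 9]); pos += 9
        enctype, klen = struct.unpack(">HH", data[pos:pos + 4]); pos += 4
        pos += klen                        # key bytes are skipped, never exposed
        if end - pos >= 4:                 # optional 32-bit kvno overrides the byte
            (kvno32,) = struct.unpack(">I", data[pos:pos + 4])
            kvno = kvno32 or kvno
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": kvno,
                        "enctype": enctype, "enctype_name": ENCTYPE_NAMES.get(enctype, str(enctype))})
        pos = end
    return entries

def weak_entries(entries):
    """Principals whose key uses a deprecated enctype, e.g. the DES-CBC-MD5 key ktpass wrote above."""
    return [e["principal"] + " " + e["enctype_name"] for e in entries if e["enctype"] in WEAK_ENCTYPES]
```

To inspect a real file, pass `open("blauthsvc.keytab", "rb").read()` to `parse_keytab` and review `weak_entries` on the result.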