Create the Service Principal Names and Keytab Files

After you generate the list of SPN and keytab file names in Informatica format, send a request to the Kerberos administrator to add the SPNs to the Kerberos principal database and create the keytab files.
Use the following guidelines when you create the SPN and keytab files:
The user principal name (UPN) must be the same as the SPN.
When you create a user account for the service principal, you must set the UPN with the same name as the SPN. The application services in the Informatica domain can act as a service or a client depending on the operation. You must configure the service principal to be identifiable by the same UPN and SPN.
A user account must be associated with only one SPN. Do not set multiple SPNs for one user account.
Enable delegation in Microsoft Active Directory.
You must enable delegation for all user accounts with service principals used in the Informatica domain. In the Microsoft Active Directory Service, set the Trust this user for delegation to any service (Kerberos only) option for each user account for which you set an SPN.
Delegated authentication happens when a user is authenticated with one service and that service uses the credentials of the authenticated user to connect to another service. Because services in the Informatica domain need to connect to other services to complete an operation, the Informatica domain requires the delegation option to be enabled in Microsoft Active Directory.
Use the ktpass utility to create the service principal keytab files.
Microsoft Active Directory supplies the ktpass utility to create keytab files. Informatica supports Kerberos authentication only on Microsoft Active Directory and has certified only keytab files that are created with ktpass.
The keytab files for a node must be available on the machine that hosts the node. By default, the keytab files are stored in the following directory: <Informatica installation directory>/isp/config/keys. During installation, you can specify a directory on the node to store the keytab files.
When you receive the keytab files from the Kerberos administrator, copy the keytab files to a directory that is accessible to the machine where you plan to install the Informatica services. When you run the Informatica installer, specify the location of the keytab files. The Informatica installer copies the keytab files to the directory for keytab files on the Informatica node.

Troubleshooting the Service Principal Names and Keytab Files

You can use Kerberos utilities to verify that the service principal and keytab file names created by the Kerberos administrator match the service principal and keytab file names that you requested. You can also use the utilities to determine the status of the Kerberos key distribution center (KDC).
You can use Kerberos utilities such as setspn, kinit and klist to view and verify the SPNs and keytab files. To use the utilities, ensure that the KRB5_CONFIG environment variable contains the path and file name of the Kerberos configuration file.
Note: The following examples show ways to use the Kerberos utilities to verify that SPNs and keytab files are valid. The examples might be different than the way that the Kerberos administrator uses the utilities to create the SPNs and keytab files required for the Informatica domain. For more information about running the Kerberos utilities, see the Kerberos documentation.
Use the following utilities to verify the SPNs and keytab files:
klist
You can use klist to list the Kerberos principals and keys in a keytab file. To list the keys in the keytab file and the time stamp for the keytab entry, run the following command:
klist -k -t <keytab_file>
The following output example shows the principals in a keytab file:
Keytab name: FILE:int_srvc01.keytab
KVNO Timestamp Principal
---- ----------------- --------------------------------------------------------
3 12/31/69 19:00:00 int_srvc01/node01_vMPE/Domn96_vMPE@REALM
3 12/31/69 19:00:00 int_srvc01/node01_vMPE/Domn96_vMPE@REALM
3 12/31/69 19:00:00 int_srvc01/node01_vMPE/Domn96_vMPE@REALM
3 12/31/69 19:00:00 int_srvc01/node01_vMPE/Domn96_vMPE@REALM
3 12/31/69 19:00:00 int_srvc01/node01_vMPE/Domn96_vMPE@REALM
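The check described above, that the keytab the Kerberos administrator delivered actually holds the SPN you requested and nothing else, can be scripted on the node rather than read by eye. The following shell function is an added example, not part of the Informatica guide or product; it parses klist -k -t output from a constructed sample modelled on the listing above and fails when the keytab contains a different principal, more than one principal, or entries with mixed key version numbers (a sign of a stale or merged keytab).

```shell
# Constructed sample of 'klist -k -t <keytab_file>' output, modelled on the
# listing above. In real use, pipe the live command into check_keytab:
#   klist -k -t int_srvc01.keytab | check_keytab 'int_srvc01/node01_vMPE/Domn96_vMPE@REALM'
SAMPLE_KLIST='Keytab name: FILE:int_srvc01.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 12/31/69 19:00:00 int_srvc01/node01_vMPE/Domn96_vMPE@REALM
   3 12/31/69 19:00:00 int_srvc01/node01_vMPE/Domn96_vMPE@REALM
   3 12/31/69 19:00:00 int_srvc01/node01_vMPE/Domn96_vMPE@REALM'

# check_keytab EXPECTED_SPN  (reads klist -k -t output on stdin)
# Returns 0 when every entry in the keytab belongs to EXPECTED_SPN and all
# entries share one KVNO; otherwise prints the reason on stderr and returns 1.
check_keytab() {
  expected="$1"
  # Entry lines start with a numeric KVNO; the principal is the last field.
  entries=$(awk '$1 ~ /^[0-9]+$/ && NF >= 4 {print $1, $NF}')
  if [ -z "$entries" ]; then
    echo "no keytab entries found in klist output" >&2
    return 1
  fi
  principals=$(printf '%s\n' "$entries" | awk '{print $2}' | sort -u)
  kvnos=$(printf '%s\n' "$entries" | awk '{print $1}' | sort -u)
  if [ "$(printf '%s\n' "$principals" | wc -l)" -ne 1 ]; then
    echo "keytab holds more than one principal:" >&2
    printf '  %s\n' $principals >&2
    return 1
  fi
  if [ "$principals" != "$expected" ]; then
    echo "keytab principal '$principals' does not match requested SPN '$expected'" >&2
    return 1
  fi
  if [ "$(printf '%s\n' "$kvnos" | wc -l)" -ne 1 ]; then
    echo "entries carry different KVNOs; keytab may be stale or merged" >&2
    return 1
  fi
  return 0
}

# Example run against the constructed sample.
printf '%s\n' "$SAMPLE_KLIST" \
  | check_keytab 'int_srvc01/node01_vMPE/Domn96_vMPE@REALM' && echo "keytab OK"
```

A passing check only confirms the names and key versions; follow it with the kinit -k -t command in the next section to confirm the keys themselves are accepted by the KDC.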
kinit
You can use kinit to request a ticket-granting ticket for a user account to verify that the KDC is running and can grant tickets. To request a ticket-granting ticket for a user account, run the following command:
kinit <user_account>
You can also use kinit to request a ticket-granting ticket and verify that the keytab file can be used to establish a Kerberos connection. To request a ticket-granting ticket for an SPN, run the following command:
kinit -V -k -t <keytab_file> <SPN>
The following output example shows the ticket-granting ticket created in the default cache for a specified keytab file and SPN:
Using default cache: /tmp/krb5cc_10000073
Using principal: int_srvc01/node01_vMPE/Domn96_vMPE@REALM
Using keytab: int_srvc01.keytab
Authenticated to Kerberos v5
setspn
You can use setspn to view, modify, or delete the SPN of an Active Directory service account. On the machine that hosts the Active Directory service, open a command line window and run the command.
To view the SPNs that are associated with a user account, run the following command:
setspn -L <user_account>
The following output example shows the SPN associated with the user account is96svc:
Registered ServicePrincipalNames for CN=is96svc,OU=AllSvcAccts,OU=People,
DC=ds,DC=intrac0rp,DC=zec0rp:
int_srvc01/node02_vMPE/Domn96_vMPE
To view the user accounts associated with an SPN, run the following command:
setspn -Q <SPN>
The following output example shows the user account associated with the SPN int_srvc01/node02_vMPE/Domn96_vMPE:
Checking domain DC=ds,DC=intrac0rp,DC=zec0rp
CN=is96svc,OU=AllSvcAccts,OU=People,DC=ds,DC=intrac0rp,DC=zec0rp
int_srvc01/node02_vMPE/Domn96_vMPE

Existing SPN found!
To search for duplicate SPNs, run the following command:
setspn -X
The following output example shows multiple user accounts associated with one SPN:
Checking domain DC=ds,DC=intrac0rp,DC=zec0rp
Processing entry 1125
HOST/mtb01.REALM is registered on these accounts:
CN=Team1svc,OU=AllSvcAccts,OU=People,DC=ds,DC=intrac0rp,DC=zec0rp
CN=MTB1svc,OU=IIS,OU=WPC960K3,OU=WINServers,DC=ds,DC=intrac0rp,DC=zec0rp
Note: Searching for duplicate SPNs can take a long time and a large amount of memory.
kdestroy
You can use kdestroy to delete the active Kerberos authorization tickets and the user credentials cache that contains them. If you run kdestroy without parameters, you delete the default credentials cache.