Adding Kerberos keytabs
Prerequisites
- Check that forward and reverse DNS are working.
- Check that all clocks are in sync. More than a five-minute clock drift will cause authentication to fail.
Procedure
- On the SERVICES menu, under the Authentication submenu, click Kerberos keytabs.
- Click Add new keytab and in the Add new keytab dialog, enter a meaningful Name for the keytab.
- Click Choose File and select the keytab file.
- Enter a descriptive Comment and click Add.
- Repeat the previous steps for any other keytabs you need to import.
Follow-up tasks
- To edit a keytab:
  - Under the Kerberos keytabs section, place your mouse cursor over the keytab and click Edit.
  - Make any changes.
  - To turn off the keytab, clear the Enabled option.
  - Click Save.
- To delete a keytab:
  - Under the Kerberos keytabs section, place your mouse cursor over the keytab and click Delete.
  - When prompted, click Delete. The Smoothwall deletes the keytab.
Troubleshooting a Kerberos service
Check the following when troubleshooting a service that uses Kerberos:
- Make sure that all the prerequisites have been met.
- Try another browser for fault-finding.
- In a Safari browser, try the fully qualified domain name (FQDN) if the short form doesn't work.
- See if the user logged on before the keytab was created. Try logging off then on again.
- See if the user logged on before the Smoothwall connected to the domain. Try logging off then on again.
- Make sure that you're logged on with a domain account.
- When exporting your own keytabs:
  - Make sure that the keytab contains keys with the same type of cryptography as that used by the client.
  - The “HTTP” in the service principal name (SPN) must be in uppercase.
  - The keytab should contain SPNs containing the short and fully qualified forms of each hostname.
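
The three export checks above can be run against a keytab file before importing it. The following is an added example, not Smoothwall code: it assumes the keytab uses the MIT file format version 0x0502, and the hostnames, realm and function names are constructed for illustration.

```python
import struct

def parse_keytab(data):
    """Return [(principal, enctype)] from MIT keytab bytes (file format 0x0502)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                      # negative size marks a deleted slot
            pos += -size
            continue
        rec, pos, off, fields = data[pos:pos + size], pos + size, 2, []
        (ncomp,) = struct.unpack_from(">H", rec, 0)
        for _ in range(ncomp + 1):         # realm first, then name components
            (n,) = struct.unpack_from(">H", rec, off)
            fields.append(rec[off + 2:off + 2 + n].decode())
            off += 2 + n
        # skip name type (4), timestamp (4), 8-bit kvno (1); enctype follows
        (etype,) = struct.unpack_from(">H", rec, off + 9)
        entries.append(("/".join(fields[1:]) + "@" + fields[0], etype))
    return entries

def check_keytab(data, hostnames, client_etypes):
    """Return a list of problems; hostnames are the short and FQDN forms expected."""
    entries, problems = parse_keytab(data), []
    for princ, _ in entries:
        service = princ.split("/")[0]
        if service.upper() == "HTTP" and service != "HTTP":
            problems.append(f"{princ}: service must be uppercase HTTP")
    have = {p.split("@")[0][5:].lower() for p, _ in entries if p.startswith("HTTP/")}
    problems += [f"no HTTP SPN for {h}" for h in hostnames if h.lower() not in have]
    if not {e for _, e in entries} & set(client_etypes):
        problems.append("no key uses an encryption type the client uses")
    return problems

def sample_entry(spn, realm, etype):
    """Build one constructed entry with a dummy all-zero 16-byte key."""
    cs = lambda s: struct.pack(">H", len(s)) + s.encode()
    comps = spn.split("/")
    body = struct.pack(">H", len(comps)) + cs(realm) + b"".join(map(cs, comps))
    body += struct.pack(">IIBHH", 1, 0, 1, etype, 16) + bytes(16)
    return struct.pack(">i", len(body)) + body

# Constructed sample: one lowercase "http" SPN, no uppercase short-name SPN, RC4 (23) keys only.
SAMPLE = (b"\x05\x02" + sample_entry("HTTP/proxy.example.test", "EXAMPLE.TEST", 23)
          + sample_entry("http/proxy", "EXAMPLE.TEST", 23))
PROBLEMS = check_keytab(SAMPLE, ["proxy", "proxy.example.test"], [17, 18])  # three findings
```

Encryption type numbers 17, 18 and 23 are aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96 and rc4-hmac. To check a real file, pass `open(path, "rb").read()` as `data`.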