I need to create a Kerberos keytab file from Active Directory with three different SPNs.

It's no problem to add different SPNs with setspn -a, but when I try to create a keytab file with ktpass, only the given SPN will be saved to the keytab file.

How can I create a keytab file with all SPNs mapped to an AD account?

HighMilkyWay

2 Answers
You actually can add multiple keys to a single keytab file using ktpass by specifying both the /in and /out params when appending to the file. The first command (which creates the .keytab file) should specify /out only, but for all subsequent additions you specify both /in and /out, with both pointing at the same file, and this will append the subsequent keys onto the existing keytab file specified.

Found this information here (more info and examples can be found at this link as well):

https://www.ibm.com/mysupport/s/question/0D50z00005q4HNoCAM/how-do-you-add-multiple-spns-to-the-same-keytab-file-for-spnego-or-kerberos-configuration-in-was?language=en_US

Note - the thread I linked mentions using the /mapop parameter as well in the subsequent commands; however, from my testing, this is unrelated to the goal of appending multiple keys to the same keytab. The purpose of /mapop is just for specifying whether you want to overwrite or append to the account's SPN list when ktpass registers the new SPN to the account (the default if omitted is to append). But it is not necessary to specify /mapop to append the new key to the existing keytab file.

dwillis77
You can't create a keytab with ktpass that will contain all of the principal's keys.

You must export them one by one with ktpass and merge them with ktutil (on Linux). There are other ways or tools to achieve the same thing, but this procedure works on my machine.

ixe013
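Whichever route the two answers take (ktpass appending through /in and /out, or one export per SPN merged with ktutil), the result is a standard MIT-format keytab, so the outcome can be verified by reading the file back. The following Python script is an added check, not code from either answer: it parses a version 2 keytab and reports which of the intended SPNs have no key entry. The build_keytab helper, the EXAMPLE.COM principals and the key bytes are constructed test data.

```python
"""Added check: list which SPNs a Kerberos keytab (MIT v2 format, 0x0502, as written by ktpass) holds."""
import struct
def _c(s: bytes) -> bytes:              # counted_octet_string: 16-bit big-endian length + bytes
    return struct.pack(">H", len(s)) + s

def build_keytab(entries) -> bytes:
    """Constructed test data only: assemble a v2 keytab from (principal, kvno, enctype, key) tuples."""
    out = b"\x05\x02"
    for principal, kvno, enctype, key in entries:
        name, realm = principal.split("@")
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _c(realm.encode()) + b"".join(_c(c.encode()) for c in comps)
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # name_type (KRB5_NT_PRINCIPAL), timestamp, vno8
        body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)  # keyblock + 32-bit kvno
        out += struct.pack(">i", len(body)) + body       # positive size = live entry
    return out

def parse_keytab(data: bytes):
    """Return [(principal, kvno, enctype)] for every live entry in a v2 keytab."""
    if data[:2] != b"\x05\x02": raise ValueError("not a version 2 keytab (expected header 05 02)")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4]); pos += 4
        if size <= 0:                       # negative size marks a deleted slot of that length
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", data[pos:pos + 2]); pos += 2
        strings = []                        # realm first, then the name components
        for _ in range(ncomp + 1):
            (n,) = struct.unpack(">H", data[pos:pos + 2])
            strings.append(data[pos + 2:pos + 2 + n].decode()); pos += 2 + n
        _ntype, _ts, vno8 = struct.unpack(">IIB", data[pos:pos + 9]); pos += 9
        enctype, klen = struct.unpack(">HH", data[pos:pos + 4]); pos += 4 + klen
        kvno = vno8
        if end - pos >= 4:                  # optional 32-bit kvno; a value of 0 means "use vno8"
            kvno = struct.unpack(">I", data[pos:pos + 4])[0] or vno8
        entries.append(("/".join(strings[1:]) + "@" + strings[0], kvno, enctype))
        pos = end
    return entries

def missing_spns(data: bytes, expected_spns) -> list:
    """SPNs (no realm) with no key entry in the keytab; an empty list means every SPN made it in."""
    present = {p.split("@")[0].lower() for p, _, _ in parse_keytab(data)}   # AD matches SPNs case-insensitively
    return sorted(s for s in expected_spns if s.lower() not in present)

# Constructed sample: two SPNs exported with the same kvno (18 = aes256-cts-hmac-sha1-96), a third left out.
SAMPLE_KEYTAB = build_keytab([("HTTP/web.example.com@EXAMPLE.COM", 3, 18, b"\x11" * 32),
                              ("HTTP/web@EXAMPLE.COM", 3, 18, b"\x11" * 32)])
WANTED = ["HTTP/web.example.com", "HTTP/web", "HTTP/web.example.com:8443"]
```

Against a real file, call parse_keytab(open(path, "rb").read()) and compare with the output of setspn -L for the account; two entries for the same SPN with different kvno values indicate that a later ktpass run reset the account password, leaving the lower-kvno key stale.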