Using a Keytab File for Kerberos Authentication
A System Administrator can create the Kerberos keytab files used to authenticate user
accounts in the Vocera system.
When Kerberos authentication is enabled, you can upload a keytab file provided by a
Windows administrator to authenticate clients from multiple realms to the HTTP service.
The keytab files are generated on the user's Active Directory server.
The Vocera LDAP Adapter is required for Kerberos keytab generation. For information
on the LDAP adapter configuration, refer to the Vocera Adapters documentation section
in the Vocera Documentation Portal.
Before generating the keytab file for Kerberos authentication, the System Administrator must:
- Obtain the domain name of the Vocera Platform cluster, and the name of a user account in Active Directory that
represents the Vocera Platform.
- Ensure that Kerberos is configured and working correctly on the user's
network. This configuration requires a service or computer account for the
host and an HTTP principal entry for that host, with a keytab file
containing a token for the HTTP principal placed on the Vocera Platform.
- Ensure that the computer's time is synchronized with the Active Directory
server. Kerberos rejects tickets whose timestamps fall outside the KDC's clock-skew limit
(five minutes by default), so Vocera recommends configuring NTP on the Vocera Platform.
For instructions on configuring Microsoft Active Directory, refer to the Red Hat website.
- Ensure that the Windows user account does not have "Do not require Kerberos
preauthentication" checked. An account with preauthentication disabled lets anyone
request an AS-REP for it and guess its password offline (AS-REP roasting), so if the
checkbox is checked, uncheck it before generating the keytab.
To generate a keytab file:
Issue the ktpass command to map the trusted host and generate the keytab file. The
following parameters are used in the command. The principal and domain name are case
sensitive and must match the case of the incoming request; Kerberos realm names are
conventionally written in upper case.
-out <filename>.keytab
Specifies the name of the Kerberos version 5 keytab file. This is the file that you
upload in the Vocera Platform Web Console on the Vocera Platform.
-princ HTTP/<FQDN of computer>@<domain name>
Specifies the service principal name that is being mapped, in the form
HTTP/<FQDN of computer>@<domain name>. This parameter is case sensitive.
-mapuser <domain>\<user>
Maps the Kerberos principal specified by the -princ parameter to the specified
domain account.
-crypto All -pass <pass goes here> -ptype KRB5_NT_PRINCIPAL
Writes keys for every encryption type the account supports (-crypto All), supplies the
password from which those keys are derived (-pass; by default ktpass also sets this
password on the mapped account, which invalidates any keytab issued for it earlier),
and records the principal type (-ptype KRB5_NT_PRINCIPAL). -crypto All can include RC4
and DES keys on accounts that still allow them; if your domain policy permits, restrict
the keytab to AES.
On the Active Directory server, substituting the user's details in the
placeholders, enter the following command line:
ktpass -princ HTTP/<FQDN of computer>@<domain name> -mapuser
<domain>\<user> -crypto All -pass <pass goes here> -ptype
KRB5_NT_PRINCIPAL -out <filename>.keytab
Store the resulting keytab file on the Vocera system for upload in Authentication
Settings through the Vocera Platform Web Console. The keytab contains the long-term
keys of the HTTP principal, so transfer it over an encrypted channel, restrict read
access to it, and delete any copies left on the Active Directory server.
(Optional) Instead of creating and uploading a separate file for each user as
described in the previous step, you can add multiple users to an existing single keytab
file. Enter the ktpass -princ command once for each distinct '-mapuser' value that you
need in the keytab, passing the existing file with -in and the same file with -out so
that each run appends to it. With -pass * ktpass prompts for the password instead of
taking it on the command line:
ktpass -princ HTTP/<FQDN of computer>@<domain name> -mapuser KERBEROS1\testserver -pass * -in C:\testeserver.host.keytab -out C:\testeserver.host.keytab
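Before uploading a generated or merged keytab, it is worth inspecting what ktpass actually wrote: that the HTTP principal is present with the exact case and realm the incoming requests will use, which encryption types -crypto All produced, and whether a merged file carries several key versions for one principal (each ktpass -pass run resets the account password and bumps the kvno). The following script is an added example, not Vocera or Microsoft code. It reads the MIT keytab format (version 0x0502) that ktpass writes; the sample keytab it checks is constructed inline with dummy keys, and the hostname vocera.example.com and realm EXAMPLE.COM are assumed values, not ones from the page.

```python
"""Inspect a Kerberos keytab before uploading it (added example, not Vocera code).

Parses MIT keytab v2 (0x0502), the layout ktpass writes, and reports the checks
that matter before upload: principal present with exact case, weak enctypes,
unexpected name type, and mixed kvno for one principal in a merged keytab.
The sample keytab below is constructed here with dummy keys, not by ktpass.
"""
import struct
from typing import NamedTuple

ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
                 23: "rc4-hmac", 24: "rc4-hmac-exp"}
WEAK_ENCTYPES = {1, 3, 23, 24}      # DES and RC4: -crypto All can still emit these
KRB5_NT_PRINCIPAL = 1               # name type written by -ptype KRB5_NT_PRINCIPAL


class Entry(NamedTuple):
    principal: str                  # "HTTP/host.example.com@EXAMPLE.COM"
    name_type: int
    kvno: int
    enctype: int
    key: bytes


def build_keytab(entries):
    """Serialise entries in keytab v2 layout; used here only to construct sample data."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        rec = struct.pack(">H", len(comps))
        for s in [realm] + comps:                     # counted octet strings
            rec += struct.pack(">H", len(s)) + s.encode()
        rec += struct.pack(">IIB", e.name_type, 0, e.kvno & 0xFF)   # type, time, vno8
        rec += struct.pack(">HH", e.enctype, len(e.key)) + e.key    # keyblock
        rec += struct.pack(">I", e.kvno)              # optional 32-bit kvno
        out += struct.pack(">i", len(rec)) + rec
    return bytes(out)


def parse_keytab(data):
    """Walk the entry list; each record has an int32 size, negative for a deleted slot."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab header %r" % data[:2])
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size < 0:                                  # deleted slot: skip its bytes
            pos -= size
            continue
        rec, off = data[pos:pos + size], 0

        def cstr():
            nonlocal off
            (n,) = struct.unpack(">H", rec[off:off + 2])
            off += 2 + n
            return rec[off - n:off].decode()

        (ncomp,) = struct.unpack(">H", rec[:2]); off = 2
        realm = cstr()
        comps = [cstr() for _ in range(ncomp)]
        name_type, _ts, vno8 = struct.unpack(">IIB", rec[off:off + 9]); off += 9
        enctype, klen = struct.unpack(">HH", rec[off:off + 4]); off += 4
        key = rec[off:off + klen]; off += klen
        kvno = struct.unpack(">I", rec[off:off + 4])[0] if size - off >= 4 else vno8
        entries.append(Entry("/".join(comps) + "@" + realm, name_type, kvno, enctype, key))
        pos += size
    return entries


def check_keytab(data, expected_spn):
    """Return a list of findings; an empty list means the keytab is ready to upload."""
    entries, findings = parse_keytab(data), []
    hits = [e for e in entries if e.principal == expected_spn]
    if not hits:
        # Case matters: HTTP/host@REALM and http/host@realm are different principals.
        near = sorted({e.principal for e in entries
                       if e.principal.lower() == expected_spn.lower()})
        findings.append("no entry for %s%s" % (
            expected_spn, "; case differs: %s" % ", ".join(near) if near else ""))
    for e in entries:
        if e.enctype in WEAK_ENCTYPES:
            findings.append("%s: weak enctype %s" % (
                e.principal, ENCTYPE_NAMES.get(e.enctype, e.enctype)))
        if e.name_type != KRB5_NT_PRINCIPAL:
            findings.append("%s: name type %d, expected KRB5_NT_PRINCIPAL"
                            % (e.principal, e.name_type))
    if len({e.kvno for e in hits}) > 1:
        # Each ktpass -pass run bumps the kvno; mixed kvno means stale keys were merged.
        findings.append("%s: mixed kvno %s" % (expected_spn, sorted(e.kvno for e in hits)))
    return findings


# Constructed sample: one principal with AES and RC4 keys (as -crypto All may produce)
# plus a second principal appended with -in/-out. Hostnames and keys are dummies.
SPN = "HTTP/vocera.example.com@EXAMPLE.COM"
SAMPLE_KEYTAB = build_keytab([
    Entry(SPN, KRB5_NT_PRINCIPAL, 3, 18, b"\x11" * 32),
    Entry(SPN, KRB5_NT_PRINCIPAL, 3, 17, b"\x22" * 16),
    Entry(SPN, KRB5_NT_PRINCIPAL, 3, 23, b"\x33" * 16),
    Entry("HTTP/other.example.com@EXAMPLE.COM", KRB5_NT_PRINCIPAL, 5, 18, b"\x44" * 32),
])

if __name__ == "__main__":
    for line in check_keytab(SAMPLE_KEYTAB, SPN) or ["ok"]:
        print(line)
```

To check a real file, replace SAMPLE_KEYTAB with the bytes read from the .keytab ktpass wrote and set SPN to the exact HTTP/<FQDN>@<REALM> value you passed to -princ; a "case differs" finding means the request case and the keytab case will not match at authentication time.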
See Configuring Authentication Settings for
information on uploading the generated keytab file to the Vocera Platform.