How to create a keytab or service principal on windows

Kerberos Keytab

A keytab file is used to store the SPN(Service Principal) credentials for communicating with the KDC or AD Domain Controller or a Kerberos server. This file contains sensitive information to connect to the kerberos server without requiring a username and password.

This article provide a step by step procedure to create a Kerberos keytab on windows Active Directory server using ktpass tool.


  • How to create a keytab or service principal on windows?
  • Create a HTTP service principal for kerberos authentication.
  • Create service principal or keytab with ktpass utility.

Keytab or SPN information

We’ll create a HTTP service principal (SPN) for system. The keytab will be used by the web server running on .

Keytab configuration

Remember that a service principal is bound to a specific account on the AD server. In our case, we’ll bind http_svc account to the keytab created for system.

Execute the following command in the powershell or command line window to create a HTTP service principal.

ktpass -princ HTTP/ -mapuser http_svc@EXAMPLE.COM -crypto rc4-hmac-nt -pass <password> -ptype KRB5_NT_SRV_HST -out c:\

In the above command replace with the original password. After command execution is completed, you will find the keytab file at c:\ location on the windows system.

ktpass syntax

[/out <FileName>]   
[/princ <PrincipalName>]   
[/mapuser <UserAccount>]   
[/mapop {add|set}] [{-|+}desonly] [/in <FileName>]  
[/pass {Password|*|{-|+}rndpass}]  
[/crypto {DES-CBC-CRC|DES-CBC-MD5|RC4-HMAC-NT|AES256-SHA1|AES128-SHA1|All}]  
[/kvno <KeyversionNum>]  
[/answer {-|+}]  
[/rawsalt] [{-|+}dumpsalt] [{-|+}setupn] [{-|+}setpass <Password>]  [/?|/h|/help]  

Once the keytab file has been created, transfer the file to the server is requiring that.


Click here to visit Microsoft site for more details on service principal or keytab.


About the Author: TekFik

TekFik is a technical blogging site helps techies and engineers to solve their day to day issues and also allows everyone to share knowledge and feedback. Please feel free to contact us at if there is anything.

Leave a Reply

Your email address will not be published. Required fields are marked *