To support Kerberos authentication with WSTEP enrollment, Certificate Enrollment Gateway requires a Kerberos keytab file. A keytab file contains Kerberos principals paired with the long-term keys derived from the Kerberos Service Account password. Certificate Enrollment Gateway uses the keytab file to authenticate to remote systems with Kerberos without supplying a password. Because those keys are equivalent to the account password, protect the keytab as you would the password: restrict its file permissions to the Certificate Enrollment Gateway service, transfer it only over an encrypted channel, and regenerate it whenever the account password changes (a password change increments the key version number and invalidates the keys in the old keytab).

Log in to the Active Directory domain controller as a user with Domain Admin and Enterprise Admin permissions, and run the following command in PowerShell. Note that ktpass modifies the Kerberos Service Account in Active Directory: by default it registers the principal as the account's service principal name (SPN), sets the account's user principal name (UPN) to match, and resets the account password to the value given with /pass. The SPN must be unique in the forest, so check for an existing registration first with setspn -Q HTTP/<ceg-fqdn>.

ktpass /out <keytab_path> /mapuser <user> /princ <principal> /pass <password> /ptype KRB5_NT_PRINCIPAL /crypto <algorithm>

See below for a description of each parameter. 


For example:

ktpass /out "C:\Users\cegconfig\Documents\kerberos.keytab" /mapuser kerberos@example.com /princ HTTP/cegserver1.example.com@EXAMPLE.COM /pass EXAMPLE_password1234 /ptype KRB5_NT_PRINCIPAL /crypto All

<keytab_path>

The full path and file name of the keytab file that the command will generate. For example:

C:\Users\cegconfig\Documents\kerberos.keytab

You will transfer this keytab file to the server hosting Certificate Enrollment Gateway.

<user>

The Kerberos Service Account, using the following format:

<logon>@<domain>

Where:

  • <logon> is the Windows logon name of the Kerberos Service Account, in lowercase letters. For example, kerberos.
  • <domain> is the domain name of the Kerberos Service Account, in lowercase characters. For example, example.com.

For example:

kerberos@example.com

<principal>

The principal name of the Kerberos Service Account. The principal must be in the form:

HTTP/<ceg-fqdn>@<DOMAIN>

Where:

  • <ceg-fqdn> is the fully qualified domain name of the server hosting Certificate Enrollment Gateway. For example, cegserver1.example.com.
  • <DOMAIN> is the domain name of the Kerberos Service Account, in uppercase characters. For example, EXAMPLE.COM.

For example:

HTTP/cegserver1.example.com@EXAMPLE.COM

This parameter is case-sensitive. Kerberos compares principal names exactly, so a keytab entry written with different casing (for example http/ or a lowercase realm) will not match the service tickets that clients present to the gateway.

<password>

The password of the Kerberos Service Account. ktpass sets this value as the account's new password (its /setpass option defaults to +). A password typed inline is recorded in PowerShell history and is visible in process listings while the command runs; use /pass * to be prompted for it interactively instead, or /pass +rndpass to have ktpass generate a random password, which is sufficient for an account that only ever authenticates with the keytab.

<algorithm>

The key types to write into the keytab. Permitted values:

  • DES-CBC-CRC
  • DES-CBC-MD5
  • RC4-HMAC-NT
  • AES256-SHA1
  • AES128-SHA1
  • All

DES and RC4 are deprecated: DES is disabled by default on current Windows versions, and the RC4 key is simply the NT hash of the account password. Specify AES256-SHA1 (or AES128-SHA1) unless a client in your environment can only negotiate RC4. All writes a key of every listed type, including the deprecated ones, into the keytab; it is the compatibility-first choice shown in the example above, but it leaves weaker keys on disk. Whichever value you choose, confirm that the Kerberos Service Account is permitted to use AES (the "This account supports Kerberos AES 128/256 bit encryption" options, stored in the msDS-SupportedEncryptionTypes attribute); otherwise the domain controller will not issue AES-encrypted service tickets to the gateway and the AES keys in the keytab go unused.
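Before transferring the keytab to the Certificate Enrollment Gateway server, it is worth confirming what ktpass actually wrote: that the entry is for the expected principal, what the key version number is, and which encryption types are present. Windows has no built-in keytab reader, so the following Python script (an added example, not part of this page or of Certificate Enrollment Gateway) parses the 0x0502 keytab format that ktpass produces, lists each entry without exposing key bytes, and flags deprecated DES and RC4 keys. The keytabs built by demo() are constructed in code with dummy key bytes so the script runs offline; pass a real keytab path and the expected principal on the command line to inspect ktpass output.

```python
"""Inspect a Kerberos keytab (format 0x0502, as written by ktpass) and flag weak keys."""
import struct
import sys

# RFC 3961 enctype numbers, named as ktpass spells them for /crypto.
ENCTYPES = {1: "DES-CBC-CRC", 3: "DES-CBC-MD5", 17: "AES128-SHA1",
            18: "AES256-SHA1", 23: "RC4-HMAC-NT"}
DEPRECATED = {1, 3, 23}   # DES and RC4
AES = {17, 18}
KRB5_NT_PRINCIPAL = 1     # the /ptype used in the ktpass command above


def _counted(data, pos):
    """Read one 16-bit length-prefixed octet string; return (bytes, new_pos)."""
    (n,) = struct.unpack_from(">H", data, pos)
    pos += 2
    return data[pos:pos + n], pos + n


def parse_keytab(data):
    """Return [(principal, kvno, enctype, key_length)] for every live entry.

    Layout (all big-endian): 0x0502, then per entry an int32 size followed by
    uint16 component count, realm, components, uint32 name type, uint32
    timestamp, uint8 kvno, uint16 enctype, uint16 key length, key bytes and an
    optional uint32 kvno that overrides the 8-bit one. A negative size marks a
    deleted slot. Key bytes are skipped and never returned.
    """
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r (expected 0x0502)" % data[:2])
    entries, pos = [], 2
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _counted(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted(data, pos)
            comps.append(comp.decode())
        _name_type, _timestamp, kvno = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, keylen = struct.unpack_from(">HH", data, pos)
        pos += 4 + keylen
        if end - pos >= 4:
            (kvno32,) = struct.unpack_from(">I", data, pos)
            kvno = kvno32 or kvno
        pos = end
        entries.append(("/".join(comps) + "@" + realm.decode(), kvno, enctype, keylen))
    return entries


def check_keytab(data, expected_principal):
    """Return (ok, findings): ok is False if the expected principal is missing,
    no AES key exists, or any deprecated enctype is present."""
    entries = parse_keytab(data)
    findings = []
    if expected_principal not in {e[0] for e in entries}:
        findings.append("expected principal %s not found" % expected_principal)
    if not any(e[2] in AES for e in entries):
        findings.append("no AES key present")
    for principal, kvno, enctype, _ in entries:
        if enctype in DEPRECATED:
            findings.append("%s kvno %d carries deprecated %s key"
                            % (principal, kvno, ENCTYPES[enctype]))
    return not findings, findings


def build_keytab(principal, keys, kvno=2):
    """Write a minimal 0x0502 keytab for one principal. Constructed test data only:
    keys maps enctype -> key bytes, and the bytes used here are placeholders."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    out = bytearray(b"\x05\x02")
    for enctype, key in keys.items():
        body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
        for comp in comps:
            body += struct.pack(">H", len(comp)) + comp.encode()
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, 0, kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


PRINCIPAL = "HTTP/cegserver1.example.com@EXAMPLE.COM"


def demo():
    """Run the checker over what /crypto All and /crypto AES256-SHA1 would produce."""
    all_kt = build_keytab(PRINCIPAL, {1: b"\x01" * 8, 3: b"\x02" * 8, 23: b"\x03" * 16,
                                      17: b"\x04" * 16, 18: b"\x05" * 32})
    aes_kt = build_keytab(PRINCIPAL, {18: b"\x06" * 32})
    return check_keytab(all_kt, PRINCIPAL), check_keytab(aes_kt, PRINCIPAL)


if __name__ == "__main__":
    if len(sys.argv) == 3:                      # <keytab_path> <expected principal>
        with open(sys.argv[1], "rb") as f:
            data = f.read()
        for principal, kvno, enctype, keylen in parse_keytab(data):
            print("%-45s kvno=%d %s (%d-byte key)" % (
                principal, kvno, ENCTYPES.get(enctype, "enctype %d" % enctype), keylen))
        ok, findings = check_keytab(data, sys.argv[2])
        print("OK" if ok else "\n".join(findings))
        sys.exit(0 if ok else 1)
    for ok, findings in demo():
        print("OK" if ok else "; ".join(findings))
```

Run it on the CEG host after copying the file, for example python3 keytab_check.py kerberos.keytab HTTP/cegserver1.example.com@EXAMPLE.COM; a non-zero exit means the keytab is missing the principal, has no AES key, or still carries DES or RC4 keys. The script only ever reports key lengths, so its output is safe to paste into a ticket.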