Server Configuration > Post Install Server Security > Special Considerations for Kerberos and Kerberos Single Sign On > Specifying Keytab for Kerberos SSO
 
Specifying Keytab for Kerberos SSO
If you are using the Kerberos SSO authentication domain (Windows SSO security policy), the Integrity Lifecycle Manager server needs to be able to access secret key information in order to authenticate service tickets received from the client. The Integrity Lifecycle Manager server can derive its secret key from a keytab file that is specified in the following properties in the security.properties file.
mks.security.SPN
mks.security.keyTabFile
mks.security.clientServiceName
mks.security.allowClientRegistryEdit
To support multiple domains, these properties must be repeated for each child domain, for example:
mks.security.SPN=integrityServer/parent
mks.security.keyTabFile=parent.keytab
mks.security.clientServiceName=parent
mks.security.SPN.1=integrityServer/child1
mks.security.keyTabFile.1=child1.keytab
mks.security.clientServiceName.1=child1
mks.security.SPN.2=integrityServer/child2
mks.security.keyTabFile.2=child2.keytab
mks.security.clientServiceName.2=child2
* 
Only multiple domains within a single forest are supported. Multiple forests are not supported.
* 
Do not supply the domain for mks.security.SPN. The domain is appended by the server during authentication. For example, mks.security.SPN=integrityServer/parent, not mks.security.SPN=integrityServer/parent.ABCDOMAIN.COM.
The root or main domain for the forest should be specified in the default settings. The children should be specified in the other settings, for example:
mks.security.SPN=integrityServer/parent
mks.security.keyTabFile=parent.keytab
mks.security.clientServiceName=parentISUser
mks.security.SPN.1=integrityServer/child1
mks.security.keyTabFile.1=child1.keytab
mks.security.clientServiceName.1=child1ISUser
mks.security.SPN.2=integrityServer/child2
mks.security.keyTabFile.2=child2.keytab
mks.security.clientServiceName.2=child2ISUser
To create a keytab file