
I have implemented Kerberos Single Sign On authentication on one web application. In order to do that I generated a keytab file in the Active Directory for this specific app (ex: app1.domain.com).

If I want to implement SSO auth in another app in the same domain (ex: app2.domain.com) do I absolutely have to generate another keytab file?

Isn't it possible to have a single keytab file for every app in domain.com?

ee11131
  • You can _merge_ the content of keytab files generated by your AD admin (using an AD command-line utility) with another cmd-line utility. But the real question is about **securing the file** i.e. restricting access privileges -- do your apps run under the same service account? on the same servers? Also, about maintenance -- what about password rotation, do they expire or not, at the same time or not? – Samson Scharfrichter Nov 08 '18 at 08:24
  • Remember that a keytab file is nothing more than a (list of) password(s). Any process that can read the keytab can "steal" the password(s) and impersonate the service account. – Samson Scharfrichter Nov 08 '18 at 08:27
  • Thank you Samson, so, based on your comments it is possible to have a single keytab file for every app in the domain but for security reasons it should be avoided. – ee11131 Nov 08 '18 at 12:29
  • Correct, you can use one keytab for every app in your domain. Copy it to everywhere it is needed. – T-Heron Nov 18 '18 at 01:17
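As an added example (not code from the question or from the comments above), the following Python reads, writes and merges keytab files in the MIT keytab format (version 0x0502, the format MIT `ktutil` reads and writes) and checks the file's permission bits. The merge is what `ktutil`'s `rkt`/`wkt` sequence does, and the `dump` function makes the second point concrete: each entry is a long-term key that any process able to read the file can use as-is. The principals, key bytes and temporary paths are constructed placeholders, not real Active Directory keys.

```python
import os
import struct
import tempfile
from dataclasses import dataclass

# Keytab format 0x0502, integers big-endian.  Per entry:
#   int32 size | uint16 num_components | realm | component... | uint32 name_type
#   | uint32 timestamp | uint8 vno8 | uint16 enctype | key | [uint32 vno32]
# realm/component/key are uint16 length + bytes; a negative size is a deleted slot.
ETYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

@dataclass(frozen=True)
class KeytabEntry:
    principal: str      # e.g. "HTTP/app1.domain.com@DOMAIN.COM" (constructed)
    kvno: int
    enctype: int
    key: bytes          # raw long-term key: whoever can read it can impersonate the SPN
    timestamp: int = 0
    name_type: int = 1  # KRB5_NT_PRINCIPAL

def _counted(b):
    return struct.pack(">H", len(b)) + b

def encode_entry(e):
    name, realm = e.principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    body += b"".join(_counted(c.encode()) for c in comps)
    body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)
    body += struct.pack(">H", e.enctype) + _counted(e.key)
    body += struct.pack(">I", e.kvno)   # 32-bit kvno so values > 255 survive
    return struct.pack(">i", len(body)) + body

def write_keytab(path, entries):
    # Create owner-read/write only (0600): a keytab is a credential file.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with open(fd, "wb") as f:
        f.write(b"\x05\x02" + b"".join(encode_entry(e) for e in entries))

def read_keytab(path):
    with open(path, "rb") as f:
        data = f.read()
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []

    def counted():
        nonlocal pos
        (n,) = struct.unpack_from(">H", data, pos)
        s = data[pos + 2:pos + 2 + n]
        pos += 2 + n
        return s

    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                    # deleted slot: skip its payload
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm = counted().decode()
        comps = [counted().decode() for _ in range(ncomp)]
        name_type, ts, vno = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (etype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        key = counted()
        if end - pos >= 4:              # trailing 32-bit kvno overrides vno8
            vno = struct.unpack_from(">I", data, pos)[0] or vno
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm, vno, etype, key, ts, name_type))
    return entries

def merge_keytabs(out_path, *paths):
    """Same effect as ktutil 'rkt a; rkt b; wkt out': union of entries, first copy wins."""
    seen, merged = set(), []
    for p in paths:
        for e in read_keytab(p):
            if (e.principal, e.kvno, e.enctype) not in seen:
                seen.add((e.principal, e.kvno, e.enctype))
                merged.append(e)
    write_keytab(out_path, merged)
    return merged

def group_or_world_readable(path):
    """True if any group/other permission bit is set on the keytab."""
    return bool(os.stat(path).st_mode & 0o077)

def dump(entries):
    """What any reader of the file sees: one usable long-term key per line."""
    return ["%s kvno=%d %s key=%s" % (e.principal, e.kvno,
            ETYPE_NAMES.get(e.enctype, e.enctype), e.key.hex()) for e in entries]

def demo():
    """Constructed per-app keytabs -> one merged keytab; reports what the merged file exposes."""
    d = tempfile.mkdtemp()
    app1, app2, both = (os.path.join(d, n) for n in ("app1.keytab", "app2.keytab", "merged.keytab"))
    write_keytab(app1, [KeytabEntry("HTTP/app1.domain.com@DOMAIN.COM", 3, 18, bytes([0x11]) * 32),
                        KeytabEntry("HTTP/app1.domain.com@DOMAIN.COM", 300, 17, bytes([0x12]) * 16)])
    write_keytab(app2, [KeytabEntry("HTTP/app2.domain.com@DOMAIN.COM", 7, 18, bytes([0x22]) * 32)])
    merged = merge_keytabs(both, app1, app2, app1)   # app1 given twice: duplicates are dropped
    return {"merged": merged, "roundtrip_ok": read_keytab(both) == merged,
            "lines": dump(merged), "exposed_to_others": group_or_world_readable(both)}

if __name__ == "__main__":
    print("\n".join(demo()["lines"]))
```

With the real tools the same merge is `ktutil`, then `rkt app1.keytab`, `rkt app2.keytab`, `wkt merged.keytab`; `klist -kte merged.keytab` lists the entries the way `dump` does. Whatever the file holds, restrict it to the service account that needs it (`chown`/`chmod 600`), and note that a merged file on a host that only needs app1's key now also carries app2's, which is the trade-off the comments above point at.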

0 Answers