While following the steps in NTLM or Kerberos single sign-on for Internet Access | TrendAI™, the ktpass command fails to generate a valid keytab file, and the SPN does not match the host name of the selected on-premises gateway.
Cause:
Kerberos principal names are case-sensitive, and ktpass writes the principal into the keytab exactly as it was typed. The error occurs when the casing in the keytab generation command does not follow the required convention:
- The server FQDN of your on-premises gateway (<auth proxy fqdn>), which forms the host part of the SPN, must be entered in all lowercase.
- The Kerberos realm, which is your Active Directory domain (@<DOMAIN>), must be entered in all uppercase.
If either value is entered with incorrect casing, the principal stored in the keytab will not match the host name of the selected on-premises gateway, and the command does not produce a usable keytab.
Resolution:
Re-run the ktpass command, making sure the casing is correct:
- Enter the on-premises gateway server FQDN (<auth proxy fqdn>) entirely in lowercase.
- Enter the Kerberos realm / Active Directory domain (@<DOMAIN>) entirely in uppercase.
For example:
ktpass -princ HTTP/auth-proxy.example.com@EXAMPLE.COM -mapuser <user> -pass <password> -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -out <filename>.keytab
In the example above, note that the host part auth-proxy.example.com is lowercase while the realm EXAMPLE.COM is uppercase. Keep in mind that running ktpass with -pass resets the password of the mapped account and increments its key version number, so any keytab generated earlier for that account stops working and must be replaced on the gateway.
After correcting the casing, the keytab file should generate successfully and the SPN will match the host name of the selected on-premises gateway. You can confirm that the SPN is registered on the mapped account with setspn -L <user>.
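The following PowerShell is an added example and is not part of the Trend Micro article or product: it normalizes the gateway FQDN and realm to the required casing before calling ktpass, checks the resulting principal, and then lists the account's SPNs with setspn. The host name, domain, service account name and output path are placeholders; the ktpass switches are the same ones used in the article's example.

```powershell
# Added example (not from the article). Assumed placeholders: Auth-Proxy.Example.com,
# example.com, svc-authproxy and C:\temp\authproxy.keytab. Run as a domain admin.

function New-GatewayKeytabCommand {
    param(
        [Parameter(Mandatory)] [string] $GatewayFqdn,   # on-premises gateway FQDN, any casing
        [Parameter(Mandatory)] [string] $Domain,        # Active Directory domain, any casing
        [Parameter(Mandatory)] [string] $MapUser,       # AD service account to map the SPN to
        [Parameter(Mandatory)] [string] $OutFile,       # keytab path to write
        [string] $Service = 'HTTP'
    )

    # Kerberos principal names are case-sensitive: host part lowercase, realm uppercase.
    $hostPart  = $GatewayFqdn.Trim().TrimEnd('.').ToLowerInvariant()
    $realm     = $Domain.Trim().ToUpperInvariant()
    $principal = "$Service/$hostPart@$realm"

    # ktpass with -pass resets the account password and increments its key version
    # number, so any keytab generated earlier for this account stops working.
    $ktpassArgs = @(
        '-princ',   $principal
        '-mapuser', $MapUser
        '-pass',    '*'                 # '*' makes ktpass prompt instead of taking the password on the command line
        '-crypto',  'AES256-SHA1'
        '-ptype',   'KRB5_NT_PRINCIPAL'
        '-out',     $OutFile
    )
    return [pscustomobject]@{ Principal = $principal; Args = $ktpassArgs }
}

function Test-PrincipalCasing {
    param([Parameter(Mandatory)] [string] $Principal)
    # True only when the host part is entirely lowercase and the realm entirely uppercase.
    if ($Principal -notmatch '^(?<svc>[^/]+)/(?<host>[^@]+)@(?<realm>.+)$') { return $false }
    return ($Matches.host  -ceq $Matches.host.ToLowerInvariant()) -and
           ($Matches.realm -ceq $Matches.realm.ToUpperInvariant())
}

# Wrong casing on input is corrected before it reaches ktpass.
$cmd = New-GatewayKeytabCommand -GatewayFqdn 'Auth-Proxy.Example.com' -Domain 'example.com' `
                                -MapUser 'svc-authproxy' -OutFile 'C:\temp\authproxy.keytab'
$cmd.Principal                                 # HTTP/auth-proxy.example.com@EXAMPLE.COM
Test-PrincipalCasing $cmd.Principal            # True
Test-PrincipalCasing 'HTTP/Auth-Proxy.example.com@example.com'   # False: this is the failing form

# Generate the keytab, then confirm the SPN is registered on the mapped account.
& ktpass.exe $cmd.Args
setspn -L svc-authproxy
```

Test-PrincipalCasing uses the case-sensitive -ceq operator on purpose; PowerShell's default -eq is case-insensitive and would report the wrongly cased principal as fine. The generated keytab should then be copied to the on-premises gateway, replacing any earlier one for the same account.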
