Mar 27, 2026 - For details about updated CVE-2025-53521 (BIG-IP APM vulnerability), refer to K000156741.

Forum Discussion

Wire's avatar
Wire
Sep 03, 2013

APM - How to create a keytab file with multiple SPNs

Hi,   I have run into a problem using Kerberos Authentication when using CNAMEs in DNS.   You can search the web but basically if you use a CNAME record like "www CNAME www1" and then A records...
BIG-IP Access Policy Manager (APM)
design
kerberos
security
Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Sep 03, 2013

There are actually two ways (that I know of) to aggregate multiple keys into a single keytab:

  1. The first is with ktutil (you’ll need to copy the keytabs to a Linux box, merge, then copy back).

  2. The second way, which I think is much easier, uses the “-in” option of the ktpass utility. Follow this link for additional information (under the section "Appending Additional Keytabs to Create the Final Master Keytab File"

    http://fusionsecurity.blogspot.com/2013/02/part-2-how-to-configure-oam11g-wna-for.html

     ktpass -princ HTTP/oam.server.com@FOREST2.PIXIE.COM /
-mapuser oamkrb5 /
-pass Oracle123 /
-ptype KRB5_NT_PRINCIPAL /
-crypto ALL /
-in forest1.krb5.keytab /
-out forest2.krb5.keytab

** where "-in forest1.krb5.keytab" is the keytab file that contains existing keytabs

I can't speak for win2003, but this method definitely works in Win2008R2.

Now, you can add the additional SPNs on the Domain Controllers using the MS tool "setspn" with the "-A" switch no problem against the same service account.

This would probably work if you were using a domain account with IIS. If www1 and www2 are separate hosts on the same domain and you added www as an SPN to each, then you'd have a duplicate SPN in the directory. Also, if www1 and www2 are behind separate VIPs, presumably because you're doing GSLB, you could also probably just create separate keytab files.