Kerberos Keytab: Manage the Kerberos Keytab

Users & Security > Kerberos Keytab

Kerberos Keytab Management

BeyondTrust supports single sign-on functionality using the Kerberos authentication protocol. This enables users to authenticate to the BeyondTrust Appliance without having to enter their credentials. Kerberos authentication applies both to the /login web interface and to the access console.

To integrate Kerberos with your BeyondTrust Appliance, you must have a Kerberos implementation either currently deployed or in the process of being deployed. Specific requirements are as follows:

  • You must have a working Key Distribution Center (KDC) in place.
  • Clocks must be synchronized across all clients, the KDC, and the BeyondTrust Appliance. Using a Network Time Protocol server (NTP) is an easy way to ensure this.
  • You must have a Service Principal Name (SPN) created on the KDC for your BeyondTrust Appliance.

Configured Principles

The Configured Principals section lists all of the available SPNs for each uploaded keytab.

Once you have available SPNs, you can configure a Kerberos security provider from the Security Providers page and define which user principals may authenticate to the BeyondTrust Appliance via Kerberos.

Import Keytab


Export the keytab for the SPN from your KDC and upload it to the BeyondTrust Appliance via the Import Keytab section of this page.

For more information, please see Two-Factor Authentication Setup Using a Time-Based, One-Time Password (TOTP).