Kerberos Keytab: Manage the Kerberos Keytab

Users & Security > Kerberos Keytab

Kerberos Keytab Management

BeyondTrust supports single sign-on functionality using the Kerberos authentication protocol. This enables users to authenticate to the Secure Remote Access Appliance without having to enter their credentials. Kerberos authentication applies both to the /login web interface and to the representative console.

To integrate Kerberos with your Secure Remote Access Appliance, you must have a Kerberos implementation either currently deployed or in the process of being deployed. Specific requirements are as follows:

  • You must have a working Key Distribution Center (KDC) in place.
  • Clocks must be synchronized across all clients, the KDC, and the Secure Remote Access Appliance. Using a Network Time Protocol server (NTP) is an easy way to ensure this.
  • You must have a Service Principal Name (SPN) created on the KDC for your Secure Remote Access Appliance.

Configured Principles

The Configured Principals section lists all of the available SPNs for each uploaded keytab.

Once you have available SPNs, you can configure a Kerberos security provider from the Security Providers page and define which user principals may authenticate to the Secure Remote Access Appliance via Kerberos.

Import Keytab


Export the keytab for the SPN from your KDC and upload it to the Secure Remote Access Appliance via the Import Keytab section of this page.

For more information, please see Kerberos Server for Single Sign-On.