Updated How do I create a keytab for an HDInsight ESP cluster

sreekzz · web-flow · commit 976cae322d1e · 2023-03-06T13:42:46.000+05:30
Updated How do I create a keytab for an HDInsight ESP cluster Ref PR https://github.com/Azure/azure-docs/pull/3 Ref-nicjohn79
diff --git a/articles/hdinsight/hdinsight-faq.yml b/articles/hdinsight/hdinsight-faq.yml
@@ -8,7 +8,7 @@ metadata:
   ms.service: hdinsight
   ms.custom: hdinsightactive,seoapr2020
   ms.topic: faq
-  ms.date: 07/19/2022
+  ms.date: 02/06/2023
 title: "Azure HDInsight: Frequently asked questions"
 summary: |
     This article provides answers to some of the most common questions about how to run [Azure HDInsight](https://azure.microsoft.com/services/hdinsight/).
@@ -180,13 +180,40 @@ sections:
           Create a Kerberos keytab for your domain username. You can later use this keytab to authenticate to remote domain-joined clusters without entering a password. The domain name is uppercase:
           
           ```shell
+
           ktutil
-          ktutil: addent -password -p <username>@<DOMAIN.COM> -k 1 -e RC4-HMAC
+          ktutil: addent -password -p <username>@<DOMAIN.COM> -k 1 -e aes256-cts-hmac-sha1-96
           Password for <username>@<DOMAIN.COM>: <password>
           ktutil: wkt <username>.keytab
           ktutil: q
           ```
           
+      - question: |
+          When is salting required for AES256 encryption when creating the keytab?
+        answer: |
+          If your TenantName & DomainName are different (example TenantName – bob@CONTOSO.ONMICROSOFT.COM & DomainName – bob@CONTOSOMicrosoft.ONMICROSOFT.COM), you need to add a SALT value using the -s option. 
+          
+      - question: |
+          How do I determine the proper SALT value?
+        answer: |
+          1. Use an interactive Kerberos login to determine the proper salt value for the keytab. Interactive Kerberos login will use the highest encryption by default. Tracing should be enabled to observe the salt. Below is a sample Kerberos login:
+          
+          ```shell
+          
+          $ KRB5_TRAACE=/dev/stdout kinit <username> -V
+          ```
+          2. Look through the output for the salt "......." line.
+          3. Use this salt value when creating the keytab.
+          
+          ```shell
+
+          ktutil
+          ktutil: addent -password -p <username>@<DOMAIN.COM> -k 1 -e aes256-cts-hmac-sha1-96 -s <SALTvalue>
+          Password for <username>@<DOMAIN.COM>: <password>
+          ktutil: wkt <username>.keytab
+          ktutil: q
+          ```
+ 
       - question: |
           Can I use an existing Azure Active Directory tenant to create an HDInsight cluster that has the ESP?
         answer: |
