Setting up a test Windows Server + Active Directory for Kerberos testing


  • My company wants me to set up a POC of a working Gitlab with Kerberos integration. They want me to set up a totally isolated test where I set up a test windows server with active directory domain, enable kerberos, then show how a user logged into the domain can automatically be authenticated with gitlab.

    Gitlab is hosted on a Windows Server 2016 instance.

    Users will be logged into their own workstations plugged into the domain.

    So I have created a Windows Server 2016 VM set up with Active Directory domain. Works fine.

    But now I'm stuck.

    I know I need these inputs

    Realm - for example:


    Service principal - for example:


    Keytab file - for example:


    Is there a simple set of steps I can perform to

    • Configure the Windows server instance / active directory to allow kerberos auth?
    • Generate the realm, service principal and keytab files?

    The docs I'm finding are all pretty "production" usage i'm just doing a single VM test.

    The best one I can find so far is but it's pretty hard to translate to the steps I'll actually need

    Thursday, November 02, 2017 9:39 PM

All replies

  • Hi,

    I am trying to involve someone familiar with this topic to further look at this query. There might be some time delay. Appreciate your patience.
    Thank you for your understanding and support.

    Best Regards,


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact

    Friday, November 03, 2017 1:52 AM
  • Configure the Windows server instance / active directory to allow kerberos auth?

    > Nothing. Things are working out of the box. Depending on the version of your domain controller, legacy encryption will be disabled though (3DES for Kerberos is disabled by default since Windows Server 2008 R2).

    Generate the realm, service principal and keytab files?

    > The realm is just the DNS name of your AD domain. The SPN is the SPN you want as long as the client can built a request for it. So in your example, it would be the SPN of a web service accessed by a client typing  (or https://) for example in IE or Edge. To create the Keytab file, you can use the builtin tool KTPASS. Info and examples here:

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Friday, November 03, 2017 2:25 PM
  • Hi Pierre, I keep getting stuck by an error from our security library complaining that Defective token detected (Mechanism level: GSSHeader did not find the right tag)

    I am trying to decipher what "Defective token" means. Do you have any ideas for what i'm missing?

    Here is a full description of my issue:  

    Friday, November 10, 2017 4:43 PM