Again, from the referenced MSDN article:
Create the user account in AD using the Active Directory Users and Computers Snap-in, and set the password. Do NOT select
“User must change password at next logon”, and remember the password. The account name does NOT need to be a FQDN (fully qualified
domain name), just the host name. For example, if a JACE’s FQDN is myJace.example.com, the account name should simply be “myJace”.
Create the SPNs associated with this account on the KDC:
setspn -A host/mysrvr.example.com mysrvr
setspn -A HTTP/mysrvr.example.com mysrvr
Use upper-case “HTTP” to match the way Internet Explorer builds SPNs. Alternatively, you can run ktpass (as shown below) to
create the SPNs. When using the “-princ” option of ktpass, you are specifying the Kerberos principal that is to be registered
in the realm; the “-mapuser” option should be the account created in step 1 (above). Whether or not you run setspn, ktpass
must be run to generate the necessary keytab files.
Create and export the keytabs:
ktpass -princ host/mysrvr.example.com@EXAMPLE.COM -pass <password> -mapuser mysrvr -out c:\temp\mysrvr.host.keytab
ktpass -princ HTTP/mysrvr.example.com@EXAMPLE.COM -pass <password> -mapuser mysrvr -out c:\temp\mysrvr.HTTP.keytab
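To check that an exported keytab really holds the principals registered above, and with which key type, the file can be inspected without exposing the key bytes. The following Python sketch is an added example, not part of the original document or of any vendor tooling; it assumes the keytab uses the MIT file layout (version 0x0502), and the function names and sample data are constructed for illustration.

```python
import struct

# Kerberos enctype numbers for the AES and RC4 key types; others print as enctype-N.
ENCTYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

def _counted(buf, pos):  # uint16 length + bytes -> (text, next position)
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n].decode(), pos + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] from a version 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        p, pos = pos + 4, pos + 4 + abs(size)   # p: entry start, pos: next record
        if pos > len(data):
            raise ValueError("truncated keytab entry")
        if size <= 0:                      # negative size marks a deleted slot
            continue
        (ncomp,) = struct.unpack_from(">H", data, p)
        parts, p = [], p + 2
        for _ in range(ncomp + 1):         # realm first, then name components
            s, p = _counted(data, p)
            parts.append(s)
        _ntype, _time, kvno, etype, klen = struct.unpack_from(">IIBHH", data, p)
        p += 13 + klen                     # step over the key; never print it
        if pos - p >= 4:                   # optional 32-bit kvno wins if non-zero
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        entries.append(("/".join(parts[1:]) + "@" + parts[0], kvno,
                        ENCTYPES.get(etype, "enctype-%d" % etype)))
    return entries

def audit(data, expected):
    """Report expected principals that are absent and keys that are not AES."""
    found = parse_keytab(data)
    issues = ["missing " + e for e in expected if e not in {f[0] for f in found}]
    return issues + ["non-AES %s key for %s" % (f[2], f[0])
                     for f in found if not f[2].startswith("aes")]

def sample_entry(spn, realm, kvno, etype, key=b"\x00" * 16):  # constructed demo data
    parts = [realm] + spn.split("/")
    body = struct.pack(">H", len(parts) - 1)
    body += b"".join(struct.pack(">H", len(s)) + s.encode() for s in parts)
    body += struct.pack(">IIBHH", 1, 0, kvno, etype, len(key)) + key
    return struct.pack(">i", len(body)) + body

# Constructed sample (dummy all-zero key): one RC4 entry for the HTTP principal.
SAMPLE = b"\x05\x02" + sample_entry("HTTP/mysrvr.example.com", "EXAMPLE.COM", 3, 23)
```

Run `audit()` on the bytes of each exported file with the `-princ` values used above as the expected list; an empty result means every expected principal is present with an AES key.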
Copyright © 2000-2014 Tridium Inc. All rights reserved.