Step 5: Customizing Attribute Mappings

18-10 Oracle Fusion Middleware Administrator's Guide for Oracle Directory Integration Platform

must appear after the IP address and before the short name. The following is an example of a correct entry:

130.111.111.111 sso.MyCompany.com sso loghost

4. Perform the following tasks to create a user account and keytab file in Microsoft Active Directory that will be used by the logical Oracle Application Server Single Sign-On host:

a. Log in to the Microsoft Active Directory Management tool on the Windows 2000 server, then choose Users, then New, then User. Enter the name of the OracleAS Single Sign-On Server host, omitting the domain name. For example, if the host name is sso.MyCompany.com, then enter sso. This is the account name in Microsoft Active Directory. Note the password that you assigned to the account; you will need it later. Do not select User must change password at next logon.

b. Create a keytab file for the OracleAS Single Sign-On Server, and map the account name to the service principal name. You perform both tasks by running the following command on the Windows 2000 server:

C:\> Ktpass -princ HTTP/sso.MyCompany.com@MyCompany.com -pass password -mapuser sso -out sso.keytab

The -princ argument is the service principal. Specify the value for this argument by using the format HTTP/single_sign-on_host_name@KERBEROS_REALM_NAME. Note that HTTP and the Kerberos realm must be uppercase. Note that single_sign-on_host_name can be either the OracleAS Single Sign-On Server host itself or the name of a load balancer where multiple OracleAS Single Sign-On Server middle tiers are deployed. MyCompany.com is a fictitious Kerberos realm in Microsoft Active Directory. The user container is located within this realm. The -pass argument is the account password, the -mapuser argument is the account name of the OracleAS Single Sign-On Server middle tier, and the -out argument is the output file that stores the service key. Be sure to replace the example values given with values suitable for your installation. These values appear in boldface in the example.

5. For each Oracle Application Server Single Sign-On host, copy or FTP the keytab file, sso.keytab, to the OracleAS Single Sign-On Server middle tier, placing it in ORACLE_HOME/j2ee/OC4J_SECURITY/config. If you use FTP, be sure to transfer the file in binary mode.

Note:

■ If Ktpass is not found on your computer, then download the Windows Resource Kit from Microsoft to obtain the utility.

■ The default encryption type for Microsoft Kerberos tickets is RC4-HMAC. Microsoft also supports DES-CBC and DES-CBC-MD5, two DES variants used in MIT-compliant implementations. Ktpass converts the key type of the KDC account from RC4_HMAC to DES.
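The keytab copied in step 5 can be inspected on the middle tier before the server is restarted. As an added example (not from the Oracle documentation), the Python below builds a constructed keytab in the file format ktpass writes (version 0x0502), parses it back, and reports each entry's service principal, key version and encryption type, so an administrator can confirm that the HTTP/host@REALM principal is present, whether the key is DES or RC4-HMAC, and that a binary-mode transfer left the header intact. The enctype numbers and the sample principal and key are assumptions taken from the Kerberos RFCs and the example above.

```python
import struct

# Kerberos encryption-type numbers (RFC 3961 section 8; rc4-hmac from RFC 4757).
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "rc4-hmac",
            17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}

def _counted(b):  # keytab counted string: 16-bit big-endian length, then the bytes
    return struct.pack(">H", len(b)) + b

def build_keytab(entries):
    """Build a version 0x0502 keytab from (principal, realm, kvno, enctype, key) tuples."""
    out = b"\x05\x02"
    for principal, realm, kvno, enctype, key in entries:
        comps = principal.encode().split(b"/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        body += b"".join(_counted(c) for c in comps)
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # name type, timestamp, 8-bit kvno
        body += struct.pack(">H", enctype) + _counted(key)
        out += struct.pack(">i", len(body)) + body
    return out

def _read_counted(buf, p):  # returns (decoded string, offset just after it)
    (n,) = struct.unpack_from(">H", buf, p)
    return buf[p + 2:p + 2 + n].decode(), p + 2 + n

def parse_keytab(data):
    """Return [(principal@REALM, kvno, enctype name)] for each entry of a 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a 0x0502 keytab; was the file transferred in binary mode?")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:  # a negative size marks a deleted slot; skip it
            pos -= size
            continue
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, p = _read_counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, p = _read_counted(data, p); comps.append(comp)
        _name_type, _stamp, vno8, enctype = struct.unpack_from(">IIBH", data, p)
        entries.append(("/".join(comps) + "@" + realm, vno8, ENCTYPES.get(enctype, "enctype %d" % enctype)))
        pos += size  # skips the key bytes and any trailing 32-bit kvno
    return entries

# Constructed sample: the single entry ktpass would write for the SSO host, with a DES key (enctype 3).
SAMPLE = build_keytab([("HTTP/sso.MyCompany.com", "MYCOMPANY.COM", 2, 3, b"\x01" * 8)])
```

On the middle tier, pass the real file to the parser with parse_keytab(open("sso.keytab", "rb").read()) and compare the reported principal and encryption type with what ktpass was told to produce.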