Forum Discussion
There are actually two ways (that I know of) to aggregate multiple keys into a single keytab:
- The first is with ktutil (you’ll need to copy the keytabs to a Linux box, merge, then copy back).
- The second way, which I think is much easier, uses the “-in” option of the ktpass utility. Follow this link for additional information (under the section "Appending Additional Keytabs to Create the Final Master Keytab File"):
http://fusionsecurity.blogspot.com/2013/02/part-2-how-to-configure-oam11g-wna-for.html
ktpass -princ HTTP/oam.server.com@FOREST2.PIXIE.COM -mapuser oamkrb5 -pass Oracle123 -ptype KRB5_NT_PRINCIPAL -crypto ALL -in forest1.krb5.keytab -out forest2.krb5.keytab
** where "-in forest1.krb5.keytab" is the keytab file that contains the existing keytab entries
I can't speak for win2003, but this method definitely works in Win2008R2.
Now, you can add the additional SPNs on the Domain Controllers using the MS tool "setspn" with the "-A" switch no problem against the same service account.
This would probably work if you were using a domain account with IIS. If www1 and www2 are separate hosts on the same domain and you added www as an SPN to each, then you'd have a duplicate SPN in the directory. Also, if www1 and www2 are behind separate VIPs, presumably because you're doing GSLB, you could also probably just create separate keytab files.
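What either merge method produces is a single keytab file holding the entries of both inputs. The following is an added example (not code from the thread or from the linked blog post) that writes two small v2 keytabs, merges them the way ktutil/ktpass do (by concatenating entries), parses the result to list what ended up inside, and reports entries that share the same principal, kvno and enctype. The realm FOREST1.PIXIE.COM, the kvnos, and the key bytes are constructed placeholders; FOREST2.PIXIE.COM and the HTTP/oam.server.com SPN come from the post above. Useful for checking a merged keytab offline before dropping it on the server, and for seeing why merging a file with itself is a mistake.

```python
import struct
from collections import Counter

KEYTAB_MAGIC = b"\x05\x02"  # keytab file format version 0x0502 (MIT/Heimdal, also what ktpass writes)


def _counted(data):
    """Encode bytes as a counted_octet_string: uint16 big-endian length, then the bytes."""
    return struct.pack(">H", len(data)) + data


def _read_counted(blob, pos):
    """Decode a counted_octet_string at pos; return (bytes, new_pos)."""
    (n,) = struct.unpack_from(">H", blob, pos)
    pos += 2
    return blob[pos:pos + n], pos + n


def build_keytab(entries):
    """Serialize (principal, realm, kvno, enctype, key) tuples into a v2 keytab.
    principal is 'service/host'; components are split on '/'. This is a constructed
    writer for the example, not ktutil or ktpass."""
    out = bytearray(KEYTAB_MAGIC)
    for principal, realm, kvno, enctype, key in entries:
        comps = principal.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        body += struct.pack(">II", 1, 0)          # name_type KRB5_NT_PRINCIPAL (1), timestamp 0
        body += struct.pack(">B", kvno & 0xFF)    # 8-bit vno
        body += struct.pack(">H", enctype) + _counted(key)
        body += struct.pack(">I", kvno)           # optional 32-bit vno extension
        out += struct.pack(">i", len(body)) + body  # positive size = live entry
    return bytes(out)


def parse_keytab(blob):
    """Parse a v2 keytab into a list of entry dicts (principal, realm, kvno, enctype, key)."""
    if blob[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 0x0502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size < 0:                 # negative size marks a deleted slot of |size| bytes
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        realm, pos = _read_counted(blob, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_counted(blob, pos)
            comps.append(c.decode())
        _name_type, _timestamp = struct.unpack_from(">II", blob, pos)
        pos += 8
        kvno = blob[pos]
        pos += 1
        (enctype,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        key, pos = _read_counted(blob, pos)
        if end - pos >= 4:           # 32-bit vno present; it overrides the 8-bit one when nonzero
            (vno32,) = struct.unpack_from(">I", blob, pos)
            if vno32:
                kvno = vno32
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "realm": realm.decode(), "kvno": kvno, "enctype": enctype, "key": key})
    return entries


def merge_keytabs(*blobs):
    """Concatenate the entries of several keytabs, as ktutil rkt/wkt or ktpass -in/-out do.
    Entries are copied verbatim, so duplicates in the inputs survive into the output."""
    entries = [e for b in blobs for e in parse_keytab(b)]
    return build_keytab([(e["principal"].rsplit("@", 1)[0], e["realm"], e["kvno"], e["enctype"], e["key"])
                         for e in entries])


def find_duplicates(entries):
    """Return (principal, kvno, enctype) triples that occur more than once."""
    counts = Counter((e["principal"], e["kvno"], e["enctype"]) for e in entries)
    return sorted(k for k, n in counts.items() if n > 1)


# Constructed sample keytabs: one HTTP SPN per forest, RC4 (enctype 23) and AES256 (enctype 18).
FOREST1_KEYTAB = build_keytab([
    ("HTTP/oam.server.com", "FOREST1.PIXIE.COM", 3, 23, b"\x11" * 16),
    ("HTTP/oam.server.com", "FOREST1.PIXIE.COM", 3, 18, b"\x22" * 32),
])
FOREST2_KEYTAB = build_keytab([
    ("HTTP/oam.server.com", "FOREST2.PIXIE.COM", 5, 23, b"\x33" * 16),
    ("HTTP/oam.server.com", "FOREST2.PIXIE.COM", 5, 18, b"\x44" * 32),
])
MERGED_KEYTAB = merge_keytabs(FOREST1_KEYTAB, FOREST2_KEYTAB)

if __name__ == "__main__":
    # klist -kt style listing of the merged file
    for e in parse_keytab(MERGED_KEYTAB):
        print(f"{e['kvno']:4d}  enctype {e['enctype']:2d}  {e['principal']}")
    print("duplicates:", find_duplicates(parse_keytab(MERGED_KEYTAB)))
```

Run the script to get a klist-like listing of the merged file; the duplicate check is the part worth keeping around, since a keytab with two live entries for the same principal/kvno/enctype is the usual sign that a merge was run twice or that the wrong file was passed to -in.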