Edward Irvine wrote:
> Hi,
> I'd like to find out if there is any way to extract a HOST keytab for
> a windows computer that is already a member of an active directory
> domain.

Do you have to be use the Windows "host" principal? Can your application
use a different principal, like HTTP or LDAP or make up your own.

Then your application server has its own keyfile, and does not need access
to the one use by Windows for login. There are security issues with letting
an application access this key. It could then impersonate any user to the

> A Java developer I look after wants to do the single sign on thing to
> his web application. Our environment is a mixed Active Directory and
> Solaris environment.
> By creating a new user in active directory, and mapping the user to a
> service principle using ktpass.exe, we now have SPNEGO single sign on
> working between the clients Internet Explorer and the JBoss server on
> *Solaris*. So far so good.

A common misunderstanding when reading the Microsoft docs Kerberos
and service principals has to do with the term "user".
The "user" account referred to with ktpass, is an ldap term for the
objectclass user. Kerberos service principals need a "user" account
in AD. This user account has nothing to do with real users who will
authenticate to the service.

> The developer, who uses a Windows workstation that is part the Active
> Directory domain, now wants the SPNEGO authentication to work in his
> own windows workstation - and for that to work I need to get the
> keytab for the host/pingname.of.host@KERBEROS.REALM.NAME
> A quick LDAP lookup of his workstation in AD reveals that it already
> has a servicePrincipalName of HOST/pingname.of.host - so presumably I
> can extract the keytab somehow. But how?

Not really. They also change the keys every so often, so you don't
want to copy it.

If your Java application needs to act as a server, and really use the
"host" service principal, can you use some Java to SSPI-service class?
(Don't know if one exists.) (GSSAPI and SSPI use the same protocols.)

> I don't personally have admin access to the AD domain, but I work
> with the folks who do.
> Eddie
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos


Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444