This is a discussion on Re: Creating an MIT style keytab for an existing Windows AD membercomputer - Kerberos ; On Wed, Jul 23, 2008 at 3:59 AM, Edward Irvine wrote: > Hi, > > I'd like to find out if there is any way to extract a HOST keytab for > a windows computer that is already a member ...
On Wed, Jul 23, 2008 at 3:59 AM, Edward Irvine
> I'd like to find out if there is any way to extract a HOST keytab for
> a windows computer that is already a member of an active directory
> A Java developer I look after wants to do the single sign on thing to
> his web application. Our environment is a mixed Active Directory and
> Solaris environment.
> By creating a new user in active directory, and mapping the user to a
> service principle using ktpass.exe, we now have SPNEGO single sign on
> working between the clients Internet Explorer and the JBoss server on
> *Solaris*. So far so good.
> The developer, who uses a Windows workstation that is part the Active
> Directory domain, now wants the SPNEGO authentication to work in his
> own windows workstation - and for that to work I need to get the
> keytab for the host/pingname.of.host@KERBEROS.REALM.NAME
> A quick LDAP lookup of his workstation in AD reveals that it already
> has a servicePrincipalName of HOST/pingname.of.host - so presumably I
> can extract the keytab somehow. But how?
> I don't personally have admin access to the AD domain, but I work
> with the folks who do.
Extracting the keys from AD is not possible .
However, the ktpass utility from MS can set the password, generate the
corresponding key separately and put it into a keytab file.
Note that you must have at least account operator privilege to set a
password in AD.
 There is a freeware utility called ktexport that can extract the
keys from a DC and dump them into a keytab but it is only (sometimes)
useful for debugging purposes with WireShark. The resulting keytab is
not valid for use with any kind of service.
Michael B Allen
PHP Active Directory SPNEGO SSO