Creating a keytab with ktpass under a Computer account - Kerberos



  1. Creating a keytab with ktpass under a Computer account

    As I have seen people asking in the past about how to create a keytab with a
    Computer account, I put some details together:

    1) The ktpass version I used is from Windows2003 R2 File Version:
    5.2.3790.1830 (srv03_sp1_rtm.050324-1447)

    2) I only create RC4 keytabs as now MIT and Heimdal support it.

    3) Firstly I create a Computer Account e.g. testPRINCIPAL in AD with the
    User and Computer tool.

    4) Secondly I run ktpass /out testPrincipal.keytab /mapuser
    testPRINCIPAL$@WINDOWS2003.HOME /princ TESTSPN/FQDN@WINDOWS2003.HOME /crypto
    RC4-HMAC-NT /rndpass /ptype KRB5_NT_PRINCIPAL
    Targeting domain controller: w2k3.windows2003.home
    Using legacy password setting method
    Successfully mapped TESTSPN/FQDN to TESTPRINCIPAL$.
    WARNING: Account TESTPRINCIPAL$ is not a user account (uacflags=0x1021).
    WARNING: Resetting TESTPRINCIPAL$'s password may cause authentication
    problems if TESTPRINCIPAL$ is being used as a server.

    Reset TESTPRINCIPAL$'s password [y/n]? y
    WARNING: pType and account type do not match. This might cause problems.
    Key created.
    Output keytab to testPrincipal.keytab:
    Keytab version: 0x502
    keysize 64 TESTSPN/FQDN@WINDOWS2003.HOME ptype 1 (KRB5_NT_PRINCIPAL) vno 3
    etype 0x17 (RC4-HMAC) keylength 16 (0xd0fc81746c2bed1da5d505b491634ce5)

    4) I tested the keytab with kfw 3.0
    c:\Program Files\MIT\Kerberos\bin\kinit.exe -kt testPrincipal.keytab
    TESTSPN/FQDN@WINDOWS2003.HOME
    c:\Program Files\MIT\Kerberos\bin\klist.exe -e
    Ticket cache: API:krb5cc
    Default principal: TESTSPN/FQDN@WINDOWS2003.HOME

    Valid starting Expires Service principal
    05/06/06 15:22:05 05/07/06 01:22:05
    krbtgt/WINDOWS2003.HOME@WINDOWS2003.HOME
    Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5


    5) Remark: If ptype is KRB5_NT_SRV_HOST the principal name has to have a
    dot in the fqdn !!!!

    ktpass /out testComputer.keytab /mapuser testCOMPUTER$@WINDOWS2003.HOME
    /princ TESTSPN/FQDN@WINDOWS2003.HOME /crypto RC4-HMAC-NT /rndpass /ptype
    KRB5_NT_SRV_HST
    Targeting domain controller: w2k3.windows2003.home
    Using legacy password setting method
    Successfully mapped TESTSPN/FQDN to TESTCOMPUTER$.
    WARNING: Account TESTCOMPUTER$ is not a user account (uacflags=0x1021).
    WARNING: Resetting TESTCOMPUTER$'s password may cause authentication
    problems if TESTCOMPUTER$ is being used as a server.

    Reset TESTCOMPUTER$'s password [y/n]? y
    Invalid SPN.
    Failed to create key for keytab. Quitting.

    Now with a dot

    ktpass /out testComputer.keytab /mapuser testCOMPUTER$@WINDOWS2003.HOME
    /princ TESTSPN/FQDN.COM@WINDOWS2003.HOME /crypto RC4-HMAC-NT /rndpass /ptype
    KRB5_NT_SRV_HST
    Targeting domain controller: w2k3.windows2003.home
    Using legacy password setting method
    Successfully mapped TESTSPN/FQDN.COM to TESTCOMPUTER$.
    WARNING: Account TESTCOMPUTER$ is not a user account (uacflags=0x1021).
    WARNING: Resetting TESTCOMPUTER$'s password may cause authentication
    problems if TESTCOMPUTER$ is being used as a server.

    Reset TESTCOMPUTER$'s password [y/n]? y
    Key created.
    Output keytab to testComputer.keytab:
    Keytab version: 0x502
    keysize 68 TESTSPN/FQDN.COM@WINDOWS2003.HOME ptype 3 (KRB5_NT_SRV_HST) vno
    14 etype 0x17 (RC4-HMAC) keylength 16 (0xd0fc81746c2bed1da5d505b491634ce5)

    c:\Program Files\MIT\Kerberos\bin\kinit.exe -kt testComputer.keytab
    TESTSPN/FQDN.COM@WINDOWS2003.HOME
    c:\Program Files\MIT\Kerberos\bin\klist.exe -e
    Ticket cache: API:krb5cc
    Default principal: TESTSPN/FQDN.COM@WINDOWS2003.HOME

    Valid starting Expires Service principal
    05/06/06 15:31:32 05/07/06 01:31:32
    krbtgt/WINDOWS2003.HOME@WINDOWS2003.HOME
    Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5


    Regards
    Markus



  2. Re: Creating a keytab with ktpass under a Computer account

    On Sat, 6 May 2006 16:02:50 +0100
    "Markus Moeller" wrote:

    > As I have seen in the past people asking about how to create a keytab with a
    > Computer account I put some details together:
    >
    > 1) The ktpass version I used is from Windows2003 R2 File Version:
    > 5.2.3790.1830 (srv03_sp1_rtm.050324-1447)


    Excellent. I was wondering how to do this. Apparently my Support Tools
    package was out of date though - I had to grab the latest to get /crypto
    to support anything but des-cbc-md5.

    Thanks,
    Mike
    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  3. Re: Why creating a keytab with a DES key does not work with ktpass under a Computer account

    In addition to my previous mail

    > As I have seen in the past people asking about how to create a keytab with
    > a Computer account I put some details together:
    >
    > 1) The ktpass version I used is from Windows2003 R2 File Version:
    > 5.2.3790.1830 (srv03_sp1_rtm.050324-1447)
    >
    > 2) I only create RC4 keytabs as now MIT and Heimdal support it.


    The other reason to use only RC4 is that ktpass has a bug when used with
    Computer accounts on Windows 2003 SP1: ktpass uses the wrong Salt (this has
    been corrected in tools like msktutil). A ktpass with DES on a User account
    looks like:

    ktpass /crypto des-cbc-crc /desonly /ptype KRB5_NT_PRINCIPAL /rndpass /out
    DESUSER.keytab /princ TESTUSERSPN/DES@WINDOWS2003.HOME /mapuser
    testUser@WINDOWS2003.HOME
    Targeting domain controller: w2k3.windows2003.home
    Using legacy password setting method
    Successfully mapped TESTUSERSPN/DES to testUser.
    Key created.
    Output keytab to DESUSER.keytab:
    Keytab version: 0x502
    keysize 59 TESTUSERSPN/DES@WINDOWS2003.HOME ptype 1 (KRB5_NT_PRINCIPAL) vno 3
    etype 0x1 (DES-CBC-CRC) keylength 8 (0xd925940d9be5c4ec)
    Account testUser has been set for DES-only encryption.

    And a kinit -kt DESUSER.keytab TESTUSERSPN/DES@WINDOWS2003.HOME gives the
    following AS-REQ/AS-REP

    No. Time Source Destination Protocol Info
    1 0.000000 opensuse.suse.home w2k3.windows2003.home KRB5 AS-REQ

    Frame 1 (227 bytes on wire, 227 bytes captured)
    Linux cooked capture
    Internet Protocol, Src: opensuse.suse.home (192.168.1.7), Dst:
    w2k3.windows2003.home (192.168.1.5)
    User Datagram Protocol, Src Port: 32788 (32788), Dst Port: kerberos (88)
    Kerberos AS-REQ
    Pvno: 5
    MSG Type: AS-REQ (10)
    KDC_REQ_BODY

    No. Time Source Destination Protocol Info
    2 0.019198 w2k3.windows2003.home opensuse.suse.home KRB5 KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED



    Frame 2 (273 bytes on wire, 273 bytes captured)
    Linux cooked capture
    Internet Protocol, Src: w2k3.windows2003.home (192.168.1.5), Dst:
    opensuse.suse.home (192.168.1.7)
    User Datagram Protocol, Src Port: kerberos (88), Dst Port: 32788 (32788)
    Kerberos KRB-ERROR
    Pvno: 5
    MSG Type: KRB-ERROR (30)
    stime: 2006-05-07 14:09:01 (Z)
    susec: 390398
    error_code: KRB5KDC_ERR_PREAUTH_REQUIRED (25)
    Realm: WINDOWS2003.HOME
    Server Name (Unknown): krbtgt/WINDOWS2003.HOME
    e-data
    padata: PA-ENCTYPE-INFO PA-ENC-TIMESTAMP PA-PK-AS-REP
    Type: PA-ENCTYPE-INFO (11)
    Value: 30523027A003020103A120041E57494E444F575332303033.. .
    des-cbc-md5 des-cbc-crc
    Encryption type: des-cbc-md5 (3)
    Salt:
    57494E444F5753323030332E484F4D455445535455534552.. .
    Encryption type: des-cbc-crc (1)
    Salt:
    57494E444F5753323030332E484F4D455445535455534552.. .
    Type: PA-ENC-TIMESTAMP (2)
    Value:
    Type: PA-PK-AS-REP (15)
    Value:

    No. Time Source Destination Protocol Info
    3 0.039415 opensuse.suse.home w2k3.windows2003.home KRB5 AS-REQ


    Frame 3 (293 bytes on wire, 293 bytes captured)
    Linux cooked capture
    Internet Protocol, Src: opensuse.suse.home (192.168.1.7), Dst:
    w2k3.windows2003.home (192.168.1.5)
    User Datagram Protocol, Src Port: 32788 (32788), Dst Port: kerberos (88)
    Kerberos AS-REQ
    Pvno: 5
    MSG Type: AS-REQ (10)
    padata: PA-ENC-TIMESTAMP
    Type: PA-ENC-TIMESTAMP (2)
    Value: 3031A003020101A22A0428800FD47DB57CC5D12C0241DF59.. .
    des-cbc-crc
    Encryption type: des-cbc-crc (1)
    enc PA_ENC_TIMESTAMP:
    800FD47DB57CC5D12C0241DF592D88C7DA11BBBC89241B2A.. .
    KDC_REQ_BODY

    No. Time Source Destination Protocol Info
    4 0.047715 w2k3.windows2003.home opensuse.suse.home KRB5 AS-REP

    Frame 4 (1389 bytes on wire, 1389 bytes captured)
    Linux cooked capture
    Internet Protocol, Src: w2k3.windows2003.home (192.168.1.5), Dst:
    opensuse.suse.home (192.168.1.7)
    User Datagram Protocol, Src Port: kerberos (88), Dst Port: 32788 (32788)
    Kerberos AS-REP
    Pvno: 5
    MSG Type: AS-REP (11)
    padata: PA-PW-SALT
    Type: PA-PW-SALT (3)
    Value: 57494E444F5753323030332E484F4D455445535455534552.. .
    Client Realm: WINDOWS2003.HOME
    Client Name (Principal): TESTUSERSPN/DES
    Ticket
    enc-part des-cbc-crc


    which uses a Salt of: 57 49 4e 44 4f 57 53 32 30 30 33 2e 48 4f 4d 45 54 45
    53 54 55 53 45 52 53 50 4e 44 45 53 =
    WINDOWS2003.HOMETESTUSERSPNDES


    The Salt stored in the keytab is the correct value:

    hexdump -C DESUSER.keytab
    00000000  05 02 00 00 00 3b 00 02  00 10 57 49 4e 44 4f 57  |.....;....WINDOW|
    00000010  53 32 30 30 33 2e 48 4f  4d 45 00 0b 54 45 53 54  |S2003.HOME..TEST|
    00000020  55 53 45 52 53 50 4e 00  03 44 45 53 00 00 00 01  |USERSPN..DES....|
    00000030  00 00 00 00 03 00 01 00  08 d9 25 94 0d 9b e5 c4  |..........%.....|
    00000040  ec                                                |.|
    00000041
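To make the salt point concrete, here is an added example (my own code, not from the post, from ktpass or from msktutil) that parses the DESUSER.keytab bytes shown in the hexdump above and checks whether the PA-PW-SALT the KDC sent equals the RFC 3961 default salt for the keytab principal. The computer-account salt form in `ad_computer_salt` comes from MS-KILE, not from this thread; everything else is transcribed from the post.

```python
import struct

# Bytes of DESUSER.keytab, transcribed from the hexdump in the post above
# (MIT keytab format version 0x502, all integers big-endian).
KEYTAB = bytes.fromhex(
    "0502"                                    # file format version
    "0000003b"                                # entry size: 59 bytes
    "0002"                                    # number of name components
    "0010" "57494e444f5753323030332e484f4d45"  # realm "WINDOWS2003.HOME"
    "000b" "5445535455534552" "53504e"         # component "TESTUSERSPN"
    "0003" "444553"                            # component "DES"
    "00000001"                                # name type 1 (KRB5_NT_PRINCIPAL)
    "00000000"                                # timestamp
    "03"                                      # 8-bit kvno
    "0001" "0008" "d925940d9be5c4ec"          # enctype 1 (DES-CBC-CRC), key len 8, key
)
# Full PA-PW-SALT value from the AS-REP above ("which uses a Salt of" line).
PA_PW_SALT_HEX = "57494e444f5753323030332e484f4d455445535455534552" "53504e444553"


def _counted(data, pos):
    """Read a 16-bit length-prefixed ASCII string at pos; return (text, new_pos)."""
    (n,) = struct.unpack(">H", data[pos:pos + 2])
    return data[pos + 2:pos + 2 + n].decode("ascii"), pos + 2 + n


def parse_keytab(data):
    """Parse a v0x502 MIT keytab and return one dict per key entry."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version: %r" % data[:2])
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size <= 0:                       # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", data[pos:pos + 2])
        realm, pos = _counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted(data, pos)
            comps.append(comp)
        name_type, _timestamp, kvno = struct.unpack(">IIB", data[pos:pos + 9])
        enctype, keylen = struct.unpack(">HH", data[pos + 9:pos + 13])
        pos += 13
        key = data[pos:pos + keylen]
        pos += keylen
        if end - pos >= 4:                  # newer writers append a 32-bit kvno
            (kvno32,) = struct.unpack(">I", data[pos:pos + 4])
            kvno = kvno32 or kvno
        entries.append({"principal": "/".join(comps) + "@" + realm, "realm": realm,
                        "components": comps, "name_type": name_type, "kvno": kvno,
                        "enctype": enctype, "key": key})
        pos = end
    return entries


def default_salt(realm, components):
    """RFC 3961 default salt: realm followed by the name components, no separators."""
    return realm + "".join(components)


def ad_computer_salt(realm, fqdn):
    """Salt AD uses for computer-account keys (MS-KILE): REALM + 'host' + lowercase FQDN."""
    return realm.upper() + "host" + fqdn.lower()


def kdc_salt_matches(entry, pa_pw_salt_hex):
    """True if the salt the KDC announced equals the default salt for this principal."""
    announced = bytes.fromhex(pa_pw_salt_hex).decode("ascii")
    return announced == default_salt(entry["realm"], entry["components"])


if __name__ == "__main__":
    for e in parse_keytab(KEYTAB):
        print(e["principal"], "kvno", e["kvno"], "enctype", e["enctype"], e["key"].hex())
        print("KDC salt matches default salt:", kdc_salt_matches(e, PA_PW_SALT_HEX))
```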

  4. Re: Creating a keytab with ktpass under a Computer account


    Markus Moeller wrote:
    > As I have seen in the past people asking about how to create a keytab with a
    > Computer account I put some details together:
    >
    > 4) Secondly I run ktpass /out testPrincipal.keytab /mapuser
    > testPRINCIPAL$@WINDOWS2003.HOME /princ TESTSPN/FQDN@WINDOWS2003.HOME /crypto
    > RC4-HMAC-NT /rndpass /ptype KRB5_NT_PRINCIPAL


    > 4) I tested the keytab with kfw 3.0
    > c:\Program Files\MIT\Kerberos\bin\kinit.exe -kt testPrincipal.keytab
    > TESTSPN/FQDN@WINDOWS2003.HOME
    > c:\Program Files\MIT\Kerberos\bin\klist.exe -e



    First thank you for this post. It was a big help in getting me as far
    as I am. However, for some reason I am unable to get this final step
    to work. I created it with a computer account as you indicated, and
    was able to successfully create ktpass files. I then copy them over to
    the appropriate server and I can klist the keytab:

    # klist -Kek
    Keytab name: FILE:/etc/krb5.keytab
    KVNO Principal
    ---- --------------------------------------------------------------------------
    7 host/testsrv.corp.dc@CORP.DC (ArcFour with HMAC/md5) (0x68df3e78ac80ad80417213d837e2f17b)

    I then try the kinit command you used:

    # kinit -kt /etc/krb5.conf host/testsrv.corp.dc@CORP.DC
    kinit(v5): Client not found in Kerberos database while getting initial credentials

    The local box hostname matches this output, as does the reverse lookup.
    /etc/hosts has:
    127.0.0.1 localhost.localdomain localhost
    10.0.0.30 testsrv.corp.dc testsrv

    In addition I have tried using ssh, with GSSAPI configured:
    debug1: Authentications that can continue:
    publickey,gssapi-with-mic,password
    debug1: Next authentication method: gssapi-with-mic
    debug1: Delegating credentials
    debug1: Miscellaneous failure
    Server not found in Kerberos database

    debug1: Trying to start again

    [on the server]
    Postponed gssapi-with-mic for testuser from ::ffff:10.0.0.100 port 57857 ssh2
    debug1: userauth-request for user testuser service ssh-connection method gssapi-with-mic
    debug1: attempt 2 failures 1
    Failed gssapi-with-mic for testuser from ::ffff:10.0.0.100 port 57857 ssh2

    I have tried using both KRB5_NT_PRINCIPAL and KRB5_NT_SRV_HST, to no
    avail. I also tried switching to using user accounts instead of
    computer accounts, but that doesn't work either.

    The server I'm working with can talk to the KDC. I have successfully
    obtained a TGT locally via kinit for my user account. If anyone has
    some suggestions, I would greatly appreciate it.


  5. Re: Creating a keytab with ktpass under a Computer account

    You can check with adsiedit.msc if the entry exists by selecting the Domain
    tree, right click and select New -> Query. Give the query a name, select a
    root, select subtree and type a query like
    serviceprincipalname=host/testsrv.corp.dc* . This should show you one and
    only one entry corresponding to your computer account. If this is OK check
    your Kerberos configuration on the Unix machine. Do you have a realm domain
    mapping or do you use DNS records?

    BTW, did you use the same ktpass version?
    Regards
    Markus






  6. Re: Creating a keytab with ktpass under a Computer account

    Markus Moeller wrote:
    > You can check with adsiedit.msc if the entry exists by selecting the Domain
    > tree, right click and select New -> Query. Give the query a name, select a
    > root, select subtree and type a query like
    > serviceprincipalname=host/testsrv.corp.dc* . This should show you one and
    > only one entry corresponding to your computer account. If this is OK check


    No, this gives no results. Even if I specify the OU that it is in.
    However, if I go to the object in ADSI edit and view its properties, I
    can find servicePrincipleName and it has the right information.

    > your Kerberos configuration on the Unix machine. DO you have a realm domain
    > mapping or do you use DNS records ?


    I have tried both.

    > BTW Did you use the same ktpass version ?


    5.2.3790.1830


  7. Re: Creating a keytab with ktpass under a Computer account

    > No, this gives no results. Even if I specify the OU that it is in.
    > However, if I go to the object in ADSI edit and view its properties, I
    > can find servicePrincipleName and it has the right information.


    never mind. I'm a moron. I insist on spelling it Principle, not
    Principal, so of course I'm not finding it.

    I redid the search with the right spelling and came up with exactly one
    match for host/testsrv.corp.dc.


  8. Re: Creating a keytab with ktpass under a Computer account

    Can you provide a tcpdump or snoop of traffic on port 88 and 53 to analyse
    in Ethereal ?

    Regards
    Markus

    "Shamgar" wrote in message
    news:1148651221.376969.242680@g10g2000cwb.googlegroups.com...




  9. Re: Creating a keytab with ktpass under a Computer account

    Even I ran into this problem, and somehow I could make it work with
    ktpass version 5.2.3790.131 (without rc4-hmac-nt).

    Whereas the newer SP1 ktpass worked with USER accounts. When I wanted to
    convert from user accounts to computer accounts, I ran into all kinds
    of problems.

    The tool I used to diagnose is css_adkadmin, and keytabs from this
    tool worked for me even with rc4-hmac. A binary version of this is also
    available. I hope we get one nice robust KTPASS from Microsoft which works
    as it's supposed to and provides more meaningful error messages.

    Meanwhile I just ran into the following doc.
    http://support.microsoft.com/default...;en-us;q175468

    Article ID : 175468 : Effects of machine account replication on a
    domain

    I am not sure how the "Domain Member: Disable machine account password
    changes & Domain Controller: Refuse machine account password changes"
    parameters affect my keytab. And if this happens for some reason, do I
    need to regenerate the keytab again? I hope someone can make this clear to me.

    Maybe we need a nice little checklist of what needs to be looked at:

    1. We need to check:

    userPrincipalName: host/hp.abc.net@ABC.NET
    servicePrincipalName: host/hp.abc.net

    2. msDS-KeyVersionNumber == KVNO should be same

    3. sAMAccountName: hp$

    4. userAccountCtrl =

    http://msdn.microsoft.com/library/de..._flag_enum.asp

    thanks





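The checklist in the last post, turned into a script. This is an added example of my own, not code from the thread or from any tool named in it; the `KEYTAB_ENTRY` and `AD_*` dictionaries are constructed sample data standing in for a parsed keytab entry and the mapped account's LDAP attributes (the 0x1021 value is the uacflags ktpass warned about in the first post).

```python
# userAccountControl bits relevant to keytab troubleshooting (ADS_USER_FLAG_ENUM).
UAC_FLAGS = {
    0x0001: "SCRIPT",
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH",
}
DES_ENCTYPES = {1, 3}            # des-cbc-crc, des-cbc-md5


def decode_uac(uac):
    """Names of the set userAccountControl bits, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if uac & bit]


def check_keytab_against_ad(entry, ad):
    """Run the checklist; returns a list of findings (empty means every check passed).

    entry: {"principal": "host/hp.abc.net@ABC.NET", "kvno": 7, "enctype": 0x17}
    ad:    attributes of the mapped AD account as read from LDAP.
    """
    findings = []
    name = entry["principal"].rsplit("@", 1)[0]
    spns = [s.lower() for s in ad.get("servicePrincipalName", [])]
    if name.lower() not in spns:                       # SPNs are case-insensitive in AD
        findings.append("servicePrincipalName does not contain %s" % name)
    upn = ad.get("userPrincipalName", "")
    if upn and upn.lower() != entry["principal"].lower():
        findings.append("userPrincipalName %s != keytab principal %s" % (upn, entry["principal"]))
    if ad.get("msDS-KeyVersionNumber") != entry["kvno"]:
        findings.append("msDS-KeyVersionNumber %s != keytab KVNO %d (re-create the keytab)"
                        % (ad.get("msDS-KeyVersionNumber"), entry["kvno"]))
    flags = decode_uac(ad.get("userAccountControl", 0))
    sam = ad.get("sAMAccountName", "")
    if "WORKSTATION_TRUST_ACCOUNT" in flags and not sam.endswith("$"):
        findings.append("computer account but sAMAccountName %r lacks the trailing $" % sam)
    if "ACCOUNTDISABLE" in flags:
        findings.append("account is disabled")
    if "USE_DES_KEY_ONLY" in flags and entry["enctype"] not in DES_ENCTYPES:
        findings.append("account is DES-only but keytab enctype is 0x%x" % entry["enctype"])
    if "DONT_REQ_PREAUTH" in flags:
        findings.append("pre-authentication is not required for this account")
    return findings


# Constructed sample data following the checklist in the post above.
KEYTAB_ENTRY = {"principal": "host/hp.abc.net@ABC.NET", "kvno": 7, "enctype": 0x17}
AD_GOOD = {
    "userPrincipalName": "host/hp.abc.net@ABC.NET",
    "servicePrincipalName": ["host/hp.abc.net", "HOST/HP"],
    "msDS-KeyVersionNumber": 7,
    "sAMAccountName": "hp$",
    "userAccountControl": 0x1021,    # SCRIPT | PASSWD_NOTREQD | WORKSTATION_TRUST_ACCOUNT
}
# Same account after a password reset (KVNO bumped) and with DES-only switched on.
AD_STALE = dict(AD_GOOD, **{"msDS-KeyVersionNumber": 8, "userAccountControl": 0x1021 | 0x200000})

if __name__ == "__main__":
    print("uacflags 0x1021 =", ", ".join(decode_uac(0x1021)))
    for label, ad in (("good", AD_GOOD), ("stale", AD_STALE)):
        print(label, check_keytab_against_ad(KEYTAB_ENTRY, ad) or "OK")
```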