generating keytab problem

Douglas E. Engert deengert at
Thu Jun 10 21:00:38 EDT 2004

Akbar Lin wrote:
> Hi,
> I don't know whether this is the right place I should ask for help.
> I have a problem for generating the keytab file from Windows 2003 AD. This
> keytab will be used by Apache web server for the authentication (with
> mod_auth_kerb).
> I've done the same thing with Windows 2000 AD and it works perfectly.
> Are there any differences between Windows 2000 and 2003 AD for generating the
> keytab ?

You did not say how you did this as you could have used the ktpass command
to update AD and generate a keytab, or you could have used ktpass to
update AD, then used kt_util to add an entry to the keytab. 

But here are some possibilities:

2003 will use the key version number, kvno, and it may not be 1. 
(You can use the MIT kvno command to see what is set in AD.) 

2003 may use des-cbc-md5 whereas 2000 used des-cbc-crc.
(See the notes from Jeff and myself yesterday and today ... Oh that was on 
openafs-info at list.) 

So if you are converting from 2000 to 2003 ADs you may have to have
multiple entries in the keytab files, with the correct enctypes and kvnos
so the service can respond to a 2000 or 2003 generated ticket.

> Any suggestions on how to solve this problem or where I can find more
> information will be highly appreciated.
> Many thanks in advance.
> Akbar Lin


 Douglas E. Engert  <DEEngert at>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
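
The reply above says a keytab may need several entries with the right enctypes and kvnos. As an added example (not part of the original message or of any Kerberos distribution), this Python code reads the MIT keytab file format version 0x0502, lists each entry's principal, kvno and enctype, and reports which required pairs are missing. The function names are hypothetical, and the principal, realm, kvno values and zeroed keys are constructed sample data.

```python
import struct
# Enctype numbers for the two DES enctypes named in the thread.
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5"}

def _cstr(buf, off):  # counted string: big-endian uint16 length, then the bytes
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n].decode(), off + 2 + n

def parse_keytab(data):
    """Return (principal, kvno, enctype name) for each entry of a 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:               # negative size marks a deleted entry (hole)
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, p = _cstr(data, off + 2)
        comps = []
        for _ in range(ncomp):
            c, p = _cstr(data, p)
            comps.append(c)
        p += 8                      # skip name type and timestamp (uint32 each)
        kvno = data[p]              # 8-bit kvno
        etype, klen = struct.unpack_from(">HH", data, p + 1)
        p += 5 + klen
        if end - p >= 4:            # optional 32-bit kvno overrides the 8-bit one
            (kvno,) = struct.unpack_from(">I", data, p)
        entries.append(("/".join(comps) + "@" + realm, kvno, ENCTYPES.get(etype, str(etype))))
        off = end
    return entries

def missing_keys(entries, principal, needed):
    """(kvno, enctype) pairs from `needed` that have no matching keytab entry."""
    have = {(k, e) for name, k, e in entries if name == principal}
    return sorted(set(needed) - have)

# Helper that builds constructed sample entries only (not a real key).
def _entry(kvno, etype, realm="EXAMPLE.COM", comps=("HTTP", "www.example.com"), key=bytes(8)):
    s = lambda t: struct.pack(">H", len(t)) + t.encode()
    body = struct.pack(">H", len(comps)) + s(realm) + b"".join(map(s, comps))
    body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, etype, len(key)) + key
    return struct.pack(">i", len(body)) + body

# Constructed keytab: one service principal with two kvno/enctype pairs.
SAMPLE = b"\x05\x02" + _entry(1, 1) + _entry(3, 3)
```

Calling `missing_keys(parse_keytab(SAMPLE), "HTTP/www.example.com@EXAMPLE.COM", [...])` with the kvno and enctype pairs the KDCs are expected to issue returns the pairs that still need a keytab entry.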
