Windows 2003 KDC: Problem with ktpass

youpski youpski at
Fri Sep 3 05:28:46 EDT 2004

DsCracknames usually means that the account cannot be found.
Looking at your syntax you are trying to map a computer account. If
so, you need to add a dollar sign "$" for Windows. Here is an example
of a syntax that works:

KTPASS -princ host/ at W2K3.DOMAIN.INT -mapuser
UNIXHOST1$ -pass Password1234 +Answer -out -crypto
DES-CBC-MD5 -kvno 4 /Target

Also look at the kvno. This is different in w2k3 as opposed to w2k. In
w2k the kvno was always 1. In w2k3 the key version number can be
different. Every time you reset the password on the account in AD, the
kvno is raised by 1. So before you run KTPASS read out the current
kvno (using ADSI or LDAP). The attribute is "msDS-KeyVersionNumber".
Also, use MD5 instead of CRC. W2K3 default does not support CRC.


FrankSTaylor at (Frank Taylor) wrote in message news:<a6732995.0409020736.10dcf8bc at>...
> Jeremy mentioned the solution above: you need to specify the user's
> domain in the mapUser argument.
> The following is an entry from our knowledge base on this problem:
> ------------------------------------------------------------------
> Symptom
> When using ktpass.exe on a Windows Server 2003 domain controller to
> map a service principal, such as ktpass.exe -princ
> wts/ at DOMAIN.INT -mapuser wts.server, ktpass.exe
> returns the error message:
> DSCrackNames returned 0x2 in the name entry for wts.server
> Explanation
> 0x2 is the Windows NT hex code for 'not found'. ktpass has been unable
> to locate the user you specified.
> Causes
> ktpass needs more info
> You need to specify the user more fully, by prefacing the user name
> with the domain name:
>     ktpass.exe -princ wts/ at DOMAIN.INT -mapuser
> DOMAIN\wts.server
> where DOMAIN is the NetBIOS version of the AD domain.
> ------------------------------------------------------------------
> Thanks,
> Frank.
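
Reading the current key version number over ADSI before running ktpass, as the post advises (an added example, not part of the original message). It assumes a domain-joined Windows host with PowerShell 3 or later; the UNIXHOST1$ and DOMAIN defaults are the placeholders used in the thread.

```powershell
# Added example (not from the thread). Default names are placeholders.
param(
    [string]$SamAccountName = 'UNIXHOST1$',  # computer accounts end in "$"
    [string]$NetBiosDomain  = 'DOMAIN'       # NetBIOS name of the AD domain
)

# Escape LDAP filter metacharacters (RFC 4515); the backslash must go first.
$escaped = $SamAccountName -replace '\\', '\5c' -replace '\*', '\2a' `
                           -replace '\(', '\28' -replace '\)', '\29'

# With no search root given, [adsisearcher] binds to the current logon domain.
$searcher = [adsisearcher]"(sAMAccountName=$escaped)"
# msDS-KeyVersionNumber is a constructed attribute, so request it explicitly.
[void]$searcher.PropertiesToLoad.Add('msDS-KeyVersionNumber')
$entry = $searcher.FindOne()

if ($null -eq $entry) {
    # The thread attributes ktpass's "DsCrackNames returned 0x2" to this case.
    throw "Account '$SamAccountName' not found; check the name and the trailing dollar sign."
}

# ResultPropertyCollection stores attribute names in lower case.
$values = $entry.Properties['msds-keyversionnumber']
if ($values.Count -eq 0) {
    throw "msDS-KeyVersionNumber was not returned for '$SamAccountName'."
}

# Emit the values to pass to ktpass: the domain-qualified account and the kvno.
[pscustomobject]@{
    Account    = $SamAccountName
    Kvno       = [int]$values[0]
    MapUserArg = "-mapuser $NetBiosDomain\$SamAccountName"
    KvnoArg    = "-kvno $($values[0])"
}
```

Compare the reported value with the kvno stored in the keytab; per the post, each password reset on the account raises it by 1.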
