Win2k3 SP1 ktpass problem.

Pitrich, Karl karl.pitrich at fabasoft.com
Tue Sep 20 10:05:23 EDT 2005


Hi,

here are my (random) notes and how I do windows/MIT key exchange
successfully:


with recent versions of MIT Kerberos it is not necessary to specify any
special enc-type as it supports MD4 (which is windows default now).
I'm also not specifying the ptype flag to ktpass.

the principal you specify at the ktpass commandline will be added and/or
overwritten in AD.

as username to ktpass, use the login name only from AD.

match the case of username and realm exactly.

with adsi-edit you can then verify the servicePrincipalName or
userPrincipalName that will be added after invoking ktpass.

using ktpass, the AD User will be automagically flagged as DES Only.


import the keys on linux and verify using:
  kinit -k -t /path/to/winkrb5.keytab <name>/<fqdn>@<REALM>
this should issue a ticket without entering a password.


I have encountered some troubles with the ticket serial number; to avoid
them, always change the password of the AD User prior to exporting with
ktpass, as this ensures a current ticket.

furthermore, ensure that the ktpass utility comes from a resource kit
from the same version as the windows OS itself AND also the same
locale.



HTH,

 / karl
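
Added example (not from this thread or any of its posters): a small Python parser for the MIT keytab file format (version 0x0502, the layout MIT documents: big-endian fields, negative-size holes for deleted entries, optional trailing 32-bit vno), so the kvno and enctype of each entry ktpass wrote can be read before the kinit -k test above. A kvno or enctype that does not match what the KDC now uses is exactly the mismatch Jeffrey points at for "Decrypt integrity check failed". SAMPLE_KEYTAB is constructed here from the thread's principal and enctypes and stands in for a real export; build_entry exists only to produce it.

```python
import struct
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}

def _cstr(buf, off):  # counted_octet_string: big-endian uint16 length, then bytes
    (n,) = struct.unpack(">H", buf[off:off + 2])
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, enctype name)] for every live entry in data."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab file format 0x0502 is handled here")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size < 0:                 # a negative size marks a deleted-entry hole
            pos -= size
            continue
        buf = data[pos:pos + size]
        (ncomp,) = struct.unpack(">H", buf[:2])
        realm, off = _cstr(buf, 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _cstr(buf, off)
            comps.append(comp.decode())
        # name_type (uint32), timestamp (uint32) and the 8-bit vno precede the keyblock
        _ntype, _ts, vno = struct.unpack(">IIB", buf[off:off + 9])
        (etype,) = struct.unpack(">H", buf[off + 9:off + 11])
        _key, off = _cstr(buf, off + 11)
        if len(buf) - off >= 4:      # optional 32-bit vno, used when nonzero
            vno = struct.unpack(">I", buf[off:off + 4])[0] or vno
        entries.append(("/".join(comps) + "@" + realm.decode(), vno,
                        ENCTYPES.get(etype, "enctype %d" % etype)))
        pos += size
    return entries

def build_entry(principal, vno, etype, key):  # encoder, for the sample input only
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIBH", 1, 0, vno & 0xFF, etype)  # KRB5_NT_PRINCIPAL = 1
    body += struct.pack(">H", len(key)) + key + struct.pack(">I", vno)
    return struct.pack(">i", len(body)) + body

# Constructed sample resembling a ktpass export for the thread's principal.
SAMPLE_KEYTAB = (b"\x05\x02"
                 + build_entry("test/host.xxx.com@XXX.COM", 2, 3, b"\x01" * 8)
                 + build_entry("test/host.xxx.com@XXX.COM", 2, 23, b"\x02" * 16))
```

Run parse_keytab over the bytes of a real krb5.keytab and compare the kvno and enctype it reports against what the KDC issues (klist -kte and kvno show the same data on a box with the MIT tools installed).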


On Fri, 2005-09-09 at 06:59, Srini wrote:
> Hi,
> 
> I have used the below command to extract the keytab. You can see that I
> have specified the enctype correctly. Please let me know whether I need
> to specify any other option to ktpass.
> 
> ktpass -mapuser user@xxx.com -princ test/host.xxx.com@XXX.COM +DesOnly
> -pass helloworld -ptype KRB5_NT_PRINCIPAL -crypto DES-CBC-MD5 -out
> "c:\krb5.keytab"
> 
> I am using the user account and not the computer account.
> 
> Thanks,
> Srini
> 
> Jeffrey Altman wrote:
> > Are you specifying the correct kvno and are you extracting
> > the correct enctype?   2K3 SP1 supports the export of RC4-HMAC
> > keys and that might be the new default.
> >
> > Jeffrey Altman
> >
> >
> > Srinivas Cheruku wrote:
> > > Hi,
> > >
> > > I am using Win2k3 as my KDC.
> > >
> > > I was using the keytab extracted from Win2k3 ktpass
> > > and it was working fine with my GSS applications. I
> > > have upgraded to Win2k3 SP1 and now when I use ktpass
> > > of Win2k3 SP1 to extract the keytab and use it with my
> > > GSS application, I am getting an error on the GSS server
> > > while accepting the context as "Decrypt integrity
> > > check failed".
> > >
> > > Has anyone encountered this problem with the keytab
> > > created with win2k3 sp1 ktpass?
> > > Can anyone help me to fix this issue?
> > >
> > > Thanks and Regards,
> > > Srini
> > >
> > >
> > >
> > >
> > > ________________________________________________
> > > Kerberos mailing list           Kerberos at mit.edu
> > > https://mailman.mit.edu/mailman/listinfo/kerberos
> > >
> >
> > --
> > -----------------
> > This e-mail account is not read on a regular basis.
> > Please send private responses to jaltman at mit dot edu
> 