Is it possible to generate the keytab on the application server itself?

sandypossible at gmail.com
Fri Jan 27 09:55:23 EST 2006


Hi all,

I have some additional queries:

1) I understand that while creating the keytab file, the KDC creates
the key using the service principal and its password. This key is
extracted into the keytab file. Could you please let me know if this
extracted keytab contains only the password in encrypted form? Does
the KDC use any salt or realm name along with the password during key
creation?

2) Does the KDC maintain a database of all the keytab entries when the
keytab file is created? Or does it create the key whenever required?

3) What is the requirement for the key version number? When the password is
changed and the new key is created, why can't Kerberos use the new
key itself? Is my understanding correct? Could anybody please explain?

4) Is it possible to create the keytab entry on the application server
itself?

Thanks
Sandy.




sandypossible at gmail.com wrote:
> Hi all,
>
> I am working on implementing Kerberos on an embedded device. I am
> aiming at using "windows server as KDC"
>
> I understand that the keytab file has to be generated on the Windows
> KDC using ktpass and securely transferred to the application server.
> This means that the Kerberos implementation on the application server
> can decrypt the contents of the keytab file and use it appropriately
> when connecting with the client.
>
> I earlier queried and also got useful links about the tools available.
> Since I do not have an LDAP client, I am looking into different ways of
> getting the keytab file onto the device.
>
> As I said above, as the keytab contents can be decoded by the
> application server, is the below method feasible and even possible?
> If not possible, can anybody please explain why it is not possible?
>
> --> I will add the device name and password in the domain
> controller. Using the same principal name and password, is it possible
> to create the keytab file locally on the device rather than getting
> this from the domain controller? Will it work?
> 
> Thanks,
> Sandy.



