Creating a keytab with ktpass under a Computer account
Markus Moeller
huaraz at moeller.plus.com
Sat May 6 11:02:50 EDT 2006
As I have seen people asking in the past about how to create a keytab with a
Computer account, I have put some details together:
1) The ktpass version I used is from Windows2003 R2 File Version:
5.2.3790.1830 (srv03_sp1_rtm.050324-1447)
2) I only create RC4 keytabs, as MIT and Heimdal now support it.
3) Firstly I create a Computer Account, e.g. testPRINCIPAL, in AD with the
Users and Computers tool.
4) Secondly I run:
ktpass /out testPrincipal.keytab /mapuser testPRINCIPAL$@WINDOWS2003.HOME /princ TESTSPN/FQDN@WINDOWS2003.HOME /crypto RC4-HMAC-NT /rndpass /ptype KRB5_NT_PRINCIPAL
Targeting domain controller: w2k3.windows2003.home
Using legacy password setting method
Successfully mapped TESTSPN/FQDN to TESTPRINCIPAL$.
WARNING: Account TESTPRINCIPAL$ is not a user account (uacflags=0x1021).
WARNING: Resetting TESTPRINCIPAL$'s password may cause authentication
problems if TESTPRINCIPAL$ is being used as a server.
Reset TESTPRINCIPAL$'s password [y/n]? y
WARNING: pType and account type do not match. This might cause problems.
Key created.
Output keytab to testPrincipal.keytab:
Keytab version: 0x502
keysize 64 TESTSPN/FQDN@WINDOWS2003.HOME ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x17 (RC4-HMAC) keylength 16 (0xd0fc81746c2bed1da5d505b491634ce5)
5) I tested the keytab with kfw 3.0:
c:\Program Files\MIT\Kerberos\bin\kinit.exe -kt testPrincipal.keytab TESTSPN/FQDN@WINDOWS2003.HOME
c:\Program Files\MIT\Kerberos\bin\klist.exe -e
Ticket cache: API:krb5cc
Default principal: TESTSPN/FQDN@WINDOWS2003.HOME
Valid starting Expires Service principal
05/06/06 15:22:05 05/07/06 01:22:05
krbtgt/WINDOWS2003.HOME@WINDOWS2003.HOME
Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
6) Remark: If ptype is KRB5_NT_SRV_HST the principal name has to have a
dot in the FQDN!
ktpass /out testComputer.keytab /mapuser testCOMPUTER$@WINDOWS2003.HOME /princ TESTSPN/FQDN@WINDOWS2003.HOME /crypto RC4-HMAC-NT /rndpass /ptype KRB5_NT_SRV_HST
Targeting domain controller: w2k3.windows2003.home
Using legacy password setting method
Successfully mapped TESTSPN/FQDN to TESTCOMPUTER$.
WARNING: Account TESTCOMPUTER$ is not a user account (uacflags=0x1021).
WARNING: Resetting TESTCOMPUTER$'s password may cause authentication
problems if TESTCOMPUTER$ is being used as a server.
Reset TESTCOMPUTER$'s password [y/n]? y
Invalid SPN.
Failed to create key for keytab. Quitting.
Now with a dot:
ktpass /out testComputer.keytab /mapuser testCOMPUTER$@WINDOWS2003.HOME /princ TESTSPN/FQDN.COM@WINDOWS2003.HOME /crypto RC4-HMAC-NT /rndpass /ptype KRB5_NT_SRV_HST
Targeting domain controller: w2k3.windows2003.home
Using legacy password setting method
Successfully mapped TESTSPN/FQDN.COM to TESTCOMPUTER$.
WARNING: Account TESTCOMPUTER$ is not a user account (uacflags=0x1021).
WARNING: Resetting TESTCOMPUTER$'s password may cause authentication
problems if TESTCOMPUTER$ is being used as a server.
Reset TESTCOMPUTER$'s password [y/n]? y
Key created.
Output keytab to testComputer.keytab:
Keytab version: 0x502
keysize 68 TESTSPN/FQDN.COM@WINDOWS2003.HOME ptype 3 (KRB5_NT_SRV_HST) vno 14 etype 0x17 (RC4-HMAC) keylength 16 (0xd0fc81746c2bed1da5d505b491634ce5)
c:\Program Files\MIT\Kerberos\bin\kinit.exe -kt testComputer.keytab TESTSPN/FQDN.COM@WINDOWS2003.HOME
c:\Program Files\MIT\Kerberos\bin\klist.exe -e
Ticket cache: API:krb5cc
Default principal: TESTSPN/FQDN.COM@WINDOWS2003.HOME
Valid starting Expires Service principal
05/06/06 15:31:32 05/07/06 01:31:32
krbtgt/WINDOWS2003.HOME@WINDOWS2003.HOME
Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
Regards
Markus
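As an added example (not from Markus's post), here is a small Python parser for the version 0x502 keytab format that ktpass writes, so the fields printed in steps 4 and 6 (principal, ptype, vno, etype, keylength) can be checked offline; the sample keytab it builds uses the page's first principal with a constructed placeholder key, and the 64-byte entry it produces matches the keysize ktpass reported.

```python
import struct
NAME_TYPES = {1: "KRB5_NT_PRINCIPAL", 3: "KRB5_NT_SRV_HST"}
ENC_TYPES = {0x17: "RC4-HMAC"}

def _counted(buf, pos):  # big-endian uint16 length, then that many bytes
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(data):
    """Return one dict per entry with the fields ktpass prints above."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x502 keytab")
    entries, pos = [], 2
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                      # negative size marks a deleted slot
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted(data, pos)
            comps.append(comp.decode())
        ptype, _timestamp, vno = struct.unpack_from(">IIB", data, pos)
        etype, klen = struct.unpack_from(">HH", data, pos + 9)
        key = data[pos + 13:pos + 13 + klen]
        if end - (pos + 13 + klen) >= 4:  # optional 32-bit vno after the key
            (vno32,) = struct.unpack_from(">I", data, pos + 13 + klen)
            vno = vno32 or vno
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "ptype": NAME_TYPES.get(ptype, ptype), "vno": vno,
                        "etype": ENC_TYPES.get(etype, hex(etype)),
                        "keylength": klen, "key": key, "keysize": size})
        pos = end
    return entries

def build_keytab(principal, ptype, vno, etype, key):
    """Encode a one-entry keytab in the same layout (8-bit vno only)."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIBHH", ptype, 0, vno & 0xFF, etype, len(key)) + key
    return b"\x05\x02" + struct.pack(">i", len(body)) + body
# Constructed sample: the page's first principal with a placeholder key.
SAMPLE = build_keytab("TESTSPN/FQDN@WINDOWS2003.HOME", 1, 3, 0x17, bytes(range(16)))
```

Feeding the parser a real keytab (`parse_keytab(open("testPrincipal.keytab", "rb").read())`) shows the same ptype, vno and etype values that ktpass prints, and the dotted SPN from step 6 yields a 68-byte entry.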