Why creating a keytab with a DES key does not work with ktpass under a Computer account
Markus Moeller
huaraz at moeller.plus.com
Sun May 7 18:04:11 EDT 2006
In addition to my previous mail
> As I have seen in the past people asking about how to create a keytab with
> a Computer account I put some details together:
>
> 1) The ktpass version I used is from Windows2003 R2 File Version:
> 5.2.3790.1830 (srv03_sp1_rtm.050324-1447)
>
> 2) I only create RC4 keytabs as now MIT and Heimdal support it.
The other reason to use only RC4 is that ktpass has a bug when used with
Computer accounts on Windows 2003 SP1: ktpass uses the wrong Salt (this has
been corrected in tools like msktutil). A ktpass with DES on a User account
looks like:
ktpass /crypto des-cbc-crc /desonly /ptype KRB5_NT_PRINCIPAL /rndpass /out DESUSER.keytab /princ TESTUSERSPN/DES@WINDOWS2003.HOME /mapuser testUser@WINDOWS2003.HOME
Targeting domain controller: w2k3.windows2003.home
Using legacy password setting method
Successfully mapped TESTUSERSPN/DES to testUser.
Key created.
Output keytab to DESUSER.keytab:
Keytab version: 0x502
keysize 59 TESTUSERSPN/DES@WINDOWS2003.HOME ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x1 (DES-CBC-CRC) keylength 8 (0xd925940d9be5c4ec)
Account testUser has been set for DES-only encryption.
And a kinit -kt DESUSER.keytab TESTUSERSPN/DES@WINDOWS2003.HOME gives the following AS-REQ/AS-REP:
No. Time Source Destination Protocol Info
1 0.000000 opensuse.suse.home w2k3.windows2003.home KRB5 AS-REQ
Frame 1 (227 bytes on wire, 227 bytes captured)
Linux cooked capture
Internet Protocol, Src: opensuse.suse.home (192.168.1.7), Dst: w2k3.windows2003.home (192.168.1.5)
User Datagram Protocol, Src Port: 32788 (32788), Dst Port: kerberos (88)
Kerberos AS-REQ
Pvno: 5
MSG Type: AS-REQ (10)
KDC_REQ_BODY
No. Time Source Destination Protocol Info
2 0.019198 w2k3.windows2003.home opensuse.suse.home KRB5 KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
Frame 2 (273 bytes on wire, 273 bytes captured)
Linux cooked capture
Internet Protocol, Src: w2k3.windows2003.home (192.168.1.5), Dst: opensuse.suse.home (192.168.1.7)
User Datagram Protocol, Src Port: kerberos (88), Dst Port: 32788 (32788)
Kerberos KRB-ERROR
Pvno: 5
MSG Type: KRB-ERROR (30)
stime: 2006-05-07 14:09:01 (Z)
susec: 390398
error_code: KRB5KDC_ERR_PREAUTH_REQUIRED (25)
Realm: WINDOWS2003.HOME
Server Name (Unknown): krbtgt/WINDOWS2003.HOME
e-data
padata: PA-ENCTYPE-INFO PA-ENC-TIMESTAMP PA-PK-AS-REP
Type: PA-ENCTYPE-INFO (11)
Value: 30523027A003020103A120041E57494E444F575332303033...
des-cbc-md5 des-cbc-crc
Encryption type: des-cbc-md5 (3)
Salt: 57494E444F5753323030332E484F4D455445535455534552...
Encryption type: des-cbc-crc (1)
Salt: 57494E444F5753323030332E484F4D455445535455534552...
Type: PA-ENC-TIMESTAMP (2)
Value: <MISSING>
Type: PA-PK-AS-REP (15)
Value: <MISSING>
No. Time Source Destination Protocol Info
3 0.039415 opensuse.suse.home w2k3.windows2003.home KRB5 AS-REQ
Frame 3 (293 bytes on wire, 293 bytes captured)
Linux cooked capture
Internet Protocol, Src: opensuse.suse.home (192.168.1.7), Dst: w2k3.windows2003.home (192.168.1.5)
User Datagram Protocol, Src Port: 32788 (32788), Dst Port: kerberos (88)
Kerberos AS-REQ
Pvno: 5
MSG Type: AS-REQ (10)
padata: PA-ENC-TIMESTAMP
Type: PA-ENC-TIMESTAMP (2)
Value: 3031A003020101A22A0428800FD47DB57CC5D12C0241DF59...
des-cbc-crc
Encryption type: des-cbc-crc (1)
enc PA_ENC_TIMESTAMP: 800FD47DB57CC5D12C0241DF592D88C7DA11BBBC89241B2A...
KDC_REQ_BODY
No. Time Source Destination Protocol Info
4 0.047715 w2k3.windows2003.home opensuse.suse.home KRB5 AS-REP
Frame 4 (1389 bytes on wire, 1389 bytes captured)
Linux cooked capture
Internet Protocol, Src: w2k3.windows2003.home (192.168.1.5), Dst: opensuse.suse.home (192.168.1.7)
User Datagram Protocol, Src Port: kerberos (88), Dst Port: 32788 (32788)
Kerberos AS-REP
Pvno: 5
MSG Type: AS-REP (11)
padata: PA-PW-SALT
Type: PA-PW-SALT (3)
Value: 57494E444F5753323030332E484F4D455445535455534552...
Client Realm: WINDOWS2003.HOME
Client Name (Principal): TESTUSERSPN/DES
Ticket
enc-part des-cbc-crc
which uses a Salt of: 57 49 4e 44 4f 57 53 32 30 30 33 2e 48 4f 4d 45 54 45 53 54 55 53 45 52 53 50 4e 44 45 53 = WINDOWS2003.HOMETESTUSERSPNDES
The Salt stored in the keytab is the correct value:
hexdump -C DESUSER.keytab
00000000 05 02 00 00 00 3b 00 02 00 10 57 49 4e 44 4f 57 |.....;....WINDOW|
00000010 53 32 30 30 33 2e 48 4f 4d 45 00 0b 54 45 53 54 |S2003.HOME..TEST|
00000020 55 53 45 52 53 50 4e 00 03 44 45 53 00 00 00 01 |USERSPN..DES....|
00000030 00 00 00 00 03 00 01 00 08 d9 25 94 0d 9b e5 c4 |..........%.....|
00000040 ec |.|
00000041
A ktpass against a Computer account is:
ktpass /crypto des-cbc-crc /desonly /ptype KRB5_NT_PRINCIPAL /rndpass /out DESCOMPUTER.keytab /princ TESTSPN/DES@WINDOWS2003.HOME /mapuser testDES$@WINDOWS2003.HOME
Targeting domain controller: w2k3.windows2003.home
Using legacy password setting method
Successfully mapped TESTSPN/DES to TESTDES$.
WARNING: Account TESTDES$ is not a user account (uacflags=0x201021).
WARNING: Resetting TESTDES$'s password may cause authentication problems if TESTDES$ is being used as a server.
Reset TESTDES$'s password [y/n]? y
WARNING: pType and account type do not match. This might cause problems.
Key created.
Output keytab to DESCOMPUTER.keytab:
Keytab version: 0x502
keysize 55 TESTSPN/DES@WINDOWS2003.HOME ptype 1 (KRB5_NT_PRINCIPAL) vno 4 etype 0x1 (DES-CBC-CRC) keylength 8 (0xd54585c48cd31aa7)
Account TESTDES$ has been set for DES-only encryption.
A kinit -kt DESCOMPUTER.keytab TESTSPN/DES@WINDOWS2003.HOME fails with the following AS-REQ/AS-REP:
No. Time Source Destination Protocol Info
1 0.000000 opensuse.suse.home w2k3.windows2003.home KRB5 AS-REQ
Frame 1 (223 bytes on wire, 223 bytes captured)
Linux cooked capture
Internet Protocol, Src: opensuse.suse.home (192.168.1.7), Dst: w2k3.windows2003.home (192.168.1.5)
User Datagram Protocol, Src Port: 32789 (32789), Dst Port: kerberos (88)
Kerberos AS-REQ
Pvno: 5
MSG Type: AS-REQ (10)
KDC_REQ_BODY
No. Time Source Destination Protocol Info
2 0.002378 w2k3.windows2003.home opensuse.suse.home KRB5 KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
Frame 2 (305 bytes on wire, 305 bytes captured)
Linux cooked capture
Internet Protocol, Src: w2k3.windows2003.home (192.168.1.5), Dst: opensuse.suse.home (192.168.1.7)
User Datagram Protocol, Src Port: kerberos (88), Dst Port: 32789 (32789)
Kerberos KRB-ERROR
Pvno: 5
MSG Type: KRB-ERROR (30)
stime: 2006-05-07 14:12:48 (Z)
susec: 518668
error_code: KRB5KDC_ERR_PREAUTH_REQUIRED (25)
Realm: WINDOWS2003.HOME
Server Name (Unknown): krbtgt/WINDOWS2003.HOME
e-data
padata: PA-ENCTYPE-INFO PA-ENC-TIMESTAMP PA-PK-AS-REP
Type: PA-ENCTYPE-INFO (11)
Value: 306E3035A003020103A12E042C57494E444F575332303033...
des-cbc-md5 des-cbc-crc
Encryption type: des-cbc-md5 (3)
Salt: 57494E444F5753323030332E484F4D45686F737474657374...
Encryption type: des-cbc-crc (1)
Salt: 57494E444F5753323030332E484F4D45686F737474657374...
Type: PA-ENC-TIMESTAMP (2)
Value: <MISSING>
Type: PA-PK-AS-REP (15)
Value: <MISSING>
No. Time Source Destination Protocol Info
3 0.004774 opensuse.suse.home w2k3.windows2003.home KRB5 AS-REQ
Frame 3 (289 bytes on wire, 289 bytes captured)
Linux cooked capture
Internet Protocol, Src: opensuse.suse.home (192.168.1.7), Dst: w2k3.windows2003.home (192.168.1.5)
User Datagram Protocol, Src Port: 32789 (32789), Dst Port: kerberos (88)
Kerberos AS-REQ
Pvno: 5
MSG Type: AS-REQ (10)
padata: PA-ENC-TIMESTAMP
Type: PA-ENC-TIMESTAMP (2)
Value: 3031A003020101A22A0428425CFA2F38F4BEF07CF5961116...
des-cbc-crc
Encryption type: des-cbc-crc (1)
enc PA_ENC_TIMESTAMP: 425CFA2F38F4BEF07CF5961116D458F72B43CF7754348FC9...
KDC_REQ_BODY
No. Time Source Destination Protocol Info
4 0.007739 w2k3.windows2003.home opensuse.suse.home KRB5 KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
Frame 4 (279 bytes on wire, 279 bytes captured)
Linux cooked capture
Internet Protocol, Src: w2k3.windows2003.home (192.168.1.5), Dst: opensuse.suse.home (192.168.1.7)
User Datagram Protocol, Src Port: kerberos (88), Dst Port: 32789 (32789)
Kerberos KRB-ERROR
Pvno: 5
MSG Type: KRB-ERROR (30)
stime: 2006-05-07 14:12:48 (Z)
susec: 534293
error_code: KRB5KDC_ERR_PREAUTH_FAILED (24)
Realm: WINDOWS2003.HOME
Server Name (Unknown): krbtgt/WINDOWS2003.HOME
e-data
The AD KDC asks for a Salt of: 57 49 4e 44 4f 57 53 32 30 30 33 2e 48 4f 4d 45 68 6f 73 74 74 65 73 74 64 65 73 2e 77 69 6e 64 6f 77 73 32 30 30 33 2e 68 6f 6d 65 = WINDOWS2003.HOMEhosttestdes.windows2003.home
whereas the Salt stored in the keytab by ktpass is: WINDOWS2003.HOMETESTSPNDES
hexdump -C DESCOMPUTER.keytab
00000000 05 02 00 00 00 37 00 02 00 10 57 49 4e 44 4f 57 |.....7....WINDOW|
00000010 53 32 30 30 33 2e 48 4f 4d 45 00 07 54 45 53 54 |S2003.HOME..TEST|
00000020 53 50 4e 00 03 44 45 53 00 00 00 01 00 00 00 00 |SPN..DES........|
00000030 04 00 01 00 08 d5 45 85 c4 8c d3 1a a7 |......E......|
0000003d
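As an added illustration (not part of Markus's mail, nor code from ktpass or msktutil): a small Python parser for the two keytabs shown in the hexdumps, deriving the realm+components salt a client uses for each entry and checking it against the salt the KDC advertised in PA-ENCTYPE-INFO. The computer-account salt rule in ad_computer_salt is an assumption read off the single capture above.

```python
import struct
# Keytab bytes transcribed from the two hexdumps in the mail (keytab format 0x502).
DESUSER_KEYTAB = bytes.fromhex(
    "05020000003b0002001057494e444f5753323030332e484f4d45000b54455354"
    "5553455253504e000344455300000001000000000300010008d925940d9be5c4ec")
DESCOMPUTER_KEYTAB = bytes.fromhex(
    "0502000000370002001057494e444f5753323030332e484f4d45000754455354"
    "53504e000344455300000001000000000400010008d54585c48cd31aa7")
# Truncated salts from the KDC's PA-ENCTYPE-INFO in the two captures above.
KDC_SALT_USER_HEX = "57494E444F5753323030332E484F4D455445535455534552"
KDC_SALT_COMPUTER_HEX = "57494E444F5753323030332E484F4D45686F737474657374"

def _counted(data, pos):
    # keytab counted_octet_string: uint16 big-endian length followed by the bytes
    (n,) = struct.unpack(">H", data[pos:pos + 2])
    return data[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(data):
    """Parse a 0x502 keytab into entry dicts (realm, components, vno, etype, key)."""
    assert data[:2] == b"\x05\x02", "only keytab format version 0x502 is handled here"
    entries, pos = [], 2
    while pos < len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos, end = pos + 4, pos + 4 + size
        (ncomp,) = struct.unpack(">H", data[pos:pos + 2])
        realm, pos = _counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted(data, pos)
            comps.append(comp.decode())
        # name_type (uint32), timestamp (uint32), vno (uint8), enctype (uint16)
        _name_type, _stamp, vno, etype = struct.unpack(">IIBH", data[pos:pos + 11])
        key, pos = _counted(data, pos + 11)
        entries.append({"realm": realm.decode(), "components": comps, "vno": vno, "etype": etype, "key": key})
        pos = end  # honour the recorded entry size
    return entries

def keytab_salt(data):
    """RFC 4120 default salt for the first entry: realm + components, no separators (what kinit -kt uses)."""
    entry = parse_keytab(data)[0]
    return entry["realm"] + "".join(entry["components"])

def ad_computer_salt(realm, sam_account_name):
    """Salt the AD KDC advertised for the computer account above; the rule is assumed from that one capture."""
    host = sam_account_name.rstrip("$").lower()  # TESTDES$ -> testdes
    return realm + "host" + host + "." + realm.lower()

def kdc_salt_matches(pa_enctype_info_hex, salt):
    """Check the (truncated) PA-ENCTYPE-INFO salt against the salt the client derived."""
    return salt.startswith(bytes.fromhex(pa_enctype_info_hex).decode())
```

For DESUSER.keytab the derived salt matches what the KDC sent, for DESCOMPUTER.keytab it does not, which is the PREAUTH_FAILED shown in the second capture.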
Regards
Markus