Extracting service keys from Windows DC or AD

Michael B Allen mba2000 at ioplex.com
Sat Oct 28 11:59:41 EDT 2006

On Sat, 28 Oct 2006 14:40:26 +0530
"akshar kanak" <akshar.kerberos at gmail.com> wrote:

> Dear Team
>      Is it possible to directly extract  the service keys (secrect key
> shared between KDC and target server) from windows 2003 Domain Controller or
> Active directory for SPN cifs,smtpsvc,rpc, host etc  and place them in
> keytab files which can be merged with Linux keytab file instead of
> adding new service to the AD using ktpass.exe.

Not in a reasonable and reliable way no. There is a tool called ktexport
but it has severe limitations (really meant for importing keytabs into
the Wireshark packet sniffer). The Samba guys have "vampire" code that
I think can do what you want but I don't know much about it.

Also, note that SPNs are mapped to accounts and you really want the keys
associated with accounts. So keytab entries for cifs and rpc would have
the same key.


Michael B Allen
PHP Active Directory SSO

More information about the Kerberos mailing list