Extracting service keys from Windows DC or AD

Douglas E. Engert deengert at anl.gov
Mon Oct 30 10:32:54 EST 2006

akshar kanak wrote:

>  Dear Team
>      Is it possible to directly extract the service keys (secret key
> shared between KDC and target server) from windows 2003 Domain Controller or
> Active directory for SPN cifs,smtpsvc,rpc, host etc  and place them in
> keytab files which can be merged with Linux keytab file instead of
> adding new service to the AD using ktpass.exe.

AD does not store the keys, but a password associated with the account.
Thus the UPN and all the SPNs for the account share the same key. Thus
AD can generate a key for any crypto on the fly. If a salt is needed it
is taken from the SAMAccountName on W2k and from the UPN on W2K3.
So if you change the account password, all the keys change too.

In addition to the list of programs Michael listed, there is also msktutil
written by Dan Perry. Google for msktutil to find a version.
For example:  http://download.systemimager.org/~finley/msktutil/

Msktutil runs on unix, uses OpenLDAP with SASL to authenticate to AD
as an admin to add accounts and principals to the accounts, and maintain

> Thanks and Regards
> Akshar
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos


  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
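The derivation Engert describes above (one password per account, a key generated on the fly for the requested enctype, salt taken from the sAMAccountName on W2k or the UPN on W2K3, all SPNs of the account sharing that key) as an added Python example; this is not code from the message, from msktutil or from ktpass. It implements the PBKDF2 stage of the RFC 3962 AES string-to-key and uses a constructed account and realm; the exact salt string Windows builds is an assumption.

```python
import hashlib

# Constructed sample AD service account (not from the original message).
REALM = "EXAMPLE.COM"  # assumed realm: the Windows domain name in uppercase
ACCOUNT = {
    "sAMAccountName": "websvc",
    "userPrincipalName": "websvc@example.com",
    "servicePrincipalName": ["cifs/web1.example.com", "HTTP/web1.example.com",
                             "host/web1.example.com"],
    "password": "S3cret-P@ssw0rd",
}
AES256_CTS_HMAC_SHA1_96 = 18  # keytab enctype number for this key type


def ad_salt(realm, account, w2k3=True):
    """Salt source as the message states: sAMAccountName on W2k, UPN on W2K3.
    Prefixing the uppercase realm follows the RFC 3962 convention; the exact
    string Windows builds is an assumption here, not something the message says."""
    name = account["userPrincipalName"] if w2k3 else account["sAMAccountName"]
    return realm + name


def string_to_key(password, salt, key_len=32, iterations=4096):
    """PBKDF2 stage of the RFC 3962 AES string-to-key (HMAC-SHA1, 4096 rounds
    by default). The final key is DK(result, "kerberos"), which needs AES-CBC
    and is left out here; the properties shown below hold for this stage too."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt.encode("utf-8"), iterations, key_len)


def keytab_entries(account, realm, w2k3=True, kvno=1):
    """Keytab-style entries a tool such as ktpass or msktutil has to write for
    this account. One key is computed from the password and reused for the UPN
    and every SPN, because AD stores the password, not per-SPN keys."""
    key = string_to_key(account["password"], ad_salt(realm, account, w2k3))
    principals = [account["userPrincipalName"]] + account["servicePrincipalName"]
    return [{"principal": p, "kvno": kvno,
             "enctype": AES256_CTS_HMAC_SHA1_96, "key": key} for p in principals]


if __name__ == "__main__":
    # Every principal of the account comes out with the same key; a password
    # change (or a different salt rule) changes all of them at once.
    for e in keytab_entries(ACCOUNT, REALM):
        print(f"{e['principal']:<26} kvno={e['kvno']} etype={e['enctype']} "
              f"key={e['key'].hex()[:16]}...")
```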
