Extracting service keys from Windows DC or AD
Douglas E. Engert
deengert at anl.gov
Mon Oct 30 10:32:54 EST 2006
akshar kanak wrote:
> Dear Team
> Is it possible to directly extract the service keys (secret key
> shared between KDC and target server) from Windows 2003 Domain Controller or
> Active Directory for SPN cifs, smtpsvc, rpc, host etc. and place them in
> keytab files which can be merged with Linux keytab file instead of
> adding new service to the AD using ktpass.exe.
AD does not store the keys, but a password associated with the account.
Thus the UPN and all the SPNs for the account share the same key. Thus
AD can generate a key for any crypto on the fly. If a salt is needed it
is taken from the SAMAccountName on W2k and from the UPN on W2K3.
So if you change the account password, all the keys change too.
In addition to the list of programs Michael listed, there is also msktutil
written by Dan Perry. Google for msktutil to find a version.
For example: http://download.systemimager.org/~finley/msktutil/
Msktutil runs on unix, uses OpenLDAP with SASL to authenticate to AD
as an admin to add accounts and principals to the accounts, and maintain
keytabs.
>
> Thanks and Regards
> Akshar
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
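An added illustration of the point in the reply above (not code from the thread or from msktutil): RFC 3962 AES string-to-key starts with PBKDF2-HMAC-SHA1 (4096 iterations) over the account password and a salt, so every SPN on an account gets the same key material and a password change rotates all of them. The block applies the salt rule as the reply states it (sAMAccountName on W2K, UPN on W2K3); the realm, account and password are constructed, the salt layout (upper-case realm followed by the name) and the omission of the final AES-based DK() step are assumptions, so the output is key material, not the finished Kerberos key.

```python
import hashlib

ITERATIONS = 4096   # RFC 3962 default PBKDF2 iteration count
KEY_LEN = 32        # aes256-cts-hmac-sha1-96 key size in bytes


def ad_salt(realm, sam_account_name, upn, w2k3=True):
    """Salt per the reply: W2K takes it from the sAMAccountName, W2K3 from
    the UPN. Assumed layout: upper-case realm immediately followed by the
    name part (no separator)."""
    name = upn.split("@")[0] if w2k3 else sam_account_name
    return realm.upper() + name


def string_to_key_material(password, salt):
    """PBKDF2 stage of RFC 3962 string-to-key. The final DK() step
    (AES-CBC over the n-folded constant "kerberos") is intentionally
    omitted, so this returns intermediate key material."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt.encode("utf-8"), ITERATIONS, KEY_LEN)


def account_keys(realm, sam, upn, password, spns, w2k3=True):
    """Map every SPN on one account to its key material. Because AD derives
    from the single account password, all SPNs share the same value."""
    salt = ad_salt(realm, sam, upn, w2k3)
    material = string_to_key_material(password, salt)
    return {spn: material for spn in spns}


if __name__ == "__main__":
    # Constructed example account with two SPNs on the same principal.
    spns = ["cifs/fs01.example.com", "host/fs01.example.com"]
    before = account_keys("EXAMPLE.COM", "svc-web", "svcweb@example.com",
                          "Passw0rd!", spns)
    after = account_keys("EXAMPLE.COM", "svc-web", "svcweb@example.com",
                         "NewPassw0rd!", spns)
    print("SPNs share key material:", before[spns[0]] == before[spns[1]])
    print("password change rotates all:", before[spns[0]] != after[spns[0]])
```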