AD 2003; MS's ktpass made account corrupted

Henoc henoc at gbconcept.com
Thu Dec 13 10:49:56 EST 2007 

Excuse me dear Douglas , 
but I'm French and my english sucks  a little bit .

*) The machine is a windows XP Pro box.
Already belonging to a domain.
           the ": (not that the computer pre-exist in"
           Was a misspell of " (note that the computer pre-exist..."


*) The machine name is WWWSRVHOST which is ALSO is Host name under windows
as far as I know ? because on the Win2003 box it shows these spn : HOST/
WWWSRVHOST.... like this BEFORE any of our changes .

*)The AD Domain name on site was CCIAL.local (that is the way windows2003
spells a simple domain name.)
For trying to not pollute the case I tried to say it is just a FQDN (fully
qualified domain name) because if this is a trouble I will make them change
that after.

So excuse me for the misspelling between FQDN and FDN. 
Next time I will take more time to re-read my post. Specially in a foreign
language.
All this was to try not to give you too much annoying details which will
make you lose your time.
Apologizes.


*)
my app is a custom app with webserver (NO IIS) and provides some SSO
facilities via Java and SPNEGO. That's why I have to do all this stuff :
to get the keytab of the XP computer which hosts my web app.
This is needed for the SSO to work.
The web server uses some Java 6 techs including the JAAS layer for security
which is the one that allows the Kerberos token handshaking.




*)
I talked about cygwin just because it seems mskutil works only under unix.
They don't have a "real" DNS as they are a simple organization ; just
windows boxes. So DNS setting is not a real problem here.

  ( * )  ( * )  ( * )
I hope I'm little bit more clear now ?!
  ( * )  ( * )  ( * )
My job is to give this infamous keytab for the app.
And for this to work in sun tutorials they ask for the keytab of the
computer hosting the webserver.

Now I must confess I'm lost :
It seems you are telling me I should make another spn's keytab but not the
machine's one ? I don't know how all this will work then as Sun was asking
for the machine's keytab.


I'm not at the office to try all these 
Will be there only tomorrow afternoon or Monday.
 


Thank you for your time and your help.
Sincerly


-----Message d'origine-----
De : Douglas E. Engert [mailto:deengert at anl.gov] 
Envoyé : jeudi 13 décembre 2007 16:15
À : Henoc
Cc : kerberos at mit.edu
Objet : Re: AD 2003; MS's ktpass made account corrupted



Henoc wrote:
> Thanks Douglas for your help.
> 
> Just one thing to make clear for me (I'm not a Kerberos specialist so I
> would like to be sure ) :
> 
> So I got my computer WWWSRVHOST  joined to my domain 
> It has most of the time these spn already made by AD :
> HOST/WWWSRVHOST at FQDN.com

(Some of you examples use FQDN, some FDN. You refer to the machine
as WWWSRVHOST but it also has a DNS hostname. You attempts
at obfuscating the information in the e-mail is making
it hard to understand your situation.

First of all, is the computer WWWSRVHOST a Windows machine?
Is WWWSRVHOST the name?
What is its  DNS name?
Is it joined to the domain?
What is the AD domain name?

And you want to run a web server on it?
If this is all Microsoft servers and web servers, you should not
have to create any keytabs. It should be done for you.

Are trying to run some web server under cygwin?

If so use two seperate windows accounts, one for the host service
handled by windows join, and one for the HTTP service,
and use ktpass. (This keeps them seperate, and avoids the common
passwrod issue.)

The account name does not have to be the spn.

> 
> My goal is :
> - (1) - to add a HTTP/WWWSRVHOST at FDN.com  SPN to my computer's entry
> - (2) - then to produce the corresponding Keytab file
> 
> So to reach this :
> a)- under a unix box or via cygwin on the same windows I have to install
> mskutil (didn't succeed finding a windows version )

No there is no. You should not need this with windows.

> 
> b)- emit these kind of command line : (not that the computer pre-exist in
> the domain; 

You said the computer was joined. Now you say it is no.

in most of my client environment it is a windows box on which I
> have to install my stuff)
> 
> msktutil -b <base> -k <file> s <HTTP/WWWSRVHOST at FDN.com >

Did you actually get it to run?

> 
> 
> Is that all so simple  ?? I can't believe I have been turning around for
> decades for something so easy. 
> Should post this on different forums to avoid this for other people.
> I can test before Friday or Monday
> 
> If I made some huge mistake in my understanding, please let me know
> 
> Thanks again for your help, which was very useful 
> 
> Sincerely
> 
>

More information about the Kerberos mailing list