Bizarre problem with authenticating a service principal with AD
Luke Howard
lukeh at padl.com
Mon Mar 12 18:25:27 EDT 2007
>What version of Windows is running on the AD server? One problem I
>think I've seen is that in some recent versions of Windows, AD uses a
>different salt for the password than the usual principal-name salt.
>(AD stores the actual password, rather than a key.) I thought this
>should only be a problem if you're typing a password into an MIT krb5
>ktutil or similar keytab tool, but I think ktpass may have the same
>problem.
Note that rc4-hmac keys are unsalted, and AD does store keys rather
than passwords (Windows workstations joined to a domain store the
password).
-- Luke
--
www.padl.com | www.lukehoward.com