Bizarre problem with authenticating a service principal with AD

Luke Howard lukeh at padl.com
Mon Mar 12 18:25:27 EDT 2007


>What version of Windows is running on the AD server?  One problem I
>think I've seen is that in some recent versions of Windows, AD uses a
>different salt for the password than the usual principal-name salt.
>(AD stores the actual password, rather than a key.)  I thought this
>should only be a problem if you're typing a password into an MIT krb5
>ktutil or similar keytab tool, but I think ktpass may have the same
>problem.

Note that rc4-hmac keys are unsalted, and AD does store keys rather
than passwords (Windows workstations joined to a domain store the
password).

-- Luke

--
www.padl.com | www.lukehoward.com


