windows 2003 AD and keytab file generation

[Shambhulal R. Sharma]

Hi All
 
I am trying to use Active Directory installed on Windows Server 2003 as
KDC. I followed the Microsoft step-by-step guide
http://technet.microsoft.com/en-us/library/bb742433.aspx to create a
windows user account, ktpass command to map a service principal name to
the windows user account and generate a keytab file. So far I can map
one service principal name to one windows user account which works fine.
 
I have a requirement where multiple services running on a system should
map their service principals to a single Windows User preferably
computer account. I would like to generate/prepare a single keytab file
for all service [ftp,http, etc.] principal names using ktpass and ktutil
commands.
 
My questions:
 
Is it possible to use a computer account to map multiple service
principal names. I know about setspn command which can allow
add/delete/list operations to manage service principal association with
a windows user/computer account.
 
The problem seems to be with ktpass command, I do not know how I can
generate keytab file for all service principal associated with a single
user/computer account. Every time I try to use the ktpass -princ ...
command it changes the kvno number which invalidates the previous keytab
files. I tried ktpass with multiple -princ <...> -princ <...> options,
which generates the keytab file only for the last principal name
specified in the ktpass command line.
 
Is it possible to have multiple service principals associated with a
single computer/user account. Due to some security reasons this is not
permitted on Windows.
 
SAM SHARMA
 
 
 
<http://technet.microsoft.com/en-us/library/bb742433.aspx#EBAA>