windows 2003 AD and keytab file generation

Douglas E. Engert deengert at
Wed Jul 2 10:02:06 EDT 2008

Shambhulal R. Sharma wrote:
> Hi All
> I am trying to use Active Directory installed on Windows Server 2003 as
> KDC. I followed the Microsoft step-by-step guide
> to create a
> windows user account, ktpass command to map a service principal name to
> the windows user account and generate a keytab file. So far I can map
> one service principal name to one windows user account which works fine.
> I have a requirement where multiple services running on a system should
> map their service principals to a single Windows User preferably
> computer account. I would like to generate/prepare a single keytab file
> for all service [ftp,http, etc.] principal names using ktpass and ktutil
> commands.

 From reading your note and notes from others in the past, you may be confused
by the use of the term "user account" in the Microsoft article. You need to have
an account for the service, which has objectClass:  top, person,
organizationalPerson and user. (It can also have an objectClass  computer.)
This account has nothing to do with the users who will use the service.
It is an account for the service. It has to have a sAMAccountName that is
restricted to 19 characters and unique in the forest. We use a convention
something like:     <service>-<simplehostname>-<div>
a fictional example:    host-mylinux-it
and the servicePrincipalName would be:  host/ at GA.COM
The account can be located anywhere in the directory tree.

> My questions:
> Is it possible to use a computer account to map multiple service
> principal names. I know about setspn command which can allow
> add/delete/list operations to manage service principal association with
> a windows user/computer account.

Yes. But note that since there is only one password per account, all these
principals will uses the same password to generate the keys. With RC4 there
is no salt so they will have the same key. This may not be what you want.

> The problem seems to be with ktpass command, I do not know how I can
> generate keytab file for all service principal associated with a single
> user/computer account. Every time I try to use the ktpass -princ ...
> command it changes the kvno number which invalidates the previous keytab
> files. I tried ktpass with multiple -princ <...> -princ <...> options,
> which generates the keytab file only for the last principal name
> specified in the ktpass command line.

The best way to do this is assign a different account for each service,
so each has its own password and thus a different key.
  host-mylinux   host/ at GA.COM
  HTTP-mylinux   HTTP/ at GA.COM

You could then ues the unix tools to merge keytab files generated
by ktpass if needed.

Or you could use something like msktutil or the Solaris scripts
to do all the ldap commands to AD to add/mod accounts and manage keytabs.

> Is it possible to have multiple service principals associated with a
> single computer/user account. Due to some security reasons this is not
> permitted on Windows.

Yes it is, but the will share the same key.

> <>  
> ________________________________________________
> Kerberos mailing list           Kerberos at


  Douglas E. Engert  <DEEngert at>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

More information about the Kerberos mailing list