Creating an MIT style keytab for an existing Windows AD member computer
Edward Irvine
eirvine at tpg.com.au
Wed Jul 23 03:59:17 EDT 2008
Hi,
I'd like to find out if there is any way to extract a HOST keytab for
a Windows computer that is already a member of an Active Directory
domain.
A Java developer I look after wants to do the single sign on thing to
his web application. Our environment is a mixed Active Directory and
Solaris environment.
By creating a new user in Active Directory, and mapping the user to a
service principal using ktpass.exe, we now have SPNEGO single sign on
working between the client's Internet Explorer and the JBoss server on
*Solaris*. So far so good.
The developer, who uses a Windows workstation that is part of the Active
Directory domain, now wants the SPNEGO authentication to work in his
own Windows workstation - and for that to work I need to get the
keytab for the host/pingname.of.host@KERBEROS.REALM.NAME
A quick LDAP lookup of his workstation in AD reveals that it already
has a servicePrincipalName of HOST/pingname.of.host - so presumably I
can extract the keytab somehow. But how?
I don't personally have admin access to the AD domain, but I work
with the folks who do.
Eddie
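
Added example, not part of the original post: once a keytab has been produced (for instance with ktpass.exe as described above), a parser like this lists the principal, key version and encryption type it holds and checks the exact spelling of the principal a service expects. It assumes the MIT keytab file format 0x0502; the function names and the sample keytab with an all-zero key are constructed for illustration.

```python
import io, struct

def _parse_entry(rec):
    buf = io.BytesIO(rec)
    def take(fmt):                       # one big-endian field; struct.error if truncated
        return struct.unpack(fmt, buf.read(struct.calcsize(fmt)))[0]
    def take_str():                      # uint16 length followed by that many bytes
        n = take(">H")
        s = buf.read(n)
        if len(s) != n:
            raise ValueError("truncated keytab entry")
        return s
    ncomp = take(">H")
    realm = take_str().decode()
    comps = [take_str().decode() for _ in range(ncomp)]
    name_type, timestamp = take(">I"), take(">I")   # read to advance; unused here
    kvno, enctype = take(">B"), take(">H")
    key = take_str()
    if len(rec) - buf.tell() >= 4:       # optional 32-bit kvno replaces the 8-bit one
        kvno = take(">I")
    return {"principal": "/".join(comps) + "@" + realm, "kvno": kvno,
            "enctype": enctype, "key_len": len(key)}   # key bytes are never returned

def parse_keytab(data):
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if pos + abs(size) > len(data):
            raise ValueError("entry runs past end of file")
        if size > 0:                     # negative length marks a deleted slot to skip
            entries.append(_parse_entry(data[pos:pos + size]))
        pos += abs(size)
    return entries

def check_principal(entries, wanted):
    names = [e["principal"] for e in entries]
    if wanted in names:                  # MIT Kerberos matches names case-sensitively
        return "exact"
    return "case-mismatch" if wanted.lower() in (n.lower() for n in names) else "missing"

def sample_keytab():                     # constructed sample: one hole, one rc4-hmac (23) entry
    s = lambda b: struct.pack(">H", len(b)) + b
    body = (struct.pack(">H", 2) + s(b"KERBEROS.REALM.NAME") + s(b"HOST") + s(b"pingname.of.host")
            + struct.pack(">IIBH", 1, 0, 3, 23) + s(bytes(16)) + struct.pack(">I", 3))
    return b"\x05\x02" + struct.pack(">i", -4) + bytes(4) + struct.pack(">i", len(body)) + body
```

For the sample, check_principal reports "case-mismatch" for host/pingname.of.host@KERBEROS.REALM.NAME because the entry is stored as HOST/..., the spelling difference that appears between the two forms quoted in the post.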