Creating an MIT style keytab for an existing Windows AD membercomputer

Paul Moore paul.moore at
Wed Jul 23 13:41:41 EDT 2008

"It could then impersonate any user to the machine"

Can you explain that. I want to make sure I understand all potential
kerb threats, this is a new one to me. 

-----Original Message-----
From: kerberos-bounces at [mailto:kerberos-bounces at] On
Behalf Of Douglas E. Engert
Sent: Wednesday, July 23, 2008 7:19 AM
To: Edward Irvine
Cc: kerberos at
Subject: Re: Creating an MIT style keytab for an existing Windows AD

Edward Irvine wrote:
> Hi,
> I'd like to find out if there is any way to extract a HOST keytab for 
> a windows computer that is already a member of an active directory 
> domain.

Do you have to be use the Windows "host" principal? Can your application
use a different principal, like HTTP or LDAP or make up your own.

Then your application server has its own keyfile, and does not need
access to the one use by Windows for login. There are security issues
with letting an application access this key. It could then impersonate
any user to the machine.

> A Java developer I look after wants to do the single sign on thing to 
> his web application. Our environment is a mixed Active Directory and 
> Solaris environment.
> By creating a new user in active directory, and mapping the user to a 
> service principle using ktpass.exe, we now have SPNEGO single sign on 
> working between the clients Internet Explorer and the JBoss server on 
> *Solaris*. So far so good.

A common misunderstanding when reading the Microsoft docs Kerberos and
service principals has to do with the term "user".
The "user" account referred to with ktpass, is an ldap term for the
objectclass user. Kerberos service principals need a "user" account in
AD. This user account has nothing to do with real users who will
authenticate to the service.

> The developer, who uses a Windows workstation that is part the Active 
> Directory domain, now wants the SPNEGO authentication to work in his 
> own windows workstation - and for that to work I need to get the 
> keytab for the host/ at KERBEROS.REALM.NAME
> A quick LDAP lookup of his workstation in AD reveals that it already 
> has a servicePrincipalName of HOST/ - so presumably I 
> can extract the keytab somehow. But how?
  Not really. They also change the keys every so often, so you don't
want to copy it.

If your Java application needs to act as a server, and really use the
"host" service principal, can you use some Java to SSPI-service class?
(Don't know if one exists.) (GSSAPI and SSPI use the same protocols.)

> I don't personally have admin access to the AD domain, but I work with

> the folks who do.
> Eddie
> ________________________________________________
> Kerberos mailing list           Kerberos at


  Douglas E. Engert  <DEEngert at>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
Kerberos mailing list           Kerberos at

More information about the Kerberos mailing list