Generate Keytab File


    To generate a keytab file, you need the Windows Server Support Tools on your domain controller. Install them from the Windows CD if they are not already installed.
    For more information about Windows Server Support Tools, see http://technet.microsoft.com/en-us/library/cc758202%28WS.10%29.aspx.

    The keytab file is an encrypted, local, on-disk copy of the host's key. Like the stash file (see Create the Database), the keytab file is a potential point of entry for a break-in: if it is compromised, it allows unrestricted access to its host. The keytab file should be readable only by root and should exist only on the machine's local disk. To create a principal and generate a keytab file, you can use the kadmin command. If you generate the keytab file on another host, you must get a copy of it onto the destination host without sending it unencrypted over the network. Create a Kerberos principal and keytab files for each encryption type you use.

    These support tools include the ktpass utility. Use this utility to create a keytab for the EC account, as follows:
    ktpass /pass <User Password of the Authentication Service AD account> /mapuser <Legacy User Name of the AD account> /out <ec.keytab> /princ HTTP/<FQDN>@<DOMAIN NAME> /ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT /Target <DOMAIN NAME>
    The utility generates the file <ec.keytab> in your working directory. You will upload this keytab file to Authentication Service later.
    The legacy user name used as the /mapuser argument should match the sAMAccountName in Active Directory. This is also the User logon name you set up in Add a user account to Active Directory.
    On success, ktpass reports the entry it wrote, for example:
    keysize 105 HTTP/ec001.mydomain.com@DEV.MYDOMAIN.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x17 (RC4-HMAC) keylength 16 (0x4968e35c0c5586d1f63a9454e242d1c4)
    Note that this output includes the key bytes in hex, so console logs and transcripts of this step are as sensitive as the keytab itself.
    If instead ktpass reports that the user could not be found:
    WARNING: search term '(& (objectClass=person) (samaccountname=authuser))' produced no results.
    Failed to locate user '(& (objectClass=person) (samaccountname=authuser))'.
    check that the /mapuser and /pass arguments correspond to the user created in Active Directory for Authentication Service.


    If the user is found but ktpass fails to create the keytab, there may be problems with the domain controller setup. Run the netdiag command (also part of the Windows Server 2003 Support Tools), and check that the DNS and Kerberos tests pass.
    If the DNS test fails, it is probable that some of the DNS entries required by the domain controller are not registered. In this case, try running ipconfig /registerdns to see if this fixes the problem.
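    The keytab that ktpass writes (and the /Etc/Krb5.keytab it is later merged into) is a plain MIT-format file, so it can be audited without ever printing the keys. The Python below is an added example, not part of this page or of ktpass: it parses the keytab, reports each entry's principal, name type, kvno and enctype, flags DES and RC4 entries (the /crypto RC4-HMAC-NT used above), and checks that the file mode matches the rule that the keytab be readable only by its owner. The sample keytab is constructed in-code with dummy all-zero keys, and build_entry, parse_keytab and audit_keytab are names chosen here.

```python
import io
import struct

ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "rc4-hmac",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}
WEAK_ENCTYPES = {1, 3, 23}  # DES and RC4 (enctype numbers from RFC 3961/3962/4757)

def _octets(buf):  # counted octet string: uint16 big-endian length, then the bytes
    return buf.read(struct.unpack(">H", buf.read(2))[0])

def parse_keytab(data):  # MIT 0x0502 keytab -> list of entry dicts; key bytes are never returned
    buf = io.BytesIO(data)
    if buf.read(2) != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    entries = []
    while len(hdr := buf.read(4)) == 4:
        (size,) = struct.unpack(">i", hdr)
        ent = io.BytesIO(buf.read(abs(size)))  # a negative size marks a deleted slot
        if size <= 0:
            continue
        ncomp = struct.unpack(">H", ent.read(2))[0]
        realm = _octets(ent).decode()
        comps = [_octets(ent).decode() for _ in range(ncomp)]
        name_type, _stamp, vno8 = struct.unpack(">IIB", ent.read(9))
        enctype, keylen = struct.unpack(">HH", ent.read(4))
        ent.seek(keylen, 1)  # skip the key itself: an audit must not surface it
        vno = struct.unpack(">I", t)[0] if len(t := ent.read(4)) == 4 else 0  # optional 32-bit kvno
        entries.append({"principal": "/".join(comps) + "@" + realm, "name_type": name_type,
                        "kvno": vno or vno8, "enctype": ENCTYPE_NAMES.get(enctype, str(enctype)),
                        "weak": enctype in WEAK_ENCTYPES})
    return entries

def audit_keytab(data, mode):  # mode: the file's permission bits, e.g. os.stat(path).st_mode
    found = [f"{e['principal']} kvno {e['kvno']}: weak enctype {e['enctype']}"
             for e in parse_keytab(data) if e["weak"]]
    if mode & 0o077:  # the page's rule: the keytab should be readable only by root
        found.append(f"file mode {oct(mode & 0o777)} is readable by group or other")
    return found

def build_entry(comps, realm, name_type, kvno, enctype, key):  # writer side, sample input only
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    body += b"".join(struct.pack(">H", len(c)) + c.encode() for c in comps)
    body += struct.pack(">IIBHH", name_type, 0, kvno & 0xFF, enctype, len(key)) + key
    return struct.pack(">i", len(body) + 4) + body + struct.pack(">I", kvno)

# Constructed sample, dummy zero keys: the page's principal with /ptype KRB5_NT_PRINCIPAL (1),
# /crypto RC4-HMAC-NT and /kvno 3, plus the AES256 entry that /crypto All would add
SAMPLE_KEYTAB = b"\x05\x02" + b"".join(
    build_entry(["HTTP", "ec001.mydomain.com"], "DEV.MYDOMAIN.COM", 1, 3, et, bytes(n))
    for et, n in ((23, 16), (18, 32)))
```

    On a real file, call audit_keytab(open(path, "rb").read(), os.stat(path).st_mode); the mode check is meaningful on the non-Windows host that receives the keytab.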


    Parameters

    /out <FileName>

    Specifies the name of the Kerberos version 5 .keytab file to generate.

    Note

    This is the .keytab file that you transfer to a computer that is not running the Windows operating system, and then replace or merge with your existing .keytab file, /Etc/Krb5.keytab.

    /princ <PrincipalName>

    Specifies the principal name in the form host/computer.contoso.com@CONTOSO.COM.

    Warning

    This parameter is case sensitive. See Remarks for more information.

    /mapuser <UserAccount>

    Maps the name of the Kerberos principal, which is specified by the princ parameter, to the specified domain account.

    /mapop {add|set}

    Specifies how the mapping attribute is set.

    • Add adds the value of the specified local user name. This is the default.

    • Set sets the value for Data Encryption Standard (DES)-only encryption for the specified local user name.

    {-|+}desonly

    DES-only encryption is set by default.

    • + Sets an account for DES-only encryption.

    • - Releases restriction on an account for DES-only encryption.

    Important

    Beginning with Windows 7 and Windows Server 2008 R2, Windows does not support DES by default.

    /in <FileName>

    Specifies the .keytab file to read from a host computer that is not running the Windows operating system.

    /pass {Password|*|{-|+}rndpass}

    Specifies a password for the principal user name that is specified by the princ parameter. Use '*' to prompt for a password.

    /minpass

    Sets the minimum length of the random password to 15 characters.

    /maxpass

    Sets the maximum length of the random password to 256 characters.

    /crypto {DES-CBC-CRC|DES-CBC-MD5|RC4-HMAC-NT|AES256-SHA1|AES128-SHA1|All}

    Specifies the keys that are generated in the keytab file:

    • DES-CBC-CRC is used for compatibility.

    • DES-CBC-MD5 adheres more closely to the MIT implementation and is used for compatibility.

    • RC4-HMAC-NT employs 128-bit encryption.

    • AES256-SHA1 employs AES256-CTS-HMAC-SHA1-96 encryption.

    • AES128-SHA1 employs AES128-CTS-HMAC-SHA1-96 encryption.

    • All states that all supported cryptographic types can be used.

    Note

    The default settings are based on older MIT versions. Therefore, /crypto should always be specified.

    /itercount

    Specifies the iteration count that is used for AES encryption. The default is that itercount is ignored for non-AES encryption and set at 4,096 for AES encryption.

    /ptype {KRB5_NT_PRINCIPAL|KRB5_NT_SRV_INST|KRB5_NT_SRV_HST}

    Specifies the principal type.

    • KRB5_NT_PRINCIPAL is the general principal type (recommended).

    • KRB5_NT_SRV_INST is the user service instance.

    • KRB5_NT_SRV_HST is the host service instance.

    /kvno <KeyVersionNum>

    Specifies the key version number. The default value is 1.

    /answer {-|+}

    Sets the background answer mode:

    - Answers reset password prompts automatically with NO.

    + Answers reset password prompts automatically with YES.

    /target

    Sets which domain controller to use. The default is for the domain controller to be detected, based on the principal name. If the domain controller name does not resolve, a dialog box will prompt for a valid domain controller.

    /rawsalt

    Forces Ktpass to use the rawsalt algorithm when generating the key. This parameter is not needed.

    {-|+}dumpsalt

    The output of this parameter shows the MIT salt algorithm that is being used to generate the key.

    {-|+}setupn

    Sets the user principal name (UPN) in addition to the service principal name (SPN). The default is to set both in the .keytab file.

    {-|+}setpass <Password>

    Sets the user's password when supplied. If rndpass is used, a random password is generated instead.

    /?|/h|/help

    Displays command-line Help for Ktpass.

    Remarks

    Services running on systems that are not running the Windows operating system can be configured with service instance accounts in Active Directory Domain Services. This allows any Kerberos client to authenticate to services that are not running the Windows operating system by using Windows KDCs.

    The /princ parameter is not evaluated by Ktpass and is used as provided. There is no check that the parameter matches the exact case of the userPrincipalName attribute value when the keytab file is generated. Case-sensitive Kerberos distributions using this keytab file might have problems when there is no exact case match and could fail during pre-authentication. Check and retrieve the correct userPrincipalName attribute value from an LDIFDE export file. For example:

    Examples

    The following example illustrates how to create a Kerberos .keytab file, machine.keytab, in the current directory for the user Sample1. (You will merge this file with the Krb5.keytab file on a host computer that is not running the Windows operating system.) The Kerberos .keytab file will be created for all supported encryption types for the general principal type.


    To generate a .keytab file for a host computer that is not running the Windows operating system, use the following steps to map the principal to the account and set the host principal password:


    1. Use the Active Directory User and Computers snap-in to create a user account for a service on a computer that is not running the Windows operating system. For example, create an account with the name Sample1.

    2. Use Ktpass to set up an identity mapping for the user account by typing the following at a command prompt:

      Note

      You cannot map multiple service instances to the same user account.

    3. Merge the .keytab file with the /Etc/Krb5.keytab file on a host computer that is not running the Windows operating system.
