
Re: Creating an MIT style keytab for an existing Windows AD member

daemon@ATHENA.MIT.EDU (Michael B Allen)
Wed Jul 23 14:02:40 2008

Message-ID: <78c6bd860807231101o64f71bbfx8cfd14af78ccd4c0@mail.gmail.com>
Date: Wed, 23 Jul 2008 14:01:43 -0400
From: "Michael B Allen" <ioplex@gmail.com>
To: "Edward Irvine" <eirvine@tpg.com.au>
In-Reply-To: <2EFEBB04-5276-442A-9EA3-B9B41FDEC9A7@tpg.com.au>
Cc: kerberos@mit.edu

On Wed, Jul 23, 2008 at 3:59 AM, Edward Irvine <eirvine@tpg.com.au> wrote:
> Hi,
>
> I'd like to find out if there is any way to extract a HOST keytab for
> a Windows computer that is already a member of an Active Directory
> domain.
>
> A Java developer I look after wants to do the single sign on thing to
> his web application. Our environment is a mixed Active Directory and
> Solaris environment.
>
> By creating a new user in Active Directory, and mapping the user to a
> service principal using ktpass.exe, we now have SPNEGO single sign on
> working between the clients' Internet Explorer and the JBoss server on
> *Solaris*. So far so good.
>
> The developer, who uses a Windows workstation that is part of the Active
> Directory domain, now wants the SPNEGO authentication to work on his
> own Windows workstation - and for that to work I need to get the
> keytab for the host/pingname.of.host@KERBEROS.REALM.NAME
>
> A quick LDAP lookup of his workstation in AD reveals that it already
> has a servicePrincipalName of HOST/pingname.of.host - so presumably I
> can extract the keytab somehow. But how?
>
> I don't personally have admin access to the AD domain, but I work
> with the folks who do.

Extracting the keys from AD is not possible [1].

However, the ktpass utility from MS can set the password, generate the
corresponding key separately and put it into a keytab file.

Note that you must have at least account operator privilege to set a
password in AD.

Mike

[1] There is a freeware utility called ktexport that can extract the
keys from a DC and dump them into a keytab but it is only (sometimes)
useful for debugging purposes with Wireshark. The resulting keytab is
not valid for use with any kind of service.

-- 
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
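As an added example (not code from the thread), a minimal writer and reader for the MIT keytab file format (version 0x0502) that ktpass produces, useful for checking that a generated keytab carries the expected principal, realm, kvno and enctype. The principal, realm, kvno and key bytes are constructed sample values; a real key is the output of the enctype's string-to-key function applied to the account password, which is what ktpass computes.

```python
"""Minimal MIT keytab (format 0x0502) writer and reader. All values are
big-endian; the sample principal and key used in the test are constructed."""
import struct
import time

KEYTAB_VERSION = b"\x05\x02"   # MIT keytab format version 2
NT_PRINCIPAL = 1               # name type for ordinary principals


def _counted(data):
    # counted_octet_string: 16-bit length followed by the bytes
    return struct.pack(">H", len(data)) + data


def build_entry(principal, realm, kvno, enctype, key, timestamp=None):
    """Serialize one entry; principal is e.g. 'host/ws1.example.com'."""
    comps = principal.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    for comp in comps:
        body += _counted(comp.encode())
    body += struct.pack(">IIB", NT_PRINCIPAL, timestamp or int(time.time()), kvno & 0xFF)
    body += struct.pack(">H", enctype) + _counted(key)   # keyblock
    body += struct.pack(">I", kvno)    # 32-bit kvno extension (present if room left)
    return struct.pack(">i", len(body)) + body


def write_keytab(entries):
    return KEYTAB_VERSION + b"".join(entries)


def read_keytab(blob):
    """Parse a keytab blob; a negative size marks a deleted slot to skip."""
    if blob[:2] != KEYTAB_VERSION:
        raise ValueError("not a version-2 MIT keytab")
    out, pos = [], 2
    while pos < len(blob):
        (size,) = struct.unpack_from(">i", blob, pos); pos += 4
        if size < 0:
            pos += -size; continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", blob, pos); pos += 2
        strs = []
        for _ in range(ncomp + 1):     # realm first, then the name components
            (n,) = struct.unpack_from(">H", blob, pos); pos += 2
            strs.append(blob[pos:pos + n].decode()); pos += n
        name_type, ts, vno8 = struct.unpack_from(">IIB", blob, pos); pos += 9
        enctype, klen = struct.unpack_from(">HH", blob, pos); pos += 4
        key = blob[pos:pos + klen]; pos += klen
        kvno = struct.unpack_from(">I", blob, pos)[0] if end - pos >= 4 else vno8
        out.append({"principal": "/".join(strs[1:]) + "@" + strs[0], "kvno": kvno,
                    "enctype": enctype, "key": key, "timestamp": ts})
        pos = end
    return out
```

Enctype 18 is aes256-cts-hmac-sha1-96 and 23 is rc4-hmac; a keytab whose realm is not uppercase, or whose kvno lags the account's current password version, will fail at the service even though the file parses cleanly.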
