Test keytab file windows
In this article we will show how to create a keytab file for the SPN of a linked Active Directory account using the ktpass tool. Most often, a separate Active Directory user account is created for a service that requires a keytab file.
However, you can also use a computer object for this. Kerberos authentication uses the SPN to map a service instance to an AD account, which is why applications can authenticate as services even if they do not know a user name. First, create a service account in AD and set a known password for it. You can create the account from the graphical ADUC console (dsa.). In the next step, bind a service principal name (SPN) to the user account.
In summary, keytabs are used either (1) to authenticate the service itself to another service on the network, or (2) to decrypt the Kerberos service ticket of an inbound directory user to the service. This article mainly covers how a keytab is used on mixed networks, where a Microsoft Active Directory domain is the KDC providing enterprise directory services for a heterogeneous network of both Windows and non-Windows systems (such as Linux and Java-based application servers), and where AD users accessing some service on a non-Windows system (for example, HTTP) should be silently authenticated into that system with their AD username rather than challenged for credentials.
Since such a system might not be participating in the AD domain in any other way, there must be some common authentication mechanism to allow this to work.
The Kerberos single sign-on (SSO) protocol accomplishes this task. Think of the SPN as the centerpiece of this arrangement, and the keytab as the glue. SPNs will be the topic of another article; we will focus only on the keytab here.
Kerberos keytabs, also known as key table files, are only employed on non-Windows servers, and then only in the case where the administrator wishes to integrate their application server with AD via Kerberos SSO. This is also why Kerberos client configuration files, such as krb5.
In other words, if you want your client systems to log on to the non-Windows system using their AD credentials via SSO (not challenged again for username and password) and be silently authenticated to the application server, a keytab is required. This is the critical role of the keytab during Kerberos authentication. The keytab must be generated on either a member server or a domain controller of the Active Directory domain using the ktpass utility.
Use the Windows Server built-in utility ktpass. The ktpass command must be run on either a member server or a domain controller of the Active Directory domain. The LDAP bind error indicates that ktpass can't authenticate you to the domain controller; are you logged into a domain account when this happens? It has to be a domain account rather than a local one, and it must be authorized to make the necessary changes to AD, though lacking only that would give a permission error rather than a bind error.
The AD TGT the user gets upon logging in is then sufficient to acquire credentials for services in the Unix realm as well; e.
Creating a keytab to use with kinit in Windows. My issue is that I want to use one keytab on multiple computers and do not want to attach the keytab to only one computer.
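Before a failed SSO is blamed on the application, it helps to look inside the keytab itself: the principal (including realm case), the kvno and the enctype are what must match the AD account and the ticket the KDC issues. The following is an added example, not code from the article or from ktpass: a small Python parser for the MIT-format keytab that ktpass writes, exercised on a constructed sample entry (the principal HTTP/app.example.com@EXAMPLE.COM, kvno 3 and the all-zero key are made-up values).

```python
import struct

def _cstr(b: bytes) -> bytes:          # counted octet string: u16 length + bytes
    return struct.pack(">H", len(b)) + b

def build_entry(realm, components, name_type, timestamp, kvno, enctype, key):
    """Serialise one v0x502 keytab entry, including the 32-bit kvno extension."""
    body = struct.pack(">H", len(components)) + _cstr(realm.encode())
    body += b"".join(_cstr(c.encode()) for c in components)
    body += struct.pack(">IIBH", name_type, timestamp, kvno & 0xFF, enctype)
    body += _cstr(key) + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample (dummy all-zero key): the shape ktpass produces for
# HTTP/app.example.com@EXAMPLE.COM with /ptype KRB5_NT_PRINCIPAL, /crypto AES256-SHA1 (enctype 18), kvno 3.
SAMPLE_KEYTAB = b"\x05\x02" + build_entry(
    "EXAMPLE.COM", ["HTTP", "app.example.com"], 1, 1700000000, 3, 18, bytes(32))

def _read_cstr(data, pos):
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(data: bytes):
    """Return [{principal, kvno, enctype, key_len}] for every live entry."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version (expected 0x0502)")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                      # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _read_cstr(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_cstr(data, pos)
            comps.append(c.decode())
        _ntype, _ts, vno8, enctype = struct.unpack_from(">IIBH", data, pos)
        key, pos = _read_cstr(data, pos + 11)
        kvno = vno8
        if pos + 4 <= end:                 # optional 32-bit kvno follows the key
            (kvno,) = struct.unpack_from(">I", data, pos)
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno, "enctype": enctype, "key_len": len(key)})
        pos = end
    return entries
```

Run `parse_keytab(open("service.keytab", "rb").read())` on a real file and compare the reported kvno with the account's msDS-KeyVersionNumber: a password reset after ktpass was run bumps the kvno and silently breaks ticket decryption.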
Both are valid. You may want your application to run under the security context of the computer or a user account. Typically, you want your app to run as a user that you grant only the specific rights needed for the application to work. I think this is the more common scenario, so I've shown the commands to create a keytab for a user.
Brian, your article and comments helped me to understand the process a little better. So, even if this is not the responsibility of my role, I can provide good support for the prerequisites.
Do you still maintain the site? Still here, though I've changed jobs so I blog about other things recently. My other site is BehindTheRacks. Brian, you stated on November 25th in the comments the following: "You may want your application to run under the security context of the computer or a user account". Do I understand it correctly that when I run multiple Samba instances (each with their own config, etc.) on 1 server, I would have to [email protected] and [email protected] to get a keytab file for each Samba instance specifically?
I've never tried to put multiple instances of samba on the same server, but I assume that's correct. Each instance would have its own principal, and therefore require its own keytab.
Hi Brian, thanks for your blog, your article helped me to understand a little better.