
Windows AD and Its Keytab File

I just have a simple question. I have Windows Active Directory. I have created a keytab file from it with this command:

ktpass /princ host/User1.contoso.com@CONTOSO.COM /mapuser User1 /pass MyPas$w0rd /out machine.keytab /crypto all /ptype KRB5_NT_PRINCIPAL /mapop set

Now, as per my understanding, this file consists of the username along with its password in encrypted format. When I try to authenticate with this keytab file, is the request served by the file only, or does it further communicate with Windows AD to authenticate?

The reason I am asking is that I am getting timed out, and I am thinking in that direction in case it is also connecting with AD, because AD is in a different VPC altogether.


Answer

There are a few things going on here. People typically authenticate against actual services like HTTP, SSH and such, not HOST. HOST is just the machine itself.

That being said, there are a few more things going on here. You don’t have a hostname defined inside of your keytab – you have a username in there. HOST/ in this case should map to a DNS hostname, not to a username (in your case, User1.contoso.com). In its simplest form, Kerberos is designed to allow user principals (people like you, the user) to authenticate to services on the network (which will be represented as service principals in both the KDC and in the keytab). In more complicated scenarios it is service to service, but I think you’re talking about user to service here. I think in this case, Kerberos is getting confused and timing out because “host/User1.contoso.com” either doesn’t exist on the KDC, or you don’t have a machine named User1.contoso.com in DNS, or both. You can still make the Kerberos SPN map to User1, but HOST needs to correspond to a machine on the network. Instead of host/User1.contoso.com@CONTOSO.COM, I would replace User1 with the actual machine name Kerberos will authenticate against. If the machine is named Server1, for example, re-create the keytab as shown below. Please also append the Kerberos realm name to the service principal when you create the keytab; you left it out in the example you gave. Finally, Kerberos services should be written in upper case, so use HOST instead of host. To fix this:

  1. Remove the SPN from User1 like this:

    setspn -D host/User1.contoso.com@CONTOSO.COM User1

  2. Re-create the keytab like below (I made three changes) then try it again:

    ktpass /princ HOST/server1.contoso.com@CONTOSO.COM /mapuser user1@CONTOSO.COM /pass MyPas$w0rd /out machine.keytab /crypto all /ptype KRB5_NT_PRINCIPAL /mapop set

NOTE: The keytab never communicates with AD. What it does is decrypt the inbound Kerberos service ticket to tell who the user is. I have a write-up about the mechanics of this here: https://social.technet.microsoft.com/wiki/contents/articles/36470.active-directory-using-kerberos-keytabs-to-integrate-non-windows-systems.aspx.
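Since the keytab is a plain file that never talks to AD, the quickest way to see what ktpass actually wrote into it is to read it directly. The following is an added example, not code from the thread or from Microsoft's documentation: a small parser for the MIT-style keytab format (version 0x0502, which is what Windows ktpass and MIT/Heimdal tools exchange) plus a check for the two defects the answer points out (a lower-case service name and a missing realm). The sample keytab bytes and the 32-byte key are constructed in memory for the demonstration; the key is a dummy constant, not real key material, and `check_host_spn` is this example's own helper, not a Kerberos API.

```python
"""Inspect a keytab's principals, kvno and enctypes without contacting the KDC."""
import struct
from dataclasses import dataclass
from typing import List

# Display names for common enctype numbers (RFC 3961/3962, MS-KILE).
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}


@dataclass
class KeytabEntry:
    realm: str
    components: List[str]
    name_type: int
    timestamp: int
    kvno: int
    enctype: int
    key: bytes

    @property
    def principal(self) -> str:
        return "/".join(self.components) + "@" + self.realm


def _counted_string(buf: bytes, pos: int):
    """uint16 big-endian length followed by that many bytes."""
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + n], pos + n


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Walk a version-2 keytab. Each entry is int32 size + body; negative size = deleted slot."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:                      # hole left by a deleted entry: skip it
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _counted_string(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _counted_string(data, pos)
            comps.append(c.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, keylen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + keylen]
        pos += keylen
        kvno = vno8
        if end - pos >= 4:                # optional 32-bit kvno overrides the 8-bit one
            (kvno32,) = struct.unpack_from(">I", data, pos)
            if kvno32:
                kvno = kvno32
        pos = end
        entries.append(KeytabEntry(realm.decode(), comps, name_type, timestamp, kvno, enctype, key))
    return entries


def build_entry(principal: str, kvno: int, enctype: int, key: bytes, timestamp: int = 0) -> bytes:
    """Serialise one entry with name type KRB5_NT_PRINCIPAL (1); used here to construct sample data."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


def check_host_spn(entry: KeytabEntry) -> List[str]:
    """Hypothetical helper: flag a lower-case service name, a malformed SPN shape, or an empty realm."""
    problems = []
    service = entry.components[0] if entry.components else ""
    if service != service.upper():
        problems.append(f"service '{service}' is not upper case")
    if len(entry.components) != 2:
        problems.append("expected exactly SERVICE/hostname")
    if not entry.realm:
        problems.append("realm is empty")
    return problems


DUMMY_KEY = bytes(range(32))   # constructed placeholder, not a real AES-256 key

# Constructed sample: the principal from the question followed by the corrected one.
SAMPLE_KEYTAB = (b"\x05\x02"
                 + build_entry("host/User1.contoso.com@CONTOSO.COM", 3, 18, DUMMY_KEY)
                 + build_entry("HOST/server1.contoso.com@CONTOSO.COM", 3, 18, DUMMY_KEY))

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(f"{e.principal}  kvno={e.kvno}  {ENCTYPES.get(e.enctype, e.enctype)}  {check_host_spn(e)}")
```

To inspect a real file, replace `SAMPLE_KEYTAB` with `open("machine.keytab", "rb").read()`; the output tells you whether the principal, kvno and enctypes match what the KDC expects before you look at network paths between VPCs.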

User contributions licensed under: CC BY-SA