Ktpass not creating keytab file

If the user account is found but ktpass still fails to create the keytab, the domain controller setup is the likely problem. If the DNS test fails, some of the DNS (SRV) records a domain controller must register are probably missing.
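A pre-flight check for the two failure causes above, as an added example that is not part of the original post. It assumes the RSAT ActiveDirectory module and the built-in DnsClient and NetTCPIP modules are available; the domain and account names in the usage line are placeholders. It resolves the SRV records a DC registers through Netlogon, confirms a KDC answers on TCP/88, and confirms the account to be mapped already exists, since ktpass never creates one.

```powershell
# Added pre-flight check, not code from the original post. Assumes RSAT's
# ActiveDirectory module plus DnsClient/NetTCPIP; names are placeholders.
function Test-KtpassPrerequisites {
    param(
        [Parameter(Mandatory)] [string] $Domain,          # DNS domain name, e.g. corp.example.com
        [Parameter(Mandatory)] [string] $SamAccountName   # legacy logon name of the service account
    )
    $ok = $true

    # SRV records every DC registers through Netlogon. Kerberos clients locate
    # the KDC with these; a missing record is the usual cause of the "DNS test"
    # failing and of ktpass not being able to talk to the DC.
    $srvNames = @(
        "_ldap._tcp.dc._msdcs.$Domain",
        "_kerberos._tcp.dc._msdcs.$Domain",
        "_kerberos._tcp.$Domain",
        "_kpasswd._tcp.$Domain"
    )
    $kdcs = @()
    foreach ($name in $srvNames) {
        try {
            $rec = Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop |
                   Where-Object { $_.Type -eq 'SRV' }
            $targets = @($rec.NameTarget | Sort-Object -Unique)
            Write-Host ("OK      {0} -> {1}" -f $name, ($targets -join ', '))
            if ($name -like '_kerberos._tcp.dc.*') { $kdcs = $targets }
        } catch {
            Write-Warning ("MISSING {0} ({1})" -f $name, $_.Exception.Message)
            $ok = $false
        }
    }

    # A record that resolves is not enough: port 88 on at least one KDC must answer.
    $reachable = @($kdcs | Where-Object {
        (Test-NetConnection -ComputerName $_ -Port 88 -WarningAction SilentlyContinue).TcpTestSucceeded
    })
    if ($kdcs.Count -gt 0 -and $reachable.Count -eq 0) {
        Write-Warning 'no KDC from the SRV records answers on TCP/88'
        $ok = $false
    }

    # ktpass only maps a principal onto an EXISTING account; it never creates one.
    $user = Get-ADUser -Filter "sAMAccountName -eq '$SamAccountName'" -Properties servicePrincipalName
    if (-not $user) {
        Write-Warning "account '$SamAccountName' not found in $Domain"
        $ok = $false
    } elseif ($user.servicePrincipalName) {
        Write-Host ("account '{0}' already carries SPNs: {1}" -f $SamAccountName, ($user.servicePrincipalName -join ', '))
    }
    return $ok
}

# usage (placeholder names):
# Test-KtpassPrerequisites -Domain 'corp.example.com' -SamAccountName 'krbCentos'
```

Run it from the machine you intend to run ktpass on, because that is the resolver and network path ktpass will use; a DC that is healthy from its own console can still be invisible from a member server with a stale DNS suffix.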

Note: the legacy (pre-Windows 2000) logon name, i.e. the sAMAccountName, is used when mapping the user account, to avoid problems with long Windows user names, which ktpass does not support. If you get output similar to:

If you modify the keytab in any way after you create it, in my experience you will invalidate it and it won't work anymore; a new keytab has to be generated to work with the service principal again. There are two parts to a working keytab: the keytab file itself, and the AD account it was associated with during the keytab creation process. What makes them "joined" is the fact that the SPN and the long-term key are the same in both.

That the long-term key is the same on both sides is the symmetric-key cryptography aspect. The effect is visible on the Account tab of the AD user account associated with our keytab: after the keytab generation, the User logon name has been replaced by the SPN, so Kerberos clients looking it up can find it. The encryption-type checkbox on that tab (the one matching the cipher the keytab was generated with) must be selected manually after the keytab generation; otherwise you will receive an error along the lines of 'Cannot find key of appropriate type to decrypt AP REP'. In typical scenarios you only need one keytab to authenticate users coming into an application server, such as a garden-variety web server.
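The AD side of that "joined" pair can be checked from a shell instead of the Account tab. The following is an added example, not code from the original post; it assumes the RSAT ActiveDirectory module, and the SPN and account names are placeholders. It reads the attributes behind the Account tab: servicePrincipalName and userPrincipalName (which ktpass rewrites to the SPN), msDS-SupportedEncryptionTypes (the bitmask the "This account supports Kerberos ... encryption" checkboxes set) and msDS-KeyVersionNumber (the kvno the keytab must carry), and reports what would produce the "Cannot find key of appropriate type" error.

```powershell
# Added example, not from the original post. Assumes RSAT's ActiveDirectory
# module; the SPN, account and crypto names below are placeholders.

# Bits of msDS-SupportedEncryptionTypes, the attribute the Account-tab
# encryption checkboxes write. Names match ktpass /crypto values.
$EncTypeBits = [ordered]@{
    'DES-CBC-CRC' = 1; 'DES-CBC-MD5' = 2; 'RC4-HMAC' = 4; 'AES128-SHA1' = 8; 'AES256-SHA1' = 16
}

function Test-KeytabAccount {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,   # legacy logon name used with /mapuser
        [Parameter(Mandatory)] [string] $Spn,              # e.g. HTTP/web01.corp.example.com
        [ValidateSet('RC4-HMAC','AES128-SHA1','AES256-SHA1')] [string] $Crypto = 'AES256-SHA1'
    )
    $u = Get-ADUser -Filter "sAMAccountName -eq '$SamAccountName'" -Properties `
            servicePrincipalName, userPrincipalName, 'msDS-SupportedEncryptionTypes', 'msDS-KeyVersionNumber'
    if (-not $u) { throw "account '$SamAccountName' not found" }

    $bits    = [int]($u.'msDS-SupportedEncryptionTypes')   # unset attribute -> 0: no AES flag set
    $enabled = @($EncTypeBits.GetEnumerator() | Where-Object { $bits -band $_.Value } | ForEach-Object Key)

    $problems = @()
    if ($u.servicePrincipalName -notcontains $Spn) {
        $problems += "SPN '$Spn' is not on the account (has: $($u.servicePrincipalName -join ', '))"
    }
    if ($u.userPrincipalName -notlike "$Spn*") {
        $problems += "UPN '$($u.userPrincipalName)' was not rewritten to the SPN; ktpass mapping did not happen"
    }
    if (-not ($bits -band $EncTypeBits[$Crypto])) {
        $problems += "$Crypto is not enabled on the account (enabled: $($enabled -join ', ')); " +
                     "a $Crypto keytab will fail with 'Cannot find key of appropriate type to decrypt AP REP'"
    }

    [pscustomobject]@{
        Account  = $u.SamAccountName
        Spns     = $u.servicePrincipalName
        Upn      = $u.userPrincipalName
        EncTypes = $enabled
        Kvno     = $u.'msDS-KeyVersionNumber'   # must equal the kvno stored in the keytab
        Problems = $problems
        Ok       = ($problems.Count -eq 0)
    }
}

# usage (placeholder names):
# Test-KeytabAccount -SamAccountName 'krbCentos' -Spn 'HTTP/web01.corp.example.com' -Crypto 'AES256-SHA1'
#
# The checkbox fix, done from the shell: enable AES256 on the account
# Set-ADUser -Identity 'krbCentos' -KerberosEncryptionType AES256
```

The Kvno value matters more than it looks: the post's warning that a modified keytab stops working also applies when the account's password is reset after the keytab was created, because that increments msDS-KeyVersionNumber and the KDC starts issuing tickets under a key the file does not hold.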

If Kerberos is enabled at the web-application level, as when the web application uses Java's Spring Security, then you will likely need an additional keytab for each new SPN. The password of the AD account krbCentos is randomized.
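To see which SPNs, encryption types and kvno a keytab actually holds (and therefore whether one file can serve a given application), the file can be parsed directly. The following reader is an added example, not code from the original post; it implements the MIT keytab file format (version 0x0502, big-endian length-prefixed records) that ktpass writes, and the path in the usage line is a placeholder. It deliberately does not expose the key bytes, which are the long-term secret the post describes.

```powershell
# Added example, not from the original post: a reader for the MIT keytab format
# (version 0x0502) as written by ktpass. Path in the usage line is a placeholder.
$KeytabEncTypes = @{
    1 = 'des-cbc-crc'; 3 = 'des-cbc-md5'; 17 = 'aes128-cts-hmac-sha1-96'
    18 = 'aes256-cts-hmac-sha1-96'; 23 = 'arcfour-hmac (RC4-HMAC)'
}

# All integers in the format are big-endian; BinaryReader is little-endian, so decode by hand.
function Read-BE16([System.IO.BinaryReader] $r) { $b = $r.ReadBytes(2); [int](($b[0] -shl 8) -bor $b[1]) }
function Read-BE32([System.IO.BinaryReader] $r) { $b = $r.ReadBytes(4); [Array]::Reverse($b); [BitConverter]::ToInt32($b, 0) }
function Read-CountedString([System.IO.BinaryReader] $r) {
    $n = Read-BE16 $r
    [System.Text.Encoding]::UTF8.GetString($r.ReadBytes($n))
}

function Read-Keytab {
    param([Parameter(Mandatory)] [string] $Path)
    $r = [System.IO.BinaryReader]::new([System.IO.File]::OpenRead($Path))
    try {
        $hdr = $r.ReadBytes(2)
        if ($hdr.Length -ne 2 -or $hdr[0] -ne 5 -or $hdr[1] -ne 2) { throw "$Path is not a version 0x0502 keytab" }
        $s = $r.BaseStream
        while ($s.Position -lt $s.Length) {
            $size = Read-BE32 $r                    # record length; negative = deleted slot of that size
            if ($size -le 0) { $s.Seek(-$size, [System.IO.SeekOrigin]::Current) | Out-Null; continue }
            $end   = $s.Position + $size
            $ncomp = Read-BE16 $r
            $realm = Read-CountedString $r
            $comps = @(for ($i = 0; $i -lt $ncomp; $i++) { Read-CountedString $r })
            $null  = Read-BE32 $r                   # principal name type (KRB5_NT_*), not needed here
            $stamp = Read-BE32 $r                   # Unix time the entry was written
            $vno   = [int]$r.ReadByte()             # 8-bit key version number
            $etype = Read-BE16 $r
            $klen  = Read-BE16 $r
            $null  = $r.ReadBytes($klen)            # the long-term key itself: read past it, never print it
            if ($end - $s.Position -ge 4) {         # optional 32-bit kvno; non-zero value overrides the 8-bit one
                $vno32 = Read-BE32 $r
                if ($vno32 -ne 0) { $vno = $vno32 }
            }
            $s.Position = $end                      # tolerate any trailing bytes in the record
            $name = if ($KeytabEncTypes.ContainsKey($etype)) { $KeytabEncTypes[$etype] } else { "etype $etype" }
            [pscustomobject]@{
                Principal = ($comps -join '/') + '@' + $realm
                EncType   = $name
                Kvno      = $vno
                KeyBytes  = $klen
                Written   = [DateTimeOffset]::FromUnixTimeSeconds($stamp).UtcDateTime
            }
        }
    } finally { $r.Dispose() }
}

# usage (placeholder path): one row per principal/enctype the file can serve
# Read-Keytab -Path 'C:\temp\krbCentos.keytab' | Format-Table -AutoSize
```

Compare the Principal column with the SPNs your application requests and the Kvno column with the account's msDS-KeyVersionNumber; a mismatch in either is a keytab that needs regenerating, not editing.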

ktpass parameter reference (from the Windows ktpass documentation):

/out <file>
    Specifies the name of the Kerberos version 5 .keytab file to generate. Note: this is the file you transfer to the computer that is not running Windows and merge into, or replace, its existing keytab there.

/princ <principal>
    Specifies the principal name, in the form host/computer.contoso.com@CONTOSO.COM. Warning: this parameter is case-sensitive.

/mapuser <account>
    Maps the name of the Kerberos principal, which is specified by the /princ parameter, to the specified domain account.

/mapop {add|set}
    Specifies how the mapping attribute is set. add adds the value of the specified local user name; this is the default. set sets the value for DES-only encryption for the specified local user name.

/crypto {DES-CBC-CRC|DES-CBC-MD5|RC4-HMAC-NT|AES256-SHA1|AES128-SHA1|All}
    Specifies the keys generated in the keytab file. All states that all supported cryptographic types can be used. Important: Windows doesn't support DES by default.

/pass {password|*|{-|+}rndpass}
    Specifies a password for the principal user name that is specified by the /princ parameter. Use * to prompt for the password.

/iter <count>
    Specifies the iteration count that is used for AES encryption.
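Putting the parameters together, here is a wrapper that builds the ktpass command line so that the case-sensitive parts are right by construction and then checks that a keytab was actually written. It is an added example, not code from the original post or from the ktpass documentation; the host, domain, account and output path are placeholders, it assumes the RSAT ActiveDirectory module (for the domain's NetBIOS name) and ktpass.exe on the path, and it must be run by a user allowed to reset the service account's password.

```powershell
# Added example, not from the original post or the ktpass docs. Placeholder
# names throughout; assumes RSAT's ActiveDirectory module and ktpass.exe.
function New-ServiceKeytab {
    param(
        [Parameter(Mandatory)] [string] $ServiceHost,     # FQDN the SPN names, e.g. web01.corp.example.com
        [Parameter(Mandatory)] [string] $Domain,          # AD DNS domain, e.g. corp.example.com
        [Parameter(Mandatory)] [string] $SamAccountName,  # legacy (pre-Windows 2000) name, max 20 chars
        [Parameter(Mandatory)] [string] $OutFile,
        [string] $Service = 'HTTP',
        [ValidateSet('AES256-SHA1','AES128-SHA1','RC4-HMAC-NT','All')] [string] $Crypto = 'AES256-SHA1'
    )
    if ($SamAccountName.Length -gt 20) { throw "'$SamAccountName' exceeds the 20-character legacy name limit" }

    # /princ is case-sensitive: realm upper-case, host part as clients will request it.
    $principal = '{0}/{1}@{2}' -f $Service, $ServiceHost.ToLower(), $Domain.ToUpper()
    $netbios   = (Get-ADDomain -Identity $Domain).NetBIOSName

    $ktArgs = @(
        '/princ',   $principal,
        '/mapuser', "$netbios\$SamAccountName",  # ktpass rewrites this account's UPN to the SPN
        '/pass',    '+rndpass',                  # resets the account to a random password: nobody
                                                 # needs to know it, the keytab carries the key
        '/crypto',  $Crypto,
        '/ptype',   'KRB5_NT_PRINCIPAL',
        '/out',     $OutFile
    )
    Write-Host "ktpass $($ktArgs -join ' ')"
    & ktpass.exe @ktArgs | Write-Host
    if ($LASTEXITCODE -ne 0) {
        throw "ktpass exited with $LASTEXITCODE; no keytab written (account mapping may still have changed)"
    }
    # ktpass can print a mapping success and still leave no file behind when it
    # cannot reach a DC; treat "no file" as failure rather than trusting the output.
    if (-not (Test-Path -LiteralPath $OutFile) -or (Get-Item -LiteralPath $OutFile).Length -lt 10) {
        throw "ktpass returned 0 but '$OutFile' was not written; re-check the DC and DNS prerequisites"
    }
    Get-Item -LiteralPath $OutFile
}

# usage (placeholder names):
# New-ServiceKeytab -ServiceHost 'web01.corp.example.com' -Domain 'corp.example.com' `
#                   -SamAccountName 'krbCentos' -OutFile 'C:\temp\krbCentos.keytab'
```

Because +rndpass resets the account password, run this once per account and copy the resulting file to the service host over an authenticated channel; anyone holding the file holds the service's long-term key.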
