Kerberos - ktpass

1 - About

Configures the service principal name (SPN) for the host or service in Active Directory Domain Services (AD DS) and generates a .keytab file that contains the shared secret key of the service.

The ktpass command-line tool allows non-Windows services that support Kerberos authentication to use the interoperability features provided by the Kerberos Key Distribution Center (KDC) service.

3 - Example

  • Generate the keytab in the current working directory:
ktpass -out <file>.keytab -mapuser <username>@REALM-IN-CAPS -pass <password-of-user> -crypto all -ptype KRB5_NT_PRINCIPAL -princ <spn-of-user>@REALM-IN-CAPS
  • Because SetPass is on by default (see the usage output), -pass also sets the password of the account named by -mapuser; the keys written to the keytab are derived from that password.

4 - Usage

Command line options:

---------------------most useful args
[- /]          out : Keytab to produce
[- /]        princ : Principal name (user@REALM)
[- /]         pass : password to use
                     use '*' to prompt for password.
[- +]      rndPass : ... or use +rndPass to generate a random password
[- /]      minPass : minimum length for random password (def:15)
[- /]      maxPass : maximum length for random password (def:256)
---------------------less useful stuff
[- /]      mapuser : map princ (above) to this user account (default: don't)
[- /]        mapOp : how to set the mapping attribute (default: add it)
[- /]        mapOp :  is one of:
[- /]        mapOp :        add : add value (default)
[- /]        mapOp :        set : set value
[- +]      DesOnly : Set account for des-only encryption (default:don't)
[- /]           in : Keytab to read/digest
---------------------options for key generation
[- /]       crypto : Cryptosystem to use
[- /]       crypto :  is one of:
[- /]       crypto : DES-CBC-CRC : for compatibility
[- /]       crypto : DES-CBC-MD5 : for compatibility
[- /]       crypto : RC4-HMAC-NT : default 128-bit encryption
[- /]       crypto : AES256-SHA1 : AES256-CTS-HMAC-SHA1-96
[- /]       crypto : AES128-SHA1 : AES128-CTS-HMAC-SHA1-96
[- /]       crypto :        All : All supported types
[- /]    IterCount : Iteration Count used for AES encryption
                     Default: ignored for non-AES, 4096 for AES
[- /]        ptype : principal type in question
[- /]        ptype :  is one of:
[- /]        ptype : KRB5_NT_PRINCIPAL : The general ptype-- recommended
[- /]        ptype : KRB5_NT_SRV_INST : user service instance
[- /]        ptype : KRB5_NT_SRV_HST : host service instance
[- /]        ptype : KRB5_NT_SRV_XHST :
[- /]         kvno : Override Key Version Number
                     Default: query DC for kvno. Use /kvno 1 for Win2K compat.
[- +]       Answer : +Answer answers YES to prompts. -Answer answers NO.
[- /]       Target : Which DC to use. Default:detect
[- /]      RawSalt : raw salt to use when generating key (not needed)
[- +]     DumpSalt : show us the MIT salt being used to generate the key
[- +]       SetUpn : Set the UPN in addition to the SPN. Default DO.
[- +]      SetPass : Set the user's password if supplied.
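
After running the ktpass command above with -crypto all, the thing to verify is what actually landed in the .keytab: which principal, which encryption types, and which key version number (the kvno must match the account's current kvno on the DC, see the /kvno option). The script below is an added example, not part of this page and not part of ktpass; it parses the MIT keytab format (version 2, magic bytes 0x0502) that ktpass writes and flags entries that use the DES types listed above "for compatibility" and RC4-HMAC, both of which the IETF has deprecated (RFC 6649 and RFC 8429). The sample keytab bytes are constructed inline: the principal, realm, timestamp, kvno and key bytes are all made-up placeholders.

```python
"""Inspect a keytab written by ktpass.

Added example, not part of the original page nor of the ktpass tool.
Assumes the MIT keytab format, version 2 (magic 0x0502), which ktpass writes.
SAMPLE_KEYTAB is constructed inline; every value in it is a placeholder.
"""
import struct

# Kerberos enctype numbers as registered for RFC 3961/3962/4757.
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",  # ktpass calls this RC4-HMAC-NT
}
# DES (RFC 6649) and RC4 (RFC 8429) are deprecated; flag keys using them.
WEAK_ENCTYPES = {1, 3, 23}
# Principal name types, matching the /ptype values ktpass accepts.
NAME_TYPES = {1: "KRB5_NT_PRINCIPAL", 2: "KRB5_NT_SRV_INST",
              3: "KRB5_NT_SRV_HST", 4: "KRB5_NT_SRV_XHST"}

def _counted(data, off):
    """Read a 16-bit length-prefixed octet string; return (bytes, new offset)."""
    (n,) = struct.unpack_from(">H", data, off)
    off += 2
    return data[off:off + n], off + n

def parse_keytab(data):
    """Return one dict per keytab entry; the key bytes are deliberately not kept."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab (expected magic 0x0502)")
    off, entries = 2, []
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:            # negative size marks a deleted slot: skip it
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):  # in version 2 the count excludes the realm
            comp, off = _counted(data, off)
            comps.append(comp.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, keylen = struct.unpack_from(">HH", data, off)
        off += 4 + keylen       # skip over the key material itself
        kvno = vno8
        if end - off >= 4:      # optional 32-bit kvno follows the key
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:           # MIT convention: a non-zero 32-bit value wins
                kvno = vno32
        off = end
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "name_type": NAME_TYPES.get(name_type, str(name_type)),
            "timestamp": timestamp,
            "kvno": kvno,
            "enctype": enctype,
            "enctype_name": ENCTYPE_NAMES.get(enctype, f"enctype-{enctype}"),
            "key_len": keylen,
        })
    return entries

def audit_keytab(entries, expected_kvno=None):
    """List weak enctypes and, if expected_kvno is given, kvno mismatches."""
    findings = []
    for e in entries:
        if e["enctype"] in WEAK_ENCTYPES:
            findings.append(f"{e['principal']}: weak enctype {e['enctype_name']}")
        if expected_kvno is not None and e["kvno"] != expected_kvno:
            findings.append(f"{e['principal']}: kvno {e['kvno']} (expected {expected_kvno})")
    return findings

def _entry(principal, realm, kvno, enctype, key, name_type=1, timestamp=1532613120):
    """Serialise one version-2 keytab entry (used only to build the sample)."""
    comps = principal.split("/")
    body = struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample resembling a -crypto all keytab: AES256, AES128, RC4, DES.
SAMPLE_KEYTAB = b"\x05\x02" + b"".join([
    _entry("HTTP/web01.example.com", "EXAMPLE.COM", 3, 18, b"\x01" * 32),
    _entry("HTTP/web01.example.com", "EXAMPLE.COM", 3, 17, b"\x02" * 16),
    _entry("HTTP/web01.example.com", "EXAMPLE.COM", 3, 23, b"\x03" * 16),
    _entry("HTTP/web01.example.com", "EXAMPLE.COM", 3, 3, b"\x04" * 8),
])

if __name__ == "__main__":
    entries = parse_keytab(SAMPLE_KEYTAB)  # or parse_keytab(open(path, "rb").read())
    for e in entries:
        print(f"{e['principal']:40} kvno={e['kvno']} {e['enctype_name']} ({e['key_len']} bytes)")
    for finding in audit_keytab(entries, expected_kvno=3):
        print("WARN:", finding)
```

To check a real file, pass its bytes to parse_keytab and the kvno reported by the DC to audit_keytab; the parser records only the key length, never the key itself, so its output can be pasted into a ticket without leaking the service secret.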

5 - Installation

  • Not needed on Windows:
C:\Windows\System32\ktpass.exe
  • generally available on Linux

6 - Documentation / Reference

security/kerberos/ktpass.txt · Last modified: 2018/07/26 13:52 by gerardnico