Ktpass
Applies To: Windows Server 2008
Configures the server principal name for the host or service in Active Directory Domain Services (AD DS) and generates a .keytab file containing the shared secret key of the service. The .keytab file is based on the Massachusetts Institute of Technology (MIT) implementation of the Kerberos authentication protocol. The Ktpass command-line tool allows UNIX-based services that support Kerberos authentication to use the interoperability features provided by the Kerberos Key Distribution Center (KDC) service in Windows Server 2008 R2.
For examples of how this command can be used, see Examples.
Syntax
ktpass
Parameters
- /out <FileName>: Specifies the name of the Kerberos version 5 .keytab file to generate.
- /princ <PrincipalName>: Specifies the principal name in the form user@REALM.
- /mapuser <UserAccount>: Maps the name of the Kerberos principal specified by the princ parameter to the specified local user name. By default, Kerberos principals are not mapped to local user names.
- /mapop {add|set}: Specifies how the mapping attribute is set.
- {-|+}desonly: DES-only encryption is set by default.
- /in <FileName>: Specifies the .keytab file from the UNIX host to read.
- /pass {Password|*|{-|+}rndpass}: Specifies a password for the principal user name specified in the princ parameter. Use "*" to prompt for a password.
- /minpass: Sets the minimum length of the random password to 15 characters.
- /maxpass: Sets the maximum length of the random password to 256 characters.
- /crypto {DES-CBC-CRC|DES-CBC-MD5|RC4-HMAC-NT|AES256-SHA1|AES128-SHA1|All}: Sets the encryption type to use.
- /itercount: Specifies the iteration count that is used for AES encryption. The default is that itercount is ignored for non-AES encryption and set at 4,096 for AES encryption.
- /ptype {KRB5_NT_PRINCIPAL|KRB5_NT_SRV_INST|KRB5_NT_SRV_HST}: Specifies the principal type.
- /kvno <KeyVersionNum>: Specifies the key version number. The default value is 1.
- /answer {-|+}: Sets the background answer mode: "-" answers reset password prompts automatically with NO; "+" answers reset password prompts automatically with YES.
- /target: Sets which domain controller to use. The default is for the domain controller to be detected based on the principal name. If the domain controller name does not resolve, a dialog box will prompt for a valid domain controller.
- /rawsalt: Forces Ktpass to use the rawsalt algorithm when generating the key. This parameter is not needed.
- {-|+}dumpsalt: Shows in the output the MIT salt algorithm being used to generate the key.
- {-|+}setupn: Sets the user principal name (UPN) in addition to the service principal name (SPN). The default is to set both in the .keytab file.
- {-|+}setpass <Password>: Sets the user's password when supplied. If rndpass is used, a random password is generated instead.
- /?|/h|/help: Displays command-line help for Ktpass.
Remarks
Services running on UNIX systems can be configured with service instance accounts in AD DS. This allows full interoperability. MIT Kerberos clients and servers on UNIX systems can authenticate by using the Windows Server 2008 R2–based Kerberos server, and clients connected to servers running Windows Server 2008 R2 can authenticate to Kerberos services that support the Generic Security Service application programming interface (GSS-API).
Unlike Kerberos principal names, account names in Windows Server 2008 and Windows Server 2008 R2 do not have multiple parts. For this reason, it is not possible to directly create an account from the name Sample/Unix1.example.com. Such a principal instance is created by using the SPN mappings.
To generate a UNIX host .keytab file, use the following steps to map the principal to the account and set the host principal password:
- Use the Active Directory Users and Computers snap-in to create a user account for the UNIX service. For example, create an account with the name SampleUnix1.
- Use Ktpass to set up an identity mapping for the user account by typing the following at a command line:

    ktpass /princ <ServiceInstance@REALM> /mapuser <AccountName> /pass <Password> /out <Unixmachine.keytab>

    Note: Replace ServiceInstance@REALM, AccountName, Password, and Unixmachine.keytab with actual values. You cannot map multiple service instances to the same user account.
- Merge the .keytab file with the /etc/krb5.keytab file on the UNIX host as shown in the following example.
Examples
The following example illustrates how to create a Kerberos .keytab file, Unixmachine.keytab, in the current directory for the user someone. (You will merge this file with the krb5.keytab file on the UNIX host.) The Kerberos .keytab file will be created for AES256-CTS-HMAC-SHA1-96 encryption (as an example of the cryptographic support on the UNIX host) for the general principal type. A random password will be generated without minimum or maximum character length stipulated, and the "reset password prompt" will be (by default) automatically answered with a YES. Because the target domain controller is not specified, the tool detects the one matching the domain and reports the target used.
<drive:\> ktpass /out Unixmachine.keytab /mapuser someone@example.com /princ someone/techgroup.example.com@example.com
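Before merging the generated file into the host keytab, it helps to confirm which principal, key version number and encryption type each entry actually carries, since the /crypto choices listed under Parameters include DES and RC4 key types. The following Python parser for the MIT keytab file format (version 0x0502) is an added example, not part of the original documentation; the function names, the weak-type policy and the sample bytes (dummy all-zero keys) are constructed for illustration.

```python
import struct
# Kerberos enctype numbers for the /crypto choices in the parameter list.
ETYPES = {1: "DES-CBC-CRC", 3: "DES-CBC-MD5", 17: "AES128-SHA1",
          18: "AES256-SHA1", 23: "RC4-HMAC-NT"}
WEAK = {1, 3, 23}  # assumption: local policy rejects DES and RC4 keys

def parse_entry(rec):
    off = 2                            # bytes 0-1 hold the name component count
    def counted():                     # 16-bit length, then that many bytes
        nonlocal off
        (n,) = struct.unpack_from(">H", rec, off)
        if off + 2 + n > len(rec):
            raise ValueError("truncated keytab entry")
        off += 2 + n
        return rec[off - n:off]
    (ncomp,) = struct.unpack_from(">H", rec, 0)
    realm = counted().decode()
    name = "/".join(counted().decode() for _ in range(ncomp))
    _ntype, _time, kvno, etype = struct.unpack_from(">IIBH", rec, off)
    off += 11
    keylen = len(counted())            # skip the key; its bytes are never returned
    if len(rec) - off >= 4:            # optional 32-bit kvno replaces the 8-bit one
        kvno = struct.unpack_from(">I", rec, off)[0] or kvno
    return {"principal": f"{name}@{realm}", "kvno": kvno, "keylen": keylen,
            "etype": ETYPES.get(etype, f"etype-{etype}"), "weak": etype in WEAK}

def parse_keytab(data):
    """Return one summary dict per key entry in an MIT keytab (format 0x0502)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size > 0:                   # a negative length marks a deleted slot
            entries.append(parse_entry(data[pos:pos + size]))
        pos += abs(size)
    return entries

def build_entry(realm, comps, kvno, etype, key):   # builds the constructed sample
    s = lambda b: struct.pack(">H", len(b)) + b
    body = struct.pack(">H", len(comps)) + b"".join(map(s, [realm, *comps]))
    body += struct.pack(">IIBH", 1, 0, kvno & 0xFF, etype) + s(key) + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample: the page's example principal with dummy all-zero keys.
NAME = [b"someone", b"techgroup.example.com"]
SAMPLE = (b"\x05\x02" + build_entry(b"example.com", NAME, 3, 18, bytes(32))
          + build_entry(b"example.com", NAME, 3, 23, bytes(16)))
```

To check a real file, pass its bytes to `parse_keytab` (for example `parse_keytab(open("Unixmachine.keytab", "rb").read())`) and inspect the `etype`, `kvno` and `weak` fields of each entry before merging.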