Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Win2k3 SP1 ktpass problem.

31 views
Skip to first unread message

Srinivas Cheruku

unread,
Sep 8, 2005, 3:21:02 AM9/8/05
to
Hi,

I am using Win2k3 as my KDC.

I was using the keytab extracted from Win2k3 ktpass
and it was working fine with my GSS applications. I
have upgraded to Win2k3 SP1 and now when i use ktpass
of Win2k3 SP1 to extract the keytab and use it with my
GSS application, i am getting error on the GSS server
while accepting the context as "Decrypt integrity
check failed".

Can anyone encountered this problem with the keytab
created with win2k3 sp1 ktpass?
Can anyone help me to fix this issue?

Thanks and Regards,
Srini




______________________________________________________
Click here to donate to the Hurricane Katrina relief effort.
http://store.yahoo.com/redcross-donate3/
________________________________________________
Kerberos mailing list Kerb...@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

Jeffrey Altman

unread,
Sep 8, 2005, 5:38:25 PM9/8/05
to
Are you specifying the correct kvno and are you extracting
the correct enctype? 2K3 SP1 supports the export of RC4-HMAC
keys and that might be the new default.

Jeffrey Altman

--
-----------------
This e-mail account is not read on a regular basis.
Please send private responses to jaltman at mit dot edu

Markus Moeller

unread,
Sep 8, 2005, 6:03:45 PM9/8/05
to
Did you map your principal to a user or computer account ? If I remember
right some salt calculation changed for DES keys if assigned to a computer
account. So an old keytab may not work.

Markus

"Srinivas Cheruku" <srinivas...@yahoo.com> wrote in message
news:200509080721...@web31903.mail.mud.yahoo.com...

Srini

unread,
Sep 9, 2005, 12:59:40 AM9/9/05
to
Hi,

I have used the below command to extract the keytab. You can see that i
have specified the enctype correctly. Please let me know whether i need
to specify any other option to ktpass.

ktpass -mapuser us...@xxx.com -princ test/host.x...@XXX.COM +DesOnly
-pass helloworld -ptype KRB5_NT_PRINCIPAL -crypto DES-CBC-MD5 -out
"c:\krb5.keytab"

I am using the user account and not the computer account.

Thanks,
Srini

Jeffrey Altman

unread,
Sep 9, 2005, 7:29:58 AM9/9/05
to
Is the correct kvno value being written to the keytab entry?

Use the KFW kvno.exe <service-principal> command to find out what
kvno the service principal is using. Then include that value in
the ktpass.exe command line with the -kvno <kvno> command line
option.

Jeffrey Altman

Srini

unread,
Sep 13, 2005, 2:19:11 AM9/13/05
to
Hi,
I have mapped the principal to user account.
Did the salt calculation for DES keys for user account changed from
Win2k3 to Win2k3 SP1?
Can you please let me know or guide me to a link where i can find the
exact salt changes done for DES keys in case of a computer account?

Can anyone tell me the changes done to Win2k3 SP1 ktpass when compared
to Win2k3 ktpass while extracting the keytab, since the keytab
extracted from Win2k3 ktpass is working but the one with Win2k3 SP1
ktpass doesn't?

Thanks,
Srini

Markus Moeller

unread,
Sep 13, 2005, 4:47:48 PM9/13/05
to
Srini,

capture the traffic on port 88 with ethereal and look at the kdc error
reply. If it is a salt issue it will tell you. The other ktpass option you
might want to try is /ptype KRB5_NT_SRV_HST

Regards
Markus


"Srini" <Srinivas...@gmail.com> wrote in message
news:1126592351.8...@f14g2000cwb.googlegroups.com...

Pitrich, Karl

unread,
Sep 20, 2005, 10:05:23 AM9/20/05
to
Hi,

here's my (random) notes and how i do windows/MIT key exchange
successfully:


with recent versions of MIT Kerberos it is not neccessary to specify any
special enc-type as it supports MD4 (which is windows default now)
i'm also not specifying the ptype flag to ktpass.

the principal you specify at the ktpass commandline will be added and/or
overwritten in AD.

as username to ktpass, use the login name only from AD.

match the case of username and realm exactly.

with adsi-edit you can then verify the servicePrincipalName or
userPrincipalName that will be added after invoking ktpass.

using ktpass, the AD User will be automagically flagged as DES Only.


import the keys on linux and verify using:
kinit –k –t /path/to/winkrb5.keytab <name>/<fqdn>@<REALM>
this should issue a ticket without entering a password.


i have encountered some troubles with the ticket serial number, to avoid
them, always change the password of the AD User prior exporting with
ktpass, this ensures a current ticket.

furthermore, ensure that the ktpass utility comes from a resource kit
from the same version as the windows OS itself AND also the same
locale.

HTH,

/ karl

signature.asc

Srinivas Cheruku

unread,
Sep 21, 2005, 7:37:49 AM9/21/05
to
Hi Karl,

Thanks for the information you shared with me.

I have created two user accounts.
Then i have run the ktpass command as show below with appropriate params
for the two new user accounts created
ktpass -mapuser us...@xxx.com -princ sp1acc/host.x...@XXX.COM +DesOnly


-pass helloworld -ptype KRB5_NT_PRINCIPAL -crypto DES-CBC-MD5 -out
"c:\krb5.keytab"

Now, i have two keys in the /etc/krb5.keytab
1. sp1acc/host.x...@XXX.COM - Keytab extracted with Win2k3 SP1 ktpass
2. nosp1acc/host.x...@XXX.COM - Keytab extracted with Win2k3 ktpass

Please find below the results from kinit

bash-2.03$ ./kinit -k -t /etc/krb5.keytab sp1acc/host.x...@XXX.COM
kinit(v5): Preauthentication failed while getting initial credentials
bash-2.03$


bash-2.03$ ./kinit -k -t /etc/krb5.keytab nosp1acc/host.x...@XXX.COM
bash-2.03$ ./klist
Ticket cache: FILE:/tmp/krb5cc_4001
Default principal: nosp1acc/host.x...@XXX.COM

Valid starting Expires Service principal
09/21/05 10:16:55 09/22/05 06:19:16 krbtgt/XXX...@XXX.COM
renew until 09/22/05 10:16:55


Kerberos 4 ticket cache: /tmp/tkt4001
klist: You have no tickets cached
bash-2.03$


As shown above, I am getting error Preauthentication failed when i try
to kinit for sp1acc/host.x...@XXX.COM, which was extracted using
Win2K3 SP1 ktpass.

Then, i have created an user account and changed password, before
running Win2k3 SP1 ktpass on that account. Now when i do a kinit on this
service principal, i am issued a TGT without Preauthentication failed
error.

Can anyone confirm that while using Win2k3 SP1 ktpass, the user account
password should be changed before running ktpass?
Also, i would appreciate if someone can confirm that this is the bug
with Win2k3 SP1 ktpass which needs changing password before running ktpass.

Thanks,
Srini

Pitrich, Karl wrote:

>>------------------------------------------------------------------------

Srinivas Cheruku

unread,
Sep 22, 2005, 1:55:13 AM9/22/05
to
Hi Jeffrey Altman,

As you have told i have checked the kvno.

kvno in keytab = 2
kvno in service ticket = 2
There is no difference with the kvno in keytab as well as in the service
ticket.

Before extracting the keytab using Win2k3 SP1 ktpass, i reset the
password of that user account then extract keytab using ktpass. This
keytab is working fine without any errors.

Can you please let me know whether we need to always reset the password
before running Win2k3 SP1 ktpass?
Is this a bug in MS Win2k3 SP1 ktpass?
Did you observe the same behaviour with the keytab extracted with Win2k3
SP1 ktpass?

Thanks,
Srini

Jeffrey Altman wrote:
> Is the correct kvno value being written to the keytab entry?
>
> Use the KFW kvno.exe <service-principal> command to find out what
> kvno the service principal is using. Then include that value in
> the ktpass.exe command line with the -kvno <kvno> command line
> option.
>
> Jeffrey Altman
>
>

0 new messages