Questions around generating a keytab file


Kurt Buff

Dec 1, 2021, 4:20:31 PM12/1/21
to ntsys...@googlegroups.com
We're implementing Check Point Harmony (their endpoint protection and
VPN client), and want to use their strong authentication, which uses
Kerberos. We need to generate a keytab file, which we've done, but
it's not working.

Our DCs are 2012R2, with one 2019 machine.

Generating the keytab file seems to have worked.
C:\Windows\System32>ktpass princ HTTP/examp...@EXAMPLE.COM
mapuser checkpoin...@EXAMPLE.COM pass " YEAHRIGHT " -ptype
KRB5_NT_PRINCIPAL out harmony.keytab
Targeting domain controller: DC2.example.com
Successfully mapped HTTP/example.com to checkpoint.harmony.
Password successfully set!
Key created.
Output keytab to harmony.keytab:
Keytab version: 0x502
keysize 57 HTTP/examp...@EXAMPLE.COM ptype 1
(KRB5_NT_PRINCIPAL) vno 10 etype 0x17 (RC4-HMAC) keylength 16
(0x41b5d672b32a34d8800900ee66c42e5d)

However, we're getting these two errors repeating in the client logs
while testing the configuration:

2021-11-30 15:10:22.853 t:7388 KERBEROS_C [error]
[KERBEROS_CLIENT(KerberosLogger_Critical)] : GSS-API error
initializing security context: Miscellaneous failure []

2021-11-30 15:10:22.853 t:7388 KERBEROS_C [error]
[KERBEROS_CLIENT(KerberosLogger_Critical)] : GSS-API error
initializing security context: The encryption type requested is not
supported by the KDC.

We're requesting the logs from the cloud service from Check Point, but
haven't received them yet.

On all of the DCs, I've checked
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\SupportedEncryptionTypes,
and on the 2012R2 boxes the value is 0x7ffffffc, but on the 2019 box
the Kerberos key is missing.

The Harmony client is currently configured to use RC4-HMAC. However,
one of our GPOs for our workstations disables RC4_HMAC_MD5. The Harmony
client does support AES128-CTS, AES128-CTS-HMAC-SHA1-96, AES256-CTS
and AES256-CTS-HMAC-SHA1-96. We're working through generating
different installs using the various ciphers, with little success -
but we haven't finished with all of them.

We've reviewed these articles, but can't seem to find further answers,
even with more STFW.
https://docs.microsoft.com/en-us/answers/questions/305816/error-when-trying-to-generate-kerberos-keytab-file.html
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/ktpass
https://docs.microsoft.com/en-us/troubleshoot/windows-server/windows-security/kerberos-protocol-registry-kdc-configuration-keys

Check Point support hasn't been super helpful. Can anyone

If anyone can point me in the direction of troubleshooting docs for
KRB on Windows, that would be great. At this point I'm considering
breaking out wireshark to examine traffic.

Thanks,
Kurt
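The "encryption type requested is not supported by the KDC" error above is what you get when the key stored in the keytab (here etype 0x17, RC4-HMAC, per the ktpass output) is a type the clients or KDC no longer permit. The following is an added example, not from the thread or from Check Point, that parses a version 0x502 keytab per the MIT keytab file format and flags entries whose etype is outside an allowed set; the sample keytab bytes are constructed inline to mirror the entry ktpass printed, with a dummy all-zero key.

```python
import struct

def _counted(buf, pos):
    (n,) = struct.unpack_from(">H", buf, pos)      # uint16 length + bytes
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(data):
    """Parse a version 0x0502 keytab (the format ktpass writes) into entry dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:            # negative size = deleted slot, skip its bytes
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted(data, pos)
            comps.append(comp.decode())
        name_type, ts, vno8 = struct.unpack_from(">IIB", data, pos)
        etype, klen = struct.unpack_from(">HH", data, pos + 9)
        pos += 13 + klen         # skip the key bytes; only metadata is reported
        kvno = vno8
        if end - pos >= 4:       # optional 32-bit kvno overrides the 8-bit field
            (kvno,) = struct.unpack_from(">I", data, pos)
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "name_type": name_type, "kvno": kvno, "etype": etype, "keylength": klen})
    return entries

def unsupported_entries(entries, allowed={17, 18}):
    # Default: AES128/AES256-CTS-HMAC-SHA1-96 only, i.e. a policy that disables RC4 (23)
    return [e for e in entries if e["etype"] not in allowed]

def build_entry(realm, comps, etype, key, kvno, name_type=1, ts=0):
    # Constructed test data: encode one keytab entry the way the format expects
    body = struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIBHH", name_type, ts, kvno & 0xFF, etype, len(key)) + key
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample mirroring the ktpass output in the post: HTTP/example.com, kvno 10, etype 0x17
SAMPLE_KEYTAB = b"\x05\x02" + build_entry("EXAMPLE.COM", ["HTTP", "example.com"], 0x17, bytes(16), 10)
```

Running `parse_keytab` over the real harmony.keytab and comparing the etypes it reports against what the workstation GPO and the service account's msDS-SupportedEncryptionTypes allow shows the mismatch without needing a packet capture.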

Michael B. Smith

Dec 1, 2021, 5:12:03 PM12/1/21
to ntsys...@googlegroups.com

I went gray working through this about 5 years ago.

Here were my notes from a working configuration:

OK, I executed the following commands:

setspn -S HTTP/ssost...@REALM.CONTOSO.COM casuser.kauth2

setspn -S HTTP/ssostaging.rea...@REALM.CONTOSO.COM casuser.kauth2

ktpass.exe /out casuser.kauth2.keytab /princ HTTP/ssostaging.rea...@REALM.CONTOSO.COM /mapuser casuser.kauth2 /pass "6Sw]kZ~+eruFbmy" /ptype KRB5_NT_PRINCIPAL /crypto AES256-SHA1 /kvno 0 /target dc4.realm.contoso.com

After you update your “stuff” your kinit should look like this:

kinit -k -t casuser.kauth2.keytab HTTP/ssostaging.rea...@REALM.CONTOSO.COM "6Sw]kZ~+eruFbmy"


Kurt Buff

Dec 1, 2021, 5:50:35 PM12/1/21
to ntsys...@googlegroups.com
Thanks for this. If we have further problems I'll use your example as a tutorial.

Questions regarding the keytab file:
     - We generated it on one of the DCs, and it landed in C:\Windows\System32. Do we place that file on all of the DCs? If yes, that seems like a fairly manual process. I'll have to remember to update the DCs when I replace the 2012R2 box.
     - Also, do you know what happens if the keytab file is deleted?

Are there any more comprehensive docs for KRB in general?

Regardless, I think I solved my problem:

image.png
Michael B. Smith

Dec 1, 2021, 5:59:29 PM12/1/21
to ntsys...@googlegroups.com

Yes, the keytab needs to go on all DCs. It is a manual process (this is why you use AD and not MIT Kerberos)!

If the keytab gets deleted then you can’t open new authenticated connections.

I used the MIT Kerberos documents extensively and the Java GSSAPI/spnego documents.

Kurt Buff

Dec 1, 2021, 6:23:18 PM12/1/21
to ntsys...@googlegroups.com
Thank you for those answers. It never stops - the firehose of IT reading just never stops.

Kurt
