Tickets created using the ktpass commands are not displayed

    Question

  • Hi,

    To test single sign-on using various encryption methods, we have created various keytab files using the ktpass command.

    The ktpass command is executed for the same user [Test1] and different encryption types [RC4-HMAC, AES128-CTS], and multiple keytab files are created.

    C:\Users\Administrator>ktpass -princ host/<hostname>@<active directory domain> -mapuser <domain name>\TestU1 -pass * -crypto AES128-SHA1 -ptype KRB5_NT_PRINCIPAL -out C:\KeyTab\TestAES128.keytab

    and log in to the Windows client (Windows 8.1 machine) with the domain user TestU1.

    But in the Kerberos ticket manager, tickets are not displayed.

    Please suggest what else needs to be done so that the tickets will be displayed in the ticket manager.

    Thank You


    Monday, December 12, 2016 3:12 PM

Answers

  • In order to see Kerberos tickets held by the currently logged-in user, you must run the following command as the user in a non-elevated command prompt:

    klist tickets

    Just as an FYI, this is referred to as the "Kerberos credentials cache", not the "Kerberos ticket manager". In the Kerberos cache, you will see Kerberos TGT(s) and any Kerberos ST(s) which were received while accessing AD domain resources. If you only logged onto the computer locally and not into the AD domain, then you will not see any tickets in the cache. The number will show 0. Being in possession of a keytab is irrelevant to this conversation. It will not give you any tickets unless you actively used it to pull a Kerberos ticket by invoking the "kinit" command, and I see nowhere written in your post that you've done so. Also, the "ktpass" command does not pull any Kerberos tickets - that only creates a keytab. Finally, you must have a C:\Windows\krb5.ini file present and properly filled out and formatted if you want to use the keytab to manually pull a Kerberos ticket.


    Best Regards, Todd Heron | Active Directory Consultant

    • Marked as answer by Programmer1982 Wednesday, December 21, 2016 12:35 PM
    Saturday, December 17, 2016 11:57 AM
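    The check described in the answer (run klist tickets as the logged-on user and inspect the credential cache) can be scripted. The following Python program is an added example and not code from this thread; it parses the text that the Windows klist tool prints, reports whether a TGT (a krbtgt/ service ticket) is present, lists the realms seen, and flags tickets still protected with RC4 or DES so an administrator can see which encryption types are actually in use after changing the keytab. The sample output embedded in the script is constructed to follow the klist layout; EXAMPLE.COM, dc1.example.com and client1.example.com are placeholders.

```python
"""Summarize a Windows `klist tickets` credential cache dump (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample of what `klist tickets` prints for a domain user holding a
# TGT and one host service ticket. Realm and host names are placeholders.
SAMPLE_KLIST = """\
Current LogonId is 0:0x3e7

Cached Tickets: (2)

#0>     Client: TestU1 @ EXAMPLE.COM
        Server: krbtgt/EXAMPLE.COM @ EXAMPLE.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 12/17/2016 11:00:00 (local)
        End Time:   12/17/2016 21:00:00 (local)
        Renew Time: 12/24/2016 11:00:00 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called: dc1.example.com

#1>     Client: TestU1 @ EXAMPLE.COM
        Server: host/client1.example.com @ EXAMPLE.COM
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
        Start Time: 12/17/2016 11:05:00 (local)
        End Time:   12/17/2016 21:00:00 (local)
        Renew Time: 12/24/2016 11:00:00 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
        Cache Flags: 0
        Kdc Called: dc1.example.com
"""

WEAK_ENCTYPES = ("RC4", "DES")          # substrings that mark a legacy cipher

TICKET_HEADER = re.compile(r"^#(\d+)>\s+(.*)$")          # "#0>     Client: ..."
FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*)$")        # "Key: value" lines


@dataclass
class Ticket:
    client: str
    server: str
    enctype: str
    session_key_type: str
    flags: List[str] = field(default_factory=list)

    def is_tgt(self) -> bool:
        return self.server.lower().startswith("krbtgt/")

    def realm(self) -> str:
        return self.server.rsplit("@", 1)[1].strip() if "@" in self.server else ""

    def is_weak(self) -> bool:
        return any(w in self.enctype.upper() for w in WEAK_ENCTYPES)


def parse_klist(text: str) -> Tuple[Optional[int], List[Ticket]]:
    """Return (count reported by klist, list of parsed tickets)."""
    reported: Optional[int] = None
    raw: List[Dict[str, object]] = []
    current: Optional[Dict[str, object]] = None
    for line in text.splitlines():
        m = re.match(r"Cached Tickets:\s*\((\d+)\)", line.strip())
        if m:
            reported = int(m.group(1))
            continue
        m = TICKET_HEADER.match(line)
        if m:                       # header line also carries the Client field
            current = {}
            raw.append(current)
            line = m.group(2)
        if current is None:
            continue                # preamble such as "Current LogonId is ..."
        if line.strip().startswith("Ticket Flags"):   # no colon on this line
            current["Ticket Flags"] = line.partition("->")[2].split()
            continue
        m = FIELD.match(line)
        if m:
            current[m.group(1).strip()] = m.group(2).strip()
    tickets = [Ticket(str(d.get("Client", "")), str(d.get("Server", "")),
                      str(d.get("KerbTicket Encryption Type", "")),
                      str(d.get("Session Key Type", "")),
                      list(d.get("Ticket Flags", []))) for d in raw]
    return reported, tickets


def summarize_klist(text: str) -> Dict[str, object]:
    """Facts an administrator wants from the cache dump."""
    reported, tickets = parse_klist(text)
    return {
        "reported": reported,
        "parsed": len(tickets),
        "has_tgt": any(t.is_tgt() for t in tickets),
        "realms": sorted({t.realm() for t in tickets if t.realm()}),
        "weak": [t.server for t in tickets if t.is_weak()],
    }


if __name__ == "__main__":
    s = summarize_klist(SAMPLE_KLIST)
    if s["parsed"] == 0:
        print("Cache is empty: no domain logon or no kinit has been performed.")
    print(s)
```

    On a real machine, pipe the live output in (for example `klist tickets > cache.txt` and read that file) instead of SAMPLE_KLIST; an empty cache shows up as "reported": 0, which is exactly the situation the answer describes for a local logon or a keytab that was never used with kinit.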

All replies

  • Hi,

    C:\Users\Administrator>ktpass -princ host/<hostname>@<active directory domain> -mapuser <domain name>\TestU1 -pass * -crypto AES128-SHA1 -ptype KRB5_NT_PRINCIPAL -out C:\KeyTab\TestAES128.keytab

    and log in to the Windows client (Windows 8.1 machine) with the domain user TestU1.

    But in the Kerberos ticket manager, tickets are not displayed.

    >>>First, I suggest you try to run this with -crypto all to check.

    Example as below.

    ktpass /princ host/Sample1.contoso.com@CONTOSO.COM /mapuser Sample1 /pass MyPas$w0rd /out Sample1.keytab /crypto all /ptype KRB5_NT_PRINCIPAL /mapop set

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, December 15, 2016 5:53 AM
    Moderator
  • Thanks for your response.

    The ktpass command is executed for the user [Test1] and the keytab file is created.

    C:\Users\Administrator>ktpass -princ host/<hostname>@<active directory domain> -mapuser <domain name>\TestU1 -pass * -crypto all -ptype KRB5_NT_PRINCIPAL -out C:\KeyTab\TestAES128.keytab

    and log in to the Windows client (Windows 8.1 machine) with the domain user TestU1.

    But in the Kerberos ticket manager, tickets are not displayed.

    Thank You

    Friday, December 16, 2016 12:25 PM
  • Thank you very much for your response.

    Please suggest the location from where I can get a sample krb5.ini file.

    And on which machine will krb5.ini be created and the kinit command executed, i.e. the Windows server machine [where the AD DC is configured] or the Windows client machine?

    I have created a krb5.ini file on a Windows Server 2012 machine (*1) at location C:\windows\krb5.ini, but while trying to execute the kinit command as the Administrator user, the below error occurred:

    Exception: krb_error 0 Could not load configuration file c:\winnt\krb5.ini (The system cannot find the path specified) No error
    KrbException: Could not load configuration file c:\winnt\krb5.ini (The system cannot find the path specified)
            at sun.security.krb5.Config.<init>(Config.java:143)
            at sun.security.krb5.Config.getInstance(Config.java:75)
            at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:137)
            at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:106)
    Caused by: java.io.FileNotFoundException: c:\winnt\krb5.ini (The system cannot find the path specified)

    (*1) krb5.ini is as follows:

    [libdefaults]
        default_realm = domain name
        dns_lookup_kdc = true
        dns_lookup_realm = true
        default_keytab_name = FILE:<keytab file location>
        default_tkt_enctypes = rc4-hmac
        default_tgs_enctypes = rc4-hmac
    [realms]
        domain name = {
            kdc = machine name.domain name
            default_domain = domain name
        }

    Please help.

    Thank You



    Tuesday, December 20, 2016 8:50 AM
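    The stack trace above comes from Java's kinit, which failed before it ever read the file, so the content of the posted krb5.ini was never validated. The Python script below is an added example, not code from the thread or from any Kerberos distribution: it parses the krb5.ini/krb5.conf format (sections in brackets, `key = value` relations, and brace-delimited sub-blocks such as the [realms] entry, which a plain INI parser cannot handle) and then applies the checks one would make on a file like the posted one: unfilled `<placeholder>` values, a default_realm with no matching [realms] entry when DNS lookup is off, a realm that is not written in upper case, and the rc4-hmac enctypes the posted file pins. The two embedded configs are constructed; EXAMPLE.COM, dc1.example.com and the keytab path are placeholders.

```python
"""Parse and sanity-check a krb5.ini / krb5.conf file (added example)."""
from typing import Dict, Iterator, List, Tuple, Union

Section = Dict[str, Union[str, "Section"]]

# Constructed sample following the posted layout, with the placeholders filled
# in and the same rc4-hmac enctype pins.
SAMPLE_RC4 = r"""
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_kdc = true
    dns_lookup_realm = true
    default_keytab_name = FILE:C:\KeyTab\TestAES128.keytab
    default_tkt_enctypes = rc4-hmac
    default_tgs_enctypes = rc4-hmac
[realms]
    EXAMPLE.COM = {
        kdc = dc1.example.com
        default_domain = example.com
    }
"""

# Constructed sample with typical copy-paste mistakes: lower-case realm, a
# placeholder left in, and no way to find a KDC for the configured realm.
SAMPLE_BAD = """
[libdefaults]
    default_realm = example.com
    dns_lookup_kdc = false
[realms]
    EXAMPLE.COM = {
        kdc = <machine name>.example.com
    }
"""

WEAK_ENCTYPES = {"rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5",
                 "des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1"}


def parse_krb5(text: str) -> Dict[str, Section]:
    """krb5.conf grammar: [section], 'key = value', 'key = {' ... '}' blocks."""
    config: Dict[str, Section] = {}
    section: Section = {}
    in_section = False
    stack: List[Section] = []          # open '{' blocks, innermost last
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            if stack:
                raise ValueError(f"unclosed '{{' before section {line}")
            section = config.setdefault(line[1:-1].strip(), {})
            in_section = True
            continue
        if not in_section:
            raise ValueError(f"relation outside any section: {line!r}")
        if line == "}":
            if not stack:
                raise ValueError("unmatched '}'")
            stack.pop()
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"not a relation: {line!r}")
        target = stack[-1] if stack else section
        if value.strip() == "{":
            sub: Section = {}
            target[key.strip()] = sub
            stack.append(sub)
        else:
            target[key.strip()] = value.strip()
    if stack:
        raise ValueError("unclosed '{' at end of file")
    return config


def _flatten(body: Section, prefix: str = "") -> Iterator[Tuple[str, str]]:
    for k, v in body.items():
        path = f"{prefix}{k}"
        if isinstance(v, dict):
            yield from _flatten(v, path + "/")
        else:
            yield path, v


def check_krb5(config: Dict[str, Section]) -> List[str]:
    """Return a list of human-readable problems; empty means nothing flagged."""
    problems: List[str] = []
    lib = config.get("libdefaults", {})
    realms = config.get("realms", {})
    for sect, body in config.items():               # leftover <placeholders>
        for path, v in _flatten(body):
            if "<" in v or ">" in v:
                problems.append(f"[{sect}] {path}: placeholder value {v!r} was never filled in")
    realm = lib.get("default_realm")
    if not isinstance(realm, str):
        problems.append("[libdefaults] default_realm is missing")
        return problems
    if realm != realm.upper():
        problems.append(f"default_realm {realm!r} is not upper-case; realm names are "
                        "case-sensitive and an AD realm is the upper-case DNS domain")
    dns = str(lib.get("dns_lookup_kdc", "false")).lower() in ("true", "yes", "1")
    entry = realms.get(realm)
    if entry is None and not dns:
        problems.append(f"no [realms] entry for {realm!r} and dns_lookup_kdc is off: no KDC can be located")
    elif isinstance(entry, dict) and "kdc" not in entry and not dns:
        problems.append(f"[realms] {realm}: no kdc line and dns_lookup_kdc is off")
    for key in ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"):
        if key in lib:
            weak = sorted(e for e in str(lib[key]).replace(",", " ").split() if e.lower() in WEAK_ENCTYPES)
            if weak:
                problems.append(f"[libdefaults] {key} allows weak enctype(s): {', '.join(weak)}")
    return problems


if __name__ == "__main__":
    for name, text in (("SAMPLE_RC4", SAMPLE_RC4), ("SAMPLE_BAD", SAMPLE_BAD)):
        print(name, check_krb5(parse_krb5(text)) or ["no problems flagged"])
```

    Point the script at the real file by reading it into `text` before calling parse_krb5. The checker only looks at the file's contents; it does not tell you where a given kinit expects the file, which is the separate problem the trace above reports (that Java build looked for c:\winnt\krb5.ini).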
  • Your original question asked about why Kerberos tickets weren't being displayed; that's been answered. You should mark it as such so that it may help others when searching for the same or similar question. Your latest concerns on where to find a sample krb5.ini file and where to place it are whole new questions, and carry the conversation into topics not reflected by the Subject line of the original question. I think these should be asked in the form of a new question. I will pick up on answering those, though only after this has been done.

    Best Regards, Todd Heron | Active Directory Consultant

    Tuesday, December 20, 2016 1:34 PM