ktpass and UPN

  • Question

  • Hi all,

    Sorry for my bad English. I have trouble with ktpass and the UPN. After I run the command:

    PS C:\Users\Administrator> ktpass -princ HTTP/computer.domain.name@domain.name -mapuser ts\domainuser -pass "password" -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -out c:\krb5.keytab

    the UPN is changed to HTTP/computer.domain.name ....

    The DC is Windows 2008 R2, native level....

    Thanks


    Falcon


    • Edited by Marek G_ Tuesday, March 17, 2015 8:50 PM
    • Moved by Amy Wang_Moderator Wednesday, March 18, 2015 9:55 AM DS related from Security forum
    Tuesday, March 17, 2015 3:59 PM

Answers

  • Hi,

    As far as I know, KTPass will change the UPN to match the SPN, apparently because of the key generation salt value. This is by design. And ktpass has switches that allow the UPN not to be altered on the service account during mapping. We could use the command below to generate a keytab file without modifying the UPN of the service account:

    add "-setupn" at the end of that command

    However, you should note that this does not guarantee that your application will function properly. As a best practice, we need to test it in the environment.

    Regards.


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com

    Monday, March 30, 2015 1:35 AM
    Moderator
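    As an added example (not from the thread and not Microsoft's own script): a PowerShell wrapper that records the service account's userPrincipalName, runs ktpass with -setupn, and then verifies that the UPN is unchanged and that the SPN was mapped. It assumes the RSAT ActiveDirectory module is installed on the machine running it and reuses the placeholder names from the question (ts\domainuser, HTTP/computer.domain.name, domain.name); the variables $account, $spn, $realm and $keytab are introduced here.

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory module
# and that the current user may reset the mapped account's password.
Import-Module ActiveDirectory

$account = 'domainuser'                  # placeholder from the question (ts\domainuser)
$spn     = 'HTTP/computer.domain.name'   # placeholder SPN from the question
$realm   = 'DOMAIN.NAME'                 # Kerberos realms are conventionally upper case;
                                         # the question's command used lower case
$keytab  = 'C:\krb5.keytab'

# Record the UPN before ktpass touches the account.
$before = (Get-ADUser -Identity $account -Properties userPrincipalName).userPrincipalName
Write-Host "UPN before: $before"

# -setupn tells ktpass NOT to rewrite the UPN to match the SPN (the default, +setupn, does).
# /pass * prompts for the password instead of leaving it in the shell history.
# /crypto is kept as in the question; prefer AES256-SHA1 where the service supports it.
ktpass /princ "$spn@$realm" `
       /mapuser "ts\$account" `
       /pass '*' `
       /crypto RC4-HMAC-NT `
       /ptype KRB5_NT_PRINCIPAL `
       /out $keytab `
       -setupn

if ($LASTEXITCODE -ne 0) {
    throw "ktpass exited with code $LASTEXITCODE; the keytab may not have been written."
}

# Re-read the account and compare case-sensitively, since Kerberos principals are.
$after = Get-ADUser -Identity $account -Properties userPrincipalName, servicePrincipalName
Write-Host "UPN after:  $($after.userPrincipalName)"
Write-Host "SPNs on the account: $($after.servicePrincipalName -join ', ')"

if ($after.userPrincipalName -cne $before) {
    Write-Warning "UPN was modified ($before -> $($after.userPrincipalName)); -setupn was not honoured."
}
if ($after.servicePrincipalName -notcontains $spn) {
    Write-Warning "SPN $spn was not mapped onto $account; the keytab will not match a service ticket."
}
```

    Two things to keep in mind when running it: ktpass with /mapuser and /pass resets the mapped account's password in AD to the value supplied, so the keytab and the directory stay in sync but any other consumer of that password breaks; and the case-sensitive compare is deliberate, because the Microsoft note quoted later in this thread warns that Kerberos distributions may reject a keytab whose principal case differs from the directory value.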

All replies

  • Hi,

    Thanks for your post.

    According to the MS article:

    The /princ parameter is not evaluated by Ktpass and is used as provided. There is no check to see if the parameter matches the exact case of the userPrincipalName attribute value when generating the Keytab file. Case sensitive Kerberos distributions using this Keytab file might have problems when there is no exact case match and could fail during pre-authentication. Check and retrieve the correct userPrincipalName attribute value from an LDIFDE export file.

    https://technet.microsoft.com/en-us/library/cc753771.aspx

    Regards.

    Thursday, March 19, 2015 2:11 AM
    Moderator
  • Thank you for the answer. But I do not have trouble with the keytab; after I run the command, the command overwrites the user's UPN....

    Falcon

    Tuesday, March 24, 2015 1:34 PM
  • Hi,

    Any update about the issue?

    Regards.

    Tuesday, April 7, 2015 5:58 AM
    Moderator