Cannot log on to account after using ktpass to map an SPN to it

  • Question

  • On a Windows Server 2008 R2 domain controller, I create a new user named myService.  The password is 1a2b3c4d. 

    Here's the ktpass command I use:

    ktpass.exe /out server.http.keytab /princ HTTP/server.example.com@EXAMPLE.COM /pass * /mapuser myService /ptype KRB5_NT_PRINCIPAL

    When prompted for the password, I use the same password as before: 1a2b3c4d.  The keytab is then written out.  Now I attempt to run notepad as the myService user.

    runas /user:myService@example.com notepad.exe

    And I get the following error:

    Enter the password for myService@example.com:
    Attempting to start notepad.exe as user "myService@example.com" ...
    RUNAS ERROR: Unable to run - notepad.exe
    1326: Logon Failure: unknown user name or bad password.

    Since ktpass set the userPrincipalName AND servicePrincipalName of myService to HTTP/server.example.com@EXAMPLE.COM, I also attempted to run notepad as the SPN and I get the same error.

    Friday, June 18, 2010 10:13 PM

Answers

  • Hi,

    I can reproduce the issue on my Windows Server 2008 R2 computer and find the following KB article:

    939980 You cannot log on to a Windows Server 2003 domain by using a user account after you reset the user account password by using the ktpass.exe tool together with the -pass * parameter
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;939980

    As the hotfix does not apply to Windows Server 2008 R2, I suggest that you do not use "*" when you type the ktpass command. Instead, you may consider typing the password directly in the command. I've performed a test and it works fine.

    Hope the information is helpful.


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Thursday, June 24, 2010 5:58 AM
    Moderator

All replies

  • Hi,

    The bug is still present in Windows 2008 and 2008 R2, just confirmed by Microsoft.
    => A fix has not been created; the workaround is not using the "-pass *" argument...

    Kind regards,

    Tuesday, June 11, 2013 2:25 PM
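The workaround given in the accepted answer and confirmed in the last reply (pass the password value instead of "*"), as an added PowerShell example that is not from the thread or from Microsoft: it runs ktpass without "/pass *", then checks that the account still authenticates and shows what ktpass did to the UPN and SPN. It assumes the names used in the question (myService, HTTP/server.example.com, EXAMPLE.COM) and a domain-joined host with ktpass.exe available.

```powershell
# Added example, not code from the thread. Names below are the ones the
# question uses; adjust for your environment.
$account   = 'myService'
$domain    = 'example.com'
$principal = 'HTTP/server.example.com@EXAMPLE.COM'
$keytab    = 'server.http.keytab'

# Read the password once, interactively, rather than typing it inline in the
# ktpass command. It still has to reach ktpass as plain text, so the command
# line is visible to process-creation auditing on this host; treat it as a
# dedicated service-account password, not one shared with anything else.
$secure = Read-Host -Prompt "Password for $account" -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# Workaround from the thread: supply the password value, not "*".
# (If the UPN must stay myService@example.com, ktpass also accepts -setupn,
# which leaves the UPN untouched and only adds the SPN.)
& ktpass.exe /out $keytab /princ $principal /mapuser $account `
    /pass $plain /ptype KRB5_NT_PRINCIPAL
if ($LASTEXITCODE -ne 0) { throw "ktpass failed with exit code $LASTEXITCODE" }

# Check 1: can the account still log on with that password? This is what the
# original poster tested with runas, done here as a credential validation
# against the domain instead of launching a process.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement
$ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext(
    [System.DirectoryServices.AccountManagement.ContextType]::Domain, $domain)
$ok = $ctx.ValidateCredentials($account, $plain)
Write-Host "Logon as $account with the ktpass password succeeds: $ok"

# Check 2: as the question observed, ktpass rewrites userPrincipalName to the
# Kerberos principal and adds the SPN. Read both back so later runas or
# application configuration uses the names the directory actually holds.
$searcher = [ADSISearcher]"(sAMAccountName=$account)"
$searcher.PropertiesToLoad.AddRange([string[]]@('userPrincipalName', 'servicePrincipalName'))
$props = $searcher.FindOne().Properties
Write-Host "UPN : $($props['userprincipalname'])"
Write-Host "SPNs: $($props['serviceprincipalname'] -join ', ')"

# Drop the plaintext copy as soon as it is no longer needed.
$plain = $null
```

If Check 1 prints False after a run that used "/pass *", the account password no longer matches what was typed, which is the symptom the KB article describes; rerunning with the explicit value resets it.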