{"id":5527,"date":"2019-08-03T21:25:11","date_gmt":"2019-08-04T02:25:11","guid":{"rendered":"https:\/\/www.rushworth.us\/lisa\/?p=5527"},"modified":"2019-09-03T10:13:22","modified_gmt":"2019-09-03T15:13:22","slug":"generating-a-keytab-file-without-domain-admin-permissions","status":"publish","type":"post","link":"https:\/\/www.rushworth.us\/lisa\/?p=5527","title":{"rendered":"Generating a keytab file without domain admin permissions"},"content":{"rendered":"<p>Most of the application owners I encountered wanted someone online with them when they had to change their Kerberos service principal password. Not because I <em>really<\/em> needed to generate the keytab file, but &#8220;just in case&#8221;. A warm fuzzy feeling, good thoughts being sent their way. Whatever. I was up at dark-o-clock, so I&#8217;d generate the keytab the <em>right<\/em> way and we&#8217;d all be asleep in twenty minutes. What&#8217;s the <em>wrong<\/em> way? Well, in a stand-alone AD &#8230; that&#8217;s really just mapping the UPN to the wrong thing or failing to choose the encryption type wisely. But with AD accounts managed by an identity management platform and a notification package registered on the DCs to update said identity management platform when passwords were changed? I joined a lot of emergency calls either at 7AM following their keytab update or half an hour after the change completed. And 7AM was only because the app didn&#8217;t happen to have any 3rd shift users.<\/p>\n<p>Keytab files have a key version number (kvno). Generate the keytab and set the account password, and you&#8217;ve got a file with KVNO 5. Except IDM picks up the password change, tweaks up the managed accounts, and the actual AD object msDS-KeyVersionNumber is 6. And auth on your site falls over about half an hour after you complete your change (replication time!). So what&#8217;s the <em>right<\/em> way? <em>Don&#8217;t<\/em> make changes to the account. 
If you&#8217;re changing the password, change the password. And <em>then<\/em> generate a keytab.<\/p>\n<p>I&#8217;ve created a sample account, ljrtest, used setspn to set an SPN value for my lisa.sandbox.rushworth.us site, and configured the account to support AES 128 and 256 bit encryption.<\/p>\n<p><a href=\"https:\/\/www.rushworth.us\/lisa\/?attachment_id=5528\" rel=\"attachment wp-att-5528\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-5528\" src=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2019\/09\/AES128.png\" alt=\"\" width=\"400\" height=\"491\" srcset=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2019\/09\/AES128.png 400w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2019\/09\/AES128-244x300.png 244w\" sizes=\"auto, (max-width: 400px) 100vw, 400px\" \/><\/a><\/p>\n<p>To generate a keytab file <em>without<\/em> updating the UPN or attempting to set the account password, use:<\/p>\n<pre>ktpass \/out ljrtest.keytab \/princ HTTP\/lisa.sandbox.rushworth.us@rushworth.us -SetUPN \/mapuser ljrtest \/crypto AES256-SHA1 \/ptype KRB5_NT_PRINCIPAL \/pass DevNull -SetPass \/target dc.rushworth.us<\/pre>\n<p>KTPASS is part of the RSAT utilities &#8212; on Win10 with the Oct 2018 update (or newer), this is now a &#8220;Feature on Demand&#8221; and can be added through &#8220;Apps &amp; Features&#8221; by clicking &#8220;optional features&#8221; and selecting the ADS RSAT pack.<\/p>\n<p>There are a few other utilities available &#8212; ktab from the JDK or ktutil on Linux &#8212; if you cannot install the RSAT pack.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Most of the application owners I encountered wanted someone online with them when they had to change their Kerberos service principal password. Not because I really needed to generate the keytab file, but &#8220;just in case&#8221;. A warm fuzzy feeling, good thoughts being sent their way. Whatever. 
I was up at dark-o-clock, so I&#8217;d generate &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[30],"tags":[328,813],"class_list":["post-5527","post","type-post","status-publish","format-standard","hentry","category-system-administration","tag-kerberos","tag-keytab"],"_links":{"self":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/5527","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5527"}],"version-history":[{"count":1,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/5527\/revisions"}],"predecessor-version":[{"id":5529,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/5527\/revisions\/5529"}],"wp:attachment":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5527"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5527"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5527"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}