Creating keytabs and service principal names

Tags: kerberos, spn

I'm trying to set up a keytab for a Java server to support Kerberos authentication on a Windows network. I'm struggling to get it working even at the level of the command line tools, haven't even got as far as the server setup yet! My plan just now is to try and get it working on my development PC as I have development work and debugging to do. So my goal is to have the Java server running on my PC, and the client running on the same machine connecting to it.

Here's what I've done so far; I'm really blundering my way through, so I could be doing all kinds of wrong stuff!

Created a service principal name

I got one of our domain administrators to run this command:

setspn -A TEST/pc-name.mydomain.com my-user-name

This appeared to complete successfully and I can list this SPN successfully with

setspn -L my-user-name

Created a keytab file

I created a keytab with this command:

ktpass /princ TEST/pc-name.mydomain.com@MYDOMAIN.COM /pass <my-password> /ptype KRB5_NT_SRV_HST /out <keytab-filename>

This appears to create a keytab successfully, although it does warn that ptype and account type do not match (but whatever I choose for ptype, I get the same warning). If I run this command:

klist -k file:/<keytab-filename>

Then it lists the SPN I'd expect, namely TEST/pc-name.mydomain.com@MYDOMAIN.COM

The problem!

Now I want to check that the keytab works for this SPN, so I'm running

kinit -t <keytab-filename> TEST/pc-name.mydomain.com@MYDOMAIN.COM

I then get an error "krb_error 6 Client not found in Kerberos database".

What am I doing wrong?

Best Answer

I'm not quite sure whether my-user-name refers to a computer object or a user object in Active Directory; I'll assume it's a user object. In that case, I think setspn is not appropriate; this is meant to modify the SPNs of existing machine accounts. For a user account, I'm skeptical that SRV_HST is right.

Apparently, support for SPNs associated with user objects is somewhat limited; I read somewhere that this is really restricted to one user. I also couldn't manage to get your ktpass invocation to work for me, as it insisted on a) specifying a user account (through mapuser) that should be associated with the SPN, and b) setting the SPN password. I think the latter is unavoidable to create a keytab through ktpass.

I managed to create a keytab in the "standard way", i.e. by setting up a dedicated user account and associating it with an SPN:

ktpass /princ TEST/host@DOMAIN /mapuser user@DOMAIN /pass *  /out foo.keytab /ptype KRB5_NT_PRINCIPAL

That operation (expectedly) broke login for the user; however, I was then able to kinit with

kinit -k -t /tmp/foo.keytab  TEST/host@DOMAIN
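As an added illustration (not code from the question or the answer), here is a small Python reader for the MIT-style keytab format (version 0x0502) that klist -k and kinit -k consume, so the principal, name type (ptype) and kvno that ktpass wrote can be inspected directly. The sample keytab bytes are constructed inline with dummy all-zero keys and assume the principal names used in the thread.

```python
import struct

NAME_TYPES = {1: "KRB5_NT_PRINCIPAL", 3: "KRB5_NT_SRV_HST"}   # ptype values used in the thread
ENCTYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}

def build_entry(principal, name_type, kvno, enctype, key, timestamp=0):
    """Serialise one keytab entry (MIT v2 layout, size prefix included)."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)          # optional 32-bit kvno extension
    return struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Decode a 0x0502 keytab into dicts; skips deleted (negative-size) slots."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                           # hole left by a removed entry
            pos -= size
            continue
        end = pos + size
        ncomp, rlen = struct.unpack_from(">HH", data, pos)
        pos += 4
        realm = data[pos:pos + rlen].decode(); pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, pos); pos += 2
            comps.append(data[pos:pos + clen].decode()); pos += clen
        name_type, ts, vno8, enctype, klen = struct.unpack_from(">IIBHH", data, pos)
        pos += 13 + klen                       # the key bytes themselves are not kept
        kvno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": kvno,
                        "name_type": NAME_TYPES.get(name_type, str(name_type)),
                        "enctype": ENCTYPES.get(enctype, str(enctype))})
    return entries

# Constructed sample: the thread's SPN with the two ptypes discussed, plus a deleted slot.
SAMPLE_KEYTAB = (b"\x05\x02"
    + build_entry("TEST/pc-name.mydomain.com@MYDOMAIN.COM", 3, 2, 18, bytes(32))
    + struct.pack(">i", -8) + bytes(8)         # unused slot, as a removed entry leaves behind
    + build_entry("TEST/host@DOMAIN", 1, 5, 23, bytes(16)))
```

Running parse_keytab over a real keytab shows the same principal and kvno that klist -k prints, and the name_type field reveals which /ptype ktpass actually recorded.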