Error when trying to generate Kerberos keytab file using ktpass

mac9873 1 Reputation point
2021-03-09T12:09:26.83+00:00

Hi,

We are running Windows Server 2019 Standard V 10.0 (17763). I have completed this exact same procedure before without any issues on different domain controllers, all with the same configuration and setup, but today I am having an issue generating the Kerberos keytab file on Windows Server.

This is the command I use:

    ktpass -princ HTTP/proxy.org@.ORG -mapuser <user login name>@.org -pass <password> -crypto all -ptype KRB5_NT_PRINCIPAL -out fpx.keytab

I get this error:

    Targeting domain controller: ???.org
    Successfully mapped HTTP/proxy.org to <user login name>.
    Password successfully set!
    WARNING: pType and account type do not match. This might cause problems.
    Key created.

The keytab file does not get created.

I have treble checked the AD user on the DC, removed it and re-added it, and checked the password is correct; all is fine. I have treble checked that all the user names, the domain names and the REALM are correct, and have now hit a brick wall. I have checked with our support team that the DC has the exact same configuration as previous DCs on which I have successfully generated the keytab files, so I am not doing anything different. The domain controller can resolve the proxy name, so DNS is fine.

Can you help please?

Many thanks,
mac

Windows Server Security

1 answer

  1. Daisy Zhou 21,276 Reputation points Microsoft Vendor
    2021-03-10T02:51:44.697+00:00

    Hello @mac9873,

    Thank you for posting here.

    I have done a test in my lab.

    1. Create an account chao in a.local domain.

    2. Run command:
    ktpass /princ host/chao.a.local@A.LOCAL /mapuser chao /pass Zcl1234qwer!!@@ /out machine.keytab /crypto all /ptype KRB5_NT_PRINCIPAL /mapop set

    3. Run command:
    ktpass /princ host/chao.a.local@A.LOCAL /mapuser chao /pass Zcl1234qwer!!@@ /out machine.keytab /crypto all /ptype KRB5_NT_PRINCIPAL -out fpx.keytab

    Please check carefully if the command you are running is correct or not.

    For more information about ktpass, please refer to the link below.
    ktpass
    https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/ktpass

    Hope the information above is helpful.

    Should you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou

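An added example, not part of the original thread and not Microsoft's code: once ktpass reports "Key created", a small parser like this lists which principal, key version and encryption types a keytab file actually holds, and flags the DES and RC4 entries that `-crypto all` includes. It assumes the MIT keytab layout, version 0x0502; the function names and the EXAMPLE.ORG sample data are constructed for illustration.

```python
import struct

# Kerberos enctype numbers for the types ktpass's /crypto option accepts.
ENCTYPES = {1: "DES-CBC-CRC", 3: "DES-CBC-MD5", 17: "AES128-SHA1",
            18: "AES256-SHA1", 23: "RC4-HMAC"}
WEAK = {1, 3, 23}  # DES (RFC 6649) and RC4 (RFC 8429) are deprecated

def _counted(buf, p):  # uint16 length-prefixed field -> (bytes, next offset)
    (n,) = struct.unpack_from(">H", buf, p)
    return buf[p + 2:p + 2 + n], p + 2 + n

def parse_keytab(data):
    """List the entries of a version 0x0502 keytab; key bytes are not returned."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                      # negative size marks a deleted slot
            pos += -size
            continue
        if pos + size > len(data):
            raise ValueError("truncated keytab entry")
        rec, pos = data[pos:pos + size], pos + size
        (ncomp,) = struct.unpack_from(">H", rec, 0)
        names, p = [], 2                   # realm first, then name components
        for _ in range(ncomp + 1):
            field, p = _counted(rec, p)
            names.append(field.decode())
        _ntype, _time, kvno, etype = struct.unpack_from(">IIBH", rec, p)
        _key, p = _counted(rec, p + 11)    # skip the key material itself
        if len(rec) - p >= 4:              # optional 32-bit kvno overrides 8-bit
            kvno = struct.unpack_from(">I", rec, p)[0] or kvno
        entries.append({"principal": "/".join(names[1:]) + "@" + names[0], "kvno": kvno,
                        "enctype": ENCTYPES.get(etype, str(etype)), "weak": etype in WEAK})
    return entries

def sample_keytab():
    """Constructed keytab for EXAMPLE.ORG with all-zero dummy keys (not ktpass output)."""
    names = (b"EXAMPLE.ORG", b"HTTP", b"proxy.example.org")
    out = b"\x05\x02"
    for etype, klen in ((23, 16), (18, 32)):
        rec = struct.pack(">H", 2) + b"".join(struct.pack(">H", len(s)) + s for s in names)
        rec += struct.pack(">IIBHH", 1, 0, 3, etype, klen) + bytes(klen) + struct.pack(">I", 3)
        out += struct.pack(">i", len(rec)) + rec
    return out

if __name__ == "__main__":
    print(*parse_keytab(sample_keytab()), sep="\n")
```

To inspect a real file, pass its bytes (`open(path, "rb").read()`) to `parse_keytab`.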