How can I check if the keytab file includes all SPNs

ge ji 21 Reputation points
2021-07-21T07:57:20.13+00:00

I have a keytab file created by ktpass command, in the format as below
ktpass /princ host/User1.contoso.com@Company portal .COM /mapuser User1 /pass MyPas$w0rd /out machine.keytab

Now how can I check the output file "machine.keytab" include SPN "host/User1.contoso.com"?

Some people say to use command KTUTIL, but when to download it?


Accepted answer
  1. Pierre Audonnet - MSFT 10,186 Reputation points Microsoft Employee
    2021-07-22T01:42:33.027+00:00

    KTPASS.EXE can display this.

    ktpass /in <your keytab file>  
    

    KTPASS.EXE is available on a system as long as the Remote Administration Server Tools for Active Directory Domain Services are installed.

    However, note that keytabs do not contain SPNs. SPNs are set on the account in AD. Keytabs, on the other hand, will have the UPN of the account as well as the encryption keys.

    I highly recommend you read the following article: https://learn.microsoft.com/en-us/archive/blogs/pie/all-you-need-to-know-about-keytab-files

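As an added example (not from the thread and not part of ktpass), here is a small Python parser for the version 0x502 keytab layout that ktpass writes, which lists the principals, kvno and enctype each entry carries and checks whether a given principal is present; this is the same information `ktpass /in` prints, and it makes the accepted answer's point concrete: the file holds principal names and keys, not the account's AD SPN attribute. The sample keytab is constructed inline with the thread's principal names and dummy keys.

```python
import struct
from collections import namedtuple

KeytabEntry = namedtuple("KeytabEntry", "principal name_type kvno etype key")

def _counted(buf, pos):
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(data):
    """Return every live entry of a version 0x502 (MIT v2) keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)   # negative size marks a deleted slot
        pos += 4
        if size <= 0:
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)  # v2 count excludes the realm
        realm, pos = _counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted(data, pos)
            comps.append(comp.decode())
        name_type, _timestamp, vno8, etype, klen = struct.unpack_from(">IIBHH", data, pos)
        pos += 13
        key, pos = data[pos:pos + klen], pos + klen
        kvno = vno8
        if end - pos >= 4:                              # optional 32-bit kvno wins when nonzero
            kvno = struct.unpack_from(">I", data, pos)[0] or vno8
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(), name_type, kvno, etype, key))
    return entries

def has_principal(data, principal):
    return any(e.principal == principal for e in parse_keytab(data))

def make_entry(principal, kvno, etype, key, name_type=0):
    """Encode one entry in the same layout; used here only to construct the sample."""
    name, realm = principal.rsplit("@", 1)
    parts = [realm.encode()] + [c.encode() for c in name.split("/")]
    body = struct.pack(">H", len(parts) - 1) + b"".join(struct.pack(">H", len(p)) + p for p in parts)
    body += struct.pack(">IIBHH", name_type, 0, kvno & 0xFF, etype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample mirroring the thread's ktpass output: two SPN principals, kvno 2, etype 0x12 (AES256-SHA1), dummy keys
SAMPLE_KEYTAB = (b"\x05\x02" + make_entry("host/spn1@piesec.ca", 2, 0x12, bytes(range(32)))
                 + make_entry("host/spn2@piesec.ca", 2, 0x12, bytes(range(32))))
```

Run `parse_keytab(open("machine.keytab", "rb").read())` against a real file to get the same list `ktpass /in` shows; a match on `has_principal` only proves the name is in the file, not that the SPN is registered on the account in AD.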

4 additional answers

  1. Daisy Zhou 24,046 Reputation points Microsoft Vendor
    2021-07-22T03:36:29.677+00:00

    Hello @ge ji ,

    Thank you for posting here.

    Hope the information provided by piaudonn above is helpful to you.

    Q: Some people say to use command KTUTIL, but when to download it?

    A: Based on my research, on a Windows machine, you can use ktpass.exe and on Ubuntu Linux, you can use ktutil.

    So ktutil is a utility on Ubuntu and Linux machine.

    Creating Kerberos Keytab Files Compatible with Active Directory
    http://www.itadmintools.com/2011/07/creating-kerberos-keytab-files.html

    Please note: Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.

    Hope the information above is helpful to you.

    Should you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.


  2. ge ji 21 Reputation points
    2021-07-28T06:06:34.187+00:00

    Thanks for Daisy's post.
    My key question was what command (and switch) to show a keytab file's SPN included.
    I don't have / want to launch Linux / ktutil to show SPNs inside a keytab file.

    Daisy please specify the windows command syntax KTPASS -?? to show SPN.
    I used KTPASS to create the keytab file.
    Thx


  3. ge ji 21 Reputation points
    2021-07-31T07:03:30.35+00:00

    Thanks all, my question is solved.
    I run command as domain admin on domain.local
    ktpass /princ host/host1.domain.local@keyman .local /mapuser User1 /pass MyPass /out filename.keytab
    ktpass /princ host/host2.domain.local@keyman .local /mapuser User1 /pass MyPass /out filename.keytab /in filename.keytab

    And now I run
    ktpass /in filename.keytab will list 2 SPNs.

    Maybe another question, we have trusted domain2, can I add a SPN pointing of domain2 (different realm)?
    I still run command as domain admin on domain.local, but just read only to domain2.local
    ktpass /princ host/host3.domain2.local@domain2.local /mapuser User1 /pass MyPass /out filename.keytab /in filename.keytab
    Does the resulting keytab make sense?


  4. Pierre Audonnet - MSFT 10,186 Reputation points Microsoft Employee
    2021-08-03T13:02:49.42+00:00

    For the sake of KTPASS syntax... This is what could be done...

    Let's say you have the following user:

    repadmin /showattr SECDC01.piesec.ca "CN=geji,CN=Users,DC=piesec,DC=ca" /atts:userPrincipalName,serviceprincipalname,sAMAccountName,msDS-KeyVersionNumber
    DN: CN=geji,CN=Users,DC=piesec,DC=ca
        1> sAMAccountName: geji
        1> userPrincipalName: geji-upn@piesec.ca
        2> servicePrincipalName: host/spn2@piesec.ca; host/spn1@piesec.ca
        1> msDS-KeyVersionNumber: 2
    

    That would be an odd way for the SPN format, but eh, why not... You could create a keytab that has both of these SPNs listed as principals (although as discussed in this thread, you will not be able to use those keytabs to do a KINIT because the keytabs will in that case not contain the actual user account UPN). Oh and AES uses salt... So you'd have to overwrite the salt since it is derived from the UPN you provide in /princ... Salt is domain FQDN followed by the first part of the user's UPN. Lots of tricks just for the sake of making it work...

    ktpass /out geji.keytab /princ host/spn1@piesec.ca -SetUPN /rawsalt piesec.cageji-upn /mapuser P\geji /crypto AES256-SHA1 /pass MyPass -SetPass
    Targeting domain controller: SECDC01.piesec.ca
    Successfully mapped host/spn1 to geji.
    WARNING: pType and account type do not match. This might cause problems.
    Key created.
    Output keytab to geji.keytab:
    Keytab version: 0x502
    keysize 70 host/spn1@piesec.ca ptype 0 (KRB5_NT_UNKNOWN) vno 2 etype 0x12 (AES256-SHA1) keylength 32 (0xf55444beb1501ff719c96e28c6cfc9776ab4dea73da8ad57148b7322a86759ed)
    

    Then:

    ktpass /in geji.keytab /out geji.keytab /princ host/spn2@piesec.ca -SetUPN /rawsalt piesec.cageji-upn /mapuser P\geji /crypto AES256-SHA1 /pass MyPass -SetPass
    Existing keytab:
    
    Keytab version: 0x502
    keysize 70 host/spn1@piesec.ca ptype 0 (KRB5_NT_UNKNOWN) vno 2 etype 0x12 (AES256-SHA1) keylength 32 (0xf55444beb1501ff719c96e28c6cfc9776ab4dea73da8ad57148b7322a86759ed)
    Targeting domain controller: SECDC01.piesec.ca
    Successfully mapped host/spn2 to geji.
    WARNING: pType and account type do not match. This might cause problems.
    Key created.
    Output keytab to geji.keytab:
    Keytab version: 0x502
    keysize 70 host/spn1@piesec.ca ptype 0 (KRB5_NT_UNKNOWN) vno 2 etype 0x12 (AES256-SHA1) keylength 32 (0xf55444beb1501ff719c96e28c6cfc9776ab4dea73da8ad57148b7322a86759ed)
    keysize 70 host/spn2@piesec.ca ptype 0 (KRB5_NT_UNKNOWN) vno 2 etype 0x12 (AES256-SHA1) keylength 32 (0xf55444beb1501ff719c96e28c6cfc9776ab4dea73da8ad57148b7322a86759ed)
    

    That command does not require any permission in AD other than being a regular user. You are not setting the UPN (thanks to the -SetUPN) nor resetting the password (thanks to the -SetPass). That way you also have the right kvno on the keytab.

    Would that result in a working keytab? I don't know. Likely not.

    • For TGT, nope, it will not work as the real user's UPN will in that case not be written.
    • But since it seems that the keytabs could be used at the discretion of the application, check with the dev of that one I suppose...

    This is just a mental exercise as this command (although correct from a syntax perspective) is not a real case.
