This content has been marked as final. Show 9 replies
Hi all !
I don't understand : nobody stumbled on that or is nobody working with a AD 2003 domain ?
Maybe you are all under Unix, good for you ; I'm not that lucky I have to force myself under windows.
At least could someone give a hint on a alternative to avoid the use of microsoft 's Ktpass on Win2003 ?
some other binaries or way to create a keytab for a AD 2003 account ??
Why are you using ktpass for a Windows computer account ?
If it hasn't become apparent to you yet, when you use ktpass, you are changing the password for the account in Active Directory & exporting the generated keytab.
However ktpass does not change the computer's password, hence that is why it appears to be no longer joined to the domain, because the computer's password and the Active Directory computer account;s password no longer match.
If you want to register a Service Principal Name (SPN) for you web server, use the setspn command instead.
Well I still miss something then Mister Adler.
I know you are one of the gurus on this stuff here so may be you could correct me; or at least point me towards the good documentation.
What I have understood is that to enable Kerberos/SPNEGO I need the keytab of the windows machine on which the app is installed.
So how can one make a keytab without using ktpass ?
setspn can't do that !
I already used setspn to add the HTTP principal to the computer account , sure
but for the keytab ???
If ktpass doesn't make it how is it possible to succed ?
Or I have missed completely something as always ?
Thanks for your time.
Please can someone tell me where I'm wrong ?
Using SPNEGO with Java means coding and using appropriate java packages.
That Part let's suppose it's OK as it is not the thing driving mad
With this code OK you need to provide your software with a keytab of the computer hosting your web server with the HTTP/ principal.
Is that right so far ?
If yes it means logically that I have to create a keytab for the computer account on the Windows AD machine.
To do that after using setspn to add the principal I use the ktpass command .
So as the ktpass command break the machine's account I'm dead.
M adler_steven comes by to warn me that i am a little bit completely idiot to try to use ktpass on machine's account but if this is not a bug why this entry on MS KB :
http://support.microsoft.com/kb/939980; and could you tell me what else am i supposed to try ?
and most of all why nobody is able to give some little help on this subject ? nobody ever deals with making SPNEGO with a windows machine ?
I have almost the exact same problem.
I have always been able to receive a TGT with my client app with keys for my HOST/localcomputer, but now with a ktpass user mapped to my computer name (in order to generate a keytab for use by the server), my KDC no longer recognises the service on my computer name, and the client doesnt work.
I don't expect to get any help on this matter either.
Sorry, didn't see your reply.
I assume you wrote the official sun article, mr. Wang, thanks for that. I'm surprised because it was your advice :)
The article says:
i assumed machine.ad.local was my machine that i'm running the service on, and myservicemachine was the new user. And that this mapped the machine to the user. But i see now, it actually maps the service to the user. and obviously i shouldnt be mapping my HOST service.
For example, if the AD domain name is AD.LOCAL, and you'd like to run a service called myservice on the host machine.ad.local, you can perform these steps on your AD server: 1. Create a normal user account (say myservicemachine) inside AD.LOCAL, any password is OK. 2. Call "ktpass -princ myservice/machine.ad.local@AD.LOCAL -mapuser myservicemachine@AD.LOCAL -out x.keytab +rndPass" to create a SPN mapping to the user account, and generate a keytab file x.keytab. The password is regenerated with a random value so the password you give in step 1 is useless.
This [http://spnego.sourceforge.net/spnego_tomcat.html|http://spnego.sourceforge.net/spnego_tomcat.html] project has some good basic documentation for Windows users. It is possible (and simpler) to achieve the same thing as ktpass without using ktpass.
Edited by: firstname.lastname@example.org on Oct 18, 2009 10:41 AM
Edited by: email@example.com on Oct 18, 2009 11:06 AM