9 Replies. Latest reply: Oct 18, 2009 1:06 PM by 843810

    KTPASS causes invalidated computer account (can't connect to the domain)?

    843810
      Hi everyone,
      I have a question for those who could have been in the same situation:

      After issuing a ktpass for generating a keytab for my account (JWEBSRV), which is a
      PRE-EXISTING COMPUTER account (NOT a user account):
      ktpass /out HTTP-JWEBSRV.keytab /pass secret /mapuser JWEBSRV /princ HTTP/JWEBSRV@MYDOMAIN.LOCAL /crypto RC4-HMAC-NT /ptype KRB5_NT_SRV_HST
      Everything seems OK; I can still see my account in the Windows 2003 AD console, but
      the account is somehow invalid: the HTTP computer (I tried under Win 2k or WinXP) cannot be accepted in the domain anymore.

      I have to delete it and rejoin my computer to the domain.

      So using ktpass (w2003 resource kit) seems to somehow corrupt my computer's account name.
      Any idea what I could have done wrong?

      The original goal was to set up SPNEGO for a Java-based HTTP service which is running on the computer.

      Thanks
        • 1. Re: KTPASS causes invalidated computer account (can't connect to the domain)
          843810
          Hi all!

          I don't understand: nobody stumbled on that, or is nobody working with an AD 2003 domain?

          Maybe you are all under Unix, good for you; I'm not that lucky, I have to force myself under Windows.

          At least could someone give a hint on an alternative to avoid the use of Microsoft's ktpass on Win2003?

          Some other binaries or way to create a keytab for an AD 2003 account??

          Thanks
          • 2. Re: KTPASS causes invalidated computer account (can't connect to the domain)
            800477
            Why are you using ktpass for a Windows computer account?

            If it hasn't become apparent to you yet, when you use ktpass, you are changing the password for the account in Active Directory & exporting the generated keytab.

            However ktpass does not change the computer's password, hence that is why it appears to be no longer joined to the domain, because the computer's password and the Active Directory computer account's password no longer match.

            If you want to register a Service Principal Name (SPN) for your web server, use the setspn command instead.
            • 3. Re: KTPASS causes invalidated computer account (can't connect to the domain)
              843810
              Well, I still miss something then, Mister Adler.

              I know you are one of the gurus on this stuff here, so maybe you could correct me, or at least point me towards the good documentation.

              What I have understood is that to enable Kerberos/SPNEGO I need the keytab of the Windows machine on which the app is installed.

              So how can one make a keytab without using ktpass?
              setspn can't do that!

              I already used setspn to add the HTTP principal to the computer account, sure,
              but for the keytab???

              If ktpass doesn't make it, how is it possible to succeed?

              Or have I completely missed something, as always?

              Thanks for your time.
              • 4. Re: KTPASS causes invalidated computer account (can't connect to the domain)
                843810
                Please can someone tell me where I'm wrong?

                1-)
                Using SPNEGO with Java means coding and using appropriate Java packages.
                That part, let's suppose it's OK, as it is not the thing driving me mad.

                2-)
                With this code OK, you need to provide your software with a keytab of the computer hosting your web server with the HTTP/ principal.

                Is that right so far?

                If yes, it means logically that I have to create a keytab for the computer account on the Windows AD machine.

                4-)
                To do that, after using setspn to add the principal, I use the ktpass command.


                So as the ktpass command breaks the machine's account, I'm dead.

                Mr. adler_steven comes by to warn me that I am a bit of a complete idiot to try to use ktpass on a machine's account, but if this is not a bug, why this entry in the MS KB:
                http://support.microsoft.com/kb/939980; and could you tell me what else I am supposed to try?


                And most of all, why is nobody able to give some little help on this subject? Does nobody ever deal with making SPNEGO work with a Windows machine?
                • 5. Re: KTPASS causes invalidated computer account (can't connect to the domain)
                  843810
                  I have almost the exact same problem.

                  I have always been able to receive a TGT with my client app with keys for my HOST/localcomputer, but now with a ktpass user mapped to my computer name (in order to generate a keytab for use by the server), my KDC no longer recognises the service on my computer name, and the client doesn't work.

                  I don't expect to get any help on this matter either.
                  • 6. Re: KTPASS causes invalidated computer account (can't connect to the domain)
                    843810
                    Why do you map it to a computer name? Just create a new normal user and map to it. This new user will not be used to login to a computer.
                    • 7. Re: KTPASS causes invalidated computer account (can't connect to the domain)
                      843810
                      Worked out my problem: SPN overlap. My mapped user and my computer still shared an SPN. I removed the one, and it works now.
                      • 8. Re: KTPASS causes invalidated computer account (can't connect to the domain)
                        843810
                        Sorry, didn't see your reply.
                        I assume you wrote the official Sun article, Mr. Wang, thanks for that. I'm surprised because it was your advice :)
                        The article says:
                        For example, if the AD domain name is AD.LOCAL, and you'd like to run a service called myservice on the host machine.ad.local, you can perform these steps on your AD server:

                           1. Create a normal user account (say myservicemachine) inside AD.LOCAL, any password is OK.
                           2. Call "ktpass -princ myservice/machine.ad.local@AD.LOCAL -mapuser myservicemachine@AD.LOCAL -out x.keytab +rndPass" to create an SPN mapping to the user account, and generate a keytab file x.keytab. The password is regenerated with a random value so the password you give in step 1 is useless.
                        I assumed machine.ad.local was my machine that I'm running the service on, and myservicemachine was the new user, and that this mapped the machine to the user. But I see now, it actually maps the service to the user, and obviously I shouldn't be mapping my HOST service.
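The procedure this thread converges on (reply 2: ktpass resets the mapped account's password; reply 7: the mapped user and the computer must not share an SPN; reply 8: ktpass maps the service, not the machine, to a dedicated user), as an added PowerShell example that is not part of the thread or of the Sun article. It assumes the ActiveDirectory module (RSAT, Windows Server 2008 R2 or later, so newer than the 2003 resource kit used in the question), a domain-admin session, and the placeholder names svc-jwebsrv, jwebsrv.mydomain.local and C:\keytabs; JWEBSRV and MYDOMAIN.LOCAL are the names from the original post.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module (RSAT), a
# domain-admin session, and placeholder names; the computer account JWEBSRV and the
# domain MYDOMAIN.LOCAL are the ones from the original post.
$Domain     = 'MYDOMAIN.LOCAL'
$WebHost    = 'jwebsrv.mydomain.local'     # FQDN browsers use for the Java web server
$SvcAccount = 'svc-jwebsrv'                # dedicated service user, NOT the computer account
$Spn        = "HTTP/$WebHost"
$KeytabPath = 'C:\keytabs\HTTP-JWEBSRV.keytab'

# 1. Refuse to go on if the SPN is already registered anywhere, e.g. on the JWEBSRV
#    computer account itself (the "still shared an SPN" situation from reply 7).
$owner = Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)"
if ($owner) { throw "$Spn is already registered on $($owner.DistinguishedName); remove it first (setspn -D)" }

# 2. Create the service user. ktpass will reset this account's password, which is
#    harmless for a user that never logs on; on a computer account the same reset
#    desynchronises the machine's secret from AD and the machine drops out of the domain.
$tmpPwd = ConvertTo-SecureString ('Tmp-' + [guid]::NewGuid()) -AsPlainText -Force
New-ADUser -Name $SvcAccount -SamAccountName $SvcAccount `
    -UserPrincipalName "$SvcAccount@$Domain" -AccountPassword $tmpPwd `
    -Enabled $true -PasswordNeverExpires $true -CannotChangePassword $true
Set-ADUser -Identity $SvcAccount -KerberosEncryptionType AES256   # allow AES keys in the keytab

# 3. Register the SPN on the service user. -S checks the whole domain for a duplicate
#    before adding (the older -A does not).
setspn -S $Spn $SvcAccount
if ($LASTEXITCODE -ne 0) { throw "setspn -S failed for $Spn" }

# 4. Export the keytab. /mapuser names the service user, never the computer account;
#    +rndPass replaces the temporary password with a random one that nobody needs to know.
ktpass /out $KeytabPath /princ "$Spn@$Domain" /mapuser "$SvcAccount@$Domain" `
    /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL '+rndPass'
if ($LASTEXITCODE -ne 0) { throw "ktpass failed" }

# 5. Verify: the SPN lives on the service user only, the computer account keeps its own
#    SPNs, the key version number advanced after the reset, and no duplicates remain.
$svc = Get-ADUser -Identity $SvcAccount -Properties servicePrincipalName, 'msDS-KeyVersionNumber'
"service user SPNs : $($svc.servicePrincipalName -join ', ')  kvno=$($svc.'msDS-KeyVersionNumber')"
$pc = Get-ADComputer -Identity 'JWEBSRV' -Properties servicePrincipalName
"computer SPNs     : $($pc.servicePrincipalName -join ', ')"
setspn -X      # domain-wide duplicate-SPN report; should find none
```

Copy the keytab to the web server over a protected channel and restrict its ACL to the service's run-as identity; the kvno printed here must match the one ktpass wrote into the file, or the KDC will reject the service ticket.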
                        • 9. Re: KTPASS causes invalidated computer account (can't connect to the domain)
                          843810
                          This project, http://spnego.sourceforge.net/spnego_tomcat.html, has some good basic documentation for Windows users. It is possible (and simpler) to achieve the same thing as ktpass without using ktpass.

                          Edited by: patdgonzalez@yahoo.com on Oct 18, 2009 10:41 AM

                          Edited by: patdgonzalez@yahoo.com on Oct 18, 2009 11:06 AM