Howto : Using ktab to generate a Kerberos Ticket File without spn.exe or ktpass.exe

  • 7006039
  • 19-May-2010
  • 26-Apr-2012

Environment

Novell Access Manager 3.1 Linux Novell Identity Server
Novell Access Manager 3.1 Windows Novell Identity Server

Situation

Using ktab to generate a Kerberos Ticket File without spn.exe or ktpass.exe


In this example, the Windows Server 2008 Active Directory domain is domain.com, the Kerberos realm is DOMAIN.COM, the Domain Controller is srvdc, the iDP server name is srvidp, and the iDP URL is idp.domain.com. The workstation performing these actions only needs to be able to communicate with AD and the KDC; it does not have to be a member of the domain.


1) Create the user srvidp in Active Directory with the userPrincipalName of HTTP/idp.domain.com@DOMAIN.COM, the pre-Windows 2000 username of srvidp, and the desired password (in this example it is idpuserpassword).

2) Using the Windows Server 2008 Active Directory Users and Computers console, enable Advanced Features under the View menu.

3) Under the properties of the srvidp user, select the Attribute Editor tab.

4) Double click the servicePrincipalName attribute to edit.

5) Add HTTP/idp.domain.com and HTTP/idp.domain.com@DOMAIN.COM.

6) Install the Sun Java SE JRE and add its bin directory to the PATH (if this workstation is a member of the domain, the klist executable in that same directory can also list the Kerberos tickets issued to the domain workstation and the logged-in domain user).

7) Create a C:\WINDOWS\krb5.ini (Windows) or /etc/krb5.conf (Linux) file with the following content:


[libdefaults]
    default_realm = DOMAIN.COM
    default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
    default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
    permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5

[realms]
    DOMAIN.COM = {
        kdc = srvdc.domain.com
        admin_server = srvdc.domain.com
        default_domain = domain.com
    }

[domain_realm]
    domain.com = DOMAIN.COM
    .domain.com = DOMAIN.COM


8) From a command prompt, execute ktab -a HTTP/idp.domain.com idpuserpassword -k nidpkey.keytab

9) Validate the content by executing ktab -l -k nidpkey.keytab, which should output something similar to:

Keytab name: C:\nidpkey.keytab
KVNO    Principal
---------------------------------------------------------
  1     HTTP/idp.domain.com@DOMAIN.COM
  1     HTTP/idp.domain.com@DOMAIN.COM
  1     HTTP/idp.domain.com@DOMAIN.COM
  1     HTTP/idp.domain.com@DOMAIN.COM

Each line represents a key for one of the encryption types listed in the krb5 file (rc4-hmac, des3-cbc-sha1, etc.).
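The ktab -l listing above shows the principal and KVNO but not which encryption type each of the four identical-looking lines holds, so it cannot confirm that the keys you expect are the keys that were written (newer JDK versions accept ktab -l -e to print the key type). The Python script below is an added example, not part of this TID or of the Java ktab tool: it parses the keytab file format that Java's ktab and MIT Kerberos write (version bytes 05 02), lists the enctype behind every entry, and flags DES and RC4 entries as legacy. That flag matters for the krb5 file in step 7, whose enctype list contains only RC4 and DES; Windows Server 2008 R2 and later domain controllers disable DES by default, so entries of those types will never be used. The keytab bytes parsed here are fabricated in memory by build_keytab from made-up key material; the principal, realm and enctype order mirror the example above, and no real keytab or password is involved.

```python
"""List the entries of a Kerberos keytab (MIT/Java format 0x0502) with enctypes.

Added example for the ktab how-to: ktab -l prints principal and KVNO only, so
this parser shows which encryption type each entry holds and flags legacy
(DES, RC4) keys.  The sample keytab is constructed in memory, not read from disk.
"""
import struct

# Kerberos enctype numbers; the flag marks types treated here as legacy/weak.
ENCTYPES = {
    1:  ("des-cbc-crc", True),
    3:  ("des-cbc-md5", True),
    16: ("des3-cbc-sha1", False),
    17: ("aes128-cts-hmac-sha1-96", False),
    18: ("aes256-cts-hmac-sha1-96", False),
    23: ("rc4-hmac", True),
}
KT_MAGIC = b"\x05\x02"   # keytab format version 2
NT_PRINCIPAL = 1         # KRB5_NT_PRINCIPAL name type

# Constructed key material (NOT real keys): one key per enctype that the
# krb5 file in step 7 permits, in the order ktab adds them.
SAMPLE_KEYS = [(23, b"\x11" * 16), (16, b"\x22" * 24),
               (1, b"\x33" * 8), (3, b"\x44" * 8)]


def _counted(data):
    """16-bit big-endian length prefix followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def build_keytab(principal, realm, keys, kvno=1, timestamp=0):
    """Serialise one keytab entry per (enctype, key), as 'ktab -a' does.
    Only used to fabricate input for the parser below."""
    components = principal.split("/")
    out = bytearray(KT_MAGIC)
    for enctype, key in keys:
        body = struct.pack(">H", len(components)) + _counted(realm.encode())
        for comp in components:
            body += _counted(comp.encode())
        body += struct.pack(">IIB", NT_PRINCIPAL, timestamp, kvno & 0xFF)
        body += struct.pack(">H", enctype) + _counted(key)
        body += struct.pack(">I", kvno)             # optional 32-bit KVNO
        out += struct.pack(">i", len(body)) + body  # entry length prefix
    return bytes(out)


def parse_keytab(blob):
    """Return a list of dicts describing each live entry in the keytab."""
    if blob[:2] != KT_MAGIC:
        raise ValueError("not a version-2 keytab (expected bytes 05 02)")
    pos, entries = 2, []
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size < 0:                 # negative length marks a deleted slot
            pos += -size
            continue
        end = pos + size
        ncomp, rlen = struct.unpack_from(">HH", blob, pos)  # realm is counted
        pos += 4
        realm = blob[pos:pos + rlen].decode()
        pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", blob, pos)
            pos += 2
            comps.append(blob[pos:pos + clen].decode())
            pos += clen
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", blob, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", blob, pos)
        pos += 4 + klen              # skip the key bytes; only the length is kept
        kvno = vno8
        if end - pos >= 4:           # a non-zero 32-bit KVNO overrides the 8-bit one
            (vno32,) = struct.unpack_from(">I", blob, pos)
            if vno32:
                kvno = vno32
        pos = end
        name, weak = ENCTYPES.get(enctype, ("enctype-%d" % enctype, False))
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "kvno": kvno, "enctype": enctype,
                        "enctype_name": name, "weak": weak, "key_len": klen})
    return entries


def weak_entries(entries):
    """Entries whose enctype is DES or RC4."""
    return [e for e in entries if e["weak"]]


if __name__ == "__main__":
    blob = build_keytab("HTTP/idp.domain.com", "DOMAIN.COM", SAMPLE_KEYS)
    print("KVNO  Enctype                   Principal")
    for e in parse_keytab(blob):
        flag = "  (legacy)" if e["weak"] else ""
        print("%-5d %-25s %s%s" % (e["kvno"], e["enctype_name"], e["principal"], flag))
```

To inspect the keytab produced in step 8 instead of the constructed sample, pass the file contents to the parser: parse_keytab(open("nidpkey.keytab", "rb").read()). If every entry comes back flagged as legacy, the krb5 file's enctype lists are what limited the keys ktab could write; adding AES types there (and to the account in AD) before re-running step 8 is the usual remedy.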

Additional Information

Thanks to Ben Walter, Directory Concepts for providing this info.