geji-3740 asked piaudonn edited

How can I check if the keytab file includes all SPNs

I have a keytab file created by the ktpass command, in the format below
ktpass /princ host/User1.contoso.com@CONTOSO.COM /mapuser User1 /pass MyPas$w0rd /out machine.keytab

Now how can I check that the output file "machine.keytab" includes the SPN "host/User1.contoso.com"?

Some people say to use command KTUTIL, but when to download it?

windows-active-directory

Hello @geji-3740,
How are things going on your end? Please keep me posted on this issue.
If you have any further questions or concerns about this question, please let us know.
I appreciate your time and efforts.

Best Regards,
Daisy Zhou

============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.

0 Votes 0 ·

Hello @geji-3740,
I just want to confirm the current situation.
Please feel free to let us know if you need further assistance.


Best Regards,
Daisy Zhou


0 Votes 0 ·
piaudonn answered piaudonn edited

KTPASS.EXE can display this.

 ktpass /in <your keytab file>

KTPASS.EXE is available on a system as long as the Remote Administration Server Tools for Active Directory Domain Services are installed.

However, note that keytabs do not contain SPNs. SPNs are set on the account in AD. Keytabs, on the other hand, will have the UPN of the account as well as the encryption keys.

I highly recommend you read the following article: https://docs.microsoft.com/en-us/archive/blogs/pie/all-you-need-to-know-about-keytab-files


DaisyZhou-MSFT answered

Hello @geji-3740,

Thank you for posting here.

Hope the information provided by piaudonn above is helpful to you.

Q: Some people say to use command KTUTIL, but when to download it?

A: Based on my research, on a Windows machine, you can use ktpass.exe and on Ubuntu Linux, you can use ktutil.

So ktutil is a utility on Ubuntu and Linux machines.

Creating Kerberos Keytab Files Compatible with Active Directory
http://www.itadmintools.com/2011/07/creating-kerberos-keytab-files.html


Please note: Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.


Hope the information above is helpful to you.

Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou



geji-3740 answered piaudonn commented

Thanks for Daisy's post.
My key question was what command (and switch) to use to show the SPNs included in a keytab file.
I don't have / want to launch Linux / ktutil to show the SPNs inside a keytab file.

Daisy, please specify the Windows command syntax (KTPASS -??) to show SPNs.
I used KTPASS to create the keytab file.
Thx


I answered this already. You can use KTPASS to READ a keytab too.
And keytabs do not contain SPN. They contain UPN, key version, and the actual key. Please read my answer in this thread.

1 Vote 1 ·

Hello @piaudonn,

It is too strong a statement to say that "keytabs do not contain SPN". The de facto documentation of the keytab format (http://www.ioplex.com/utilities/keytab.txt) says:

Following the realm is the components array that represents the name of
the principal. The text of these components may be joined with slashes
to construct the typical SPN representation. For example, the service
principal HTTP/www.foo.net@FOO.NET would consist of name components
"HTTP" followed by "www.foo.net".

Following the components array is the 32 bit name_type (e.g. 1 is
KRB5_NT_PRINCIPAL, 2 is KRB5_NT_SRV_INST, 5 is KRB5_NT_UID, etc). In
practice the name_type is almost certainly 1 meaning KRB5_NT_PRINCIPAL.

Both SPNs and UPNs are examples of name type KRB5_NT_PRINCIPAL.

Gary

0 Votes 0 ·

But they do not (they contain a UPN). What would be the value of even having SPN in a keytab?
The confusing part is that much product documentation makes the UPN with an SPN format (with a service/...). But the SPN has to be known by the client and by the KDC. The app cares about decrypting tickets.

0 Votes 0 ·

Hello @geji-3740,

Thank you for your update.

I will test it in my lab. If there is any update I will reply here.

Thank you for your understanding and support.

Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou


0 Votes 0 ·
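The keytab layout quoted above (realm, a components array joined with slashes, a 32-bit name_type, then the key) is enough to answer the original question offline, without ktpass or ktutil. The following is an added example, not code from this thread or from Microsoft: a small Python parser for version 0x0502 keytabs that lists each entry the way ktpass /in does and checks whether a given principal name is present. The sample keytab it reads is constructed inside the script with dummy key bytes (the principal names mirror the ones used later in this thread); only the file layout is real. Note that the first constructed entry serialises to 70 bytes, the same "keysize 70" ktpass prints for host/spn1@piesec.ca with a 32-byte AES key, which is a useful sanity check that the layout is right. As piaudonn points out, a "yes" from this check only means the name string is in the file; whether AD has it registered as an SPN is an attribute of the account, not of the keytab.

```python
"""Parse an MIT-format (0x0502) keytab and list its principals.

Added example, not part of the original thread. Layout per the keytab format
quoted above: int32 entry size, uint16 component count, realm, components,
uint32 name_type, uint32 timestamp, uint8 kvno, uint16 enctype, uint16 key
length, key bytes, and an optional trailing uint32 kvno. Negative entry sizes
mark deleted slots. The sample keytab below is constructed here with dummy keys.
"""
import struct

NAME_TYPES = {0: "KRB5_NT_UNKNOWN", 1: "KRB5_NT_PRINCIPAL",
              2: "KRB5_NT_SRV_INST", 5: "KRB5_NT_UID"}
ETYPES = {17: "AES128-SHA1", 18: "AES256-SHA1", 23: "RC4-HMAC"}


def build_entry(principal, name_type, vno, etype, key, timestamp=0):
    """Serialise one entry; used only to construct the sample file below."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:                      # realm first, then components
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIBHH", name_type, timestamp, vno, etype, len(key)) + key
    return struct.pack(">i", len(body)) + body     # no trailing 32-bit kvno, like ktpass


def parse_keytab(data):
    """Return one dict per live entry (deleted slots, negative size, are skipped)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size < 0:                               # deleted slot: skip its payload
            pos += -size
            continue
        entry, p = data[pos:pos + size], 0
        (ncomp,) = struct.unpack(">H", entry[p:p + 2]); p += 2
        strings = []
        for _ in range(ncomp + 1):                 # realm + ncomp components
            (n,) = struct.unpack(">H", entry[p:p + 2]); p += 2
            strings.append(entry[p:p + n].decode()); p += n
        realm, comps = strings[0], strings[1:]
        name_type, _ts, vno, etype, klen = struct.unpack(">IIBHH", entry[p:p + 13])
        p += 13
        key = entry[p:p + klen]; p += klen
        if size - p >= 4:                          # optional 32-bit kvno wins over the 8-bit one
            (vno,) = struct.unpack(">I", entry[p:p + 4])
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "name_type": NAME_TYPES.get(name_type, str(name_type)),
                        "vno": vno, "etype": ETYPES.get(etype, hex(etype)),
                        "key": key.hex()})
        pos += size
    return entries


def principals(data):
    return [e["principal"] for e in parse_keytab(data)]


def has_principal(data, principal):
    """The thread's question: is this exact name in the file? (Case-sensitive, like
    the KDC. A hit says nothing about whether AD has it registered as an SPN.)"""
    return principal in principals(data)


def kvno_mismatches(data):
    """Distinct kvnos if the entries disagree: the symptom of a password reset
    between two /in + /out runs. Empty list when all entries agree."""
    vnos = {e["vno"] for e in parse_keytab(data)}
    return sorted(vnos) if len(vnos) > 1 else []


def shared_keys(data):
    """Groups of principals carrying identical key bytes (same password and salt)."""
    by_key = {}
    for e in parse_keytab(data):
        by_key.setdefault(e["key"], []).append(e["principal"])
    return [names for names in by_key.values() if len(names) > 1]


# Constructed sample: two AES256 entries sharing a key, plus an RC4 entry with a
# different kvno. The key bytes are dummies, not real Kerberos keys.
SAMPLE_KEYTAB = (b"\x05\x02"
                 + build_entry("host/spn1@piesec.ca", 0, 2, 18, b"\x11" * 32)
                 + build_entry("host/spn2@piesec.ca", 0, 2, 18, b"\x11" * 32)
                 + build_entry("host/host2.domain.local@domain.local", 0, 5, 23, b"\x22" * 16))

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):          # mimics the 'ktpass /in' listing
        print(f"{e['principal']} ptype {e['name_type']} vno {e['vno']} "
              f"etype {e['etype']} key {e['key']}")
    print("has host/spn1@piesec.ca:", has_principal(SAMPLE_KEYTAB, "host/spn1@piesec.ca"))
    print("kvno mismatch:", kvno_mismatches(SAMPLE_KEYTAB))
    print("shared keys:", shared_keys(SAMPLE_KEYTAB))
```

To run it against a real file, replace SAMPLE_KEYTAB with `open("machine.keytab", "rb").read()`. The two extra checks reflect the later comments in this thread: kvno_mismatches flags the vno 4 / vno 5 situation that ktpass produces when it resets the password on the second run, and shared_keys shows why two differently named entries end up with byte-identical keys when they were derived from the same password and salt.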
geji-3740 answered piaudonn commented

Thanks all, my question is solved.
I ran the commands as domain admin on domain.local
ktpass /princ host/host1.domain.local@domain.local /mapuser User1 /pass MyPass /out filename.keytab
ktpass /princ host/host2.domain.local@domain.local /mapuser User1 /pass MyPass /out filename.keytab /in filename.keytab

And now running
ktpass /in filename.keytab
lists 2 SPNs.

Maybe another question: we have a trusted domain2; can I add an SPN pointing to domain2 (a different realm)?
I still run the command as domain admin on domain.local, but I only have read access to domain2.local
ktpass /princ host/host3.domain2.local@domain2.local /mapuser User1 /pass MyPass /out filename.keytab /in filename.keytab
Does the resulting keytab make sense?


First off - brilliant! I didn't know that we could combine /in and /out to combine keytabs.

Then there are a few challenges with these commands.

It all comes down to what you need in the keytabs. KTPASS writes the UPN of the user in the keytab as a principal. That way the keytab can be used to obtain a TGT with KINIT. But as @GaryNebbett pointed out, if you have an application that needs to browse a keytab to find a secret based on the principal in an SPN format, then you might need that "SPN"-like principal in the keytabs. So homework for you. Check what your application needs. Is that to obtain a TGT or to decrypt service tickets (or both)? And if your app needs to decrypt tickets, does the app really need the SPN of the service in the keytab? It seems to be at the discretion of the implementation.

Running the two commands you ran would actually do more than what you did.

The first command is alright. Although you don't need to be a domain admin to run it... (cf the article I pointed out earlier).
The second command is putting keys in the keytab, but it also changes the UPN of the user. It might create issues. Also, it changes the password (even if you provide the same value). As a result the key version will not be the same in the keytab.

keysize 71 host/host1.domain.local@domain.local ptype 0 (KRB5_NT_UNKNOWN) vno 4 etype 0x17 (RC4-HMAC) keylength 16 (0x959e1a1bba5fffb7bbabd80b4d03a24e)
keysize 71 host/host2.domain.local@domain.local ptype 0 (KRB5_NT_UNKNOWN) vno 5 etype 0x17 (RC4-HMAC) keylength 16 (0x959e1a1bba5fffb7bbabd80b4d03a24e)

0 Votes 0 ·

Are you fine with that? If so that's odd that the app would need the SPN in the keytabs but not care about the key version...
Are you fine with having the UPN of the user in AD set with the latest version provided? (you don't have to, you tell ktpass not to change the mapped user UPN)
Also, it would be better to specify the crypto and use only AES256.

0 Votes 0 ·

Although if you do use AES256, since the principal here is supposed to be the UPN for the KTPASS command, it would generate a different hash (as AES256 uses a salt derived from the user's UPN - unless you override that too? But that is starting to be a very odd keytab then, with a fake UPN and an overridden salt...)

0 Votes 0 ·
piaudonn answered piaudonn edited

For the sake of KTPASS syntax... This is what could be done...

Let's say you have the following user:

 repadmin /showattr SECDC01.piesec.ca "CN=geji,CN=Users,DC=piesec,DC=ca" /atts:userPrincipalName,serviceprincipalname,sAMAccountName,msDS-KeyVersionNumber
 DN: CN=geji,CN=Users,DC=piesec,DC=ca
     1> sAMAccountName: geji
     1> userPrincipalName: geji-upn@piesec.ca
     2> servicePrincipalName: host/spn2@piesec.ca; host/spn1@piesec.ca
     1> msDS-KeyVersionNumber: 2

That would be an odd way for the SPN format, but eh, why not... You could create a keytab that has both of these SPNs listed as principals (although as discussed in this thread, you will not be able to use those keytabs to do a KINIT because the keytabs will in that case not contain the actual user account UPN). Oh and AES uses salt... So you'd have to overwrite the salt since it is derived from the UPN you provide in /princ... The salt is the domain FQDN followed by the first part of the user's UPN. Lots of tricks just for the sake of making it work...

 ktpass /out geji.keytab /princ host/spn1@piesec.ca -SetUPN /rawsalt piesec.cageji-upn /mapuser P\geji /crypto AES256-SHA1 /pass MyPass -SetPass
 Targeting domain controller: SECDC01.piesec.ca
 Successfully mapped host/spn1 to geji.
 WARNING: pType and account type do not match. This might cause problems.
 Key created.
 Output keytab to geji.keytab:
 Keytab version: 0x502
 keysize 70 host/spn1@piesec.ca ptype 0 (KRB5_NT_UNKNOWN) vno 2 etype 0x12 (AES256-SHA1) keylength 32 (0xf55444beb1501ff719c96e28c6cfc9776ab4dea73da8ad57148b7322a86759ed)

Then:

 ktpass /in geji.keytab /out geji.keytab /princ host/spn2@piesec.ca -SetUPN /rawsalt piesec.cageji-upn /mapuser P\geji /crypto AES256-SHA1 /pass MyPass -SetPass
 Existing keytab:
    
 Keytab version: 0x502
 keysize 70 host/spn1@piesec.ca ptype 0 (KRB5_NT_UNKNOWN) vno 2 etype 0x12 (AES256-SHA1) keylength 32 (0xf55444beb1501ff719c96e28c6cfc9776ab4dea73da8ad57148b7322a86759ed)
 Targeting domain controller: SECDC01.piesec.ca
 Successfully mapped host/spn2 to geji.
 WARNING: pType and account type do not match. This might cause problems.
 Key created.
 Output keytab to geji.keytab:
 Keytab version: 0x502
 keysize 70 host/spn1@piesec.ca ptype 0 (KRB5_NT_UNKNOWN) vno 2 etype 0x12 (AES256-SHA1) keylength 32 (0xf55444beb1501ff719c96e28c6cfc9776ab4dea73da8ad57148b7322a86759ed)
 keysize 70 host/spn2@piesec.ca ptype 0 (KRB5_NT_UNKNOWN) vno 2 etype 0x12 (AES256-SHA1) keylength 32 (0xf55444beb1501ff719c96e28c6cfc9776ab4dea73da8ad57148b7322a86759ed)

That command does not require any permission in AD other than being a regular user. You are not setting the UPN (thanks to -SetUPN) nor resetting the password (thanks to -SetPass). That way you also have the right kvno in the keytab.

Would that result in a working keytab? I don't know. Likely not.
- For TGT, nope, it will not work, as the real user's UPN will in that case not be written.
- But since it seems that the keytabs could be used at the discretion of the application, check with the dev of that one I suppose...

This is just a mental exercise, as this command (although correct from a syntax perspective) is not a real case.


