Applies to: Windows Server (Semi-Annual Channel), Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

Configures the server principal name for the host or service in Active Directory Domain Services (AD DS) and generates a .keytab file that contains the shared secret key of the service. The .keytab file is based on the Massachusetts Institute of Technology (MIT) implementation of the Kerberos authentication protocol. The ktpass command-line tool allows non-Windows services that support Kerberos authentication to use the interoperability features provided by the Kerberos Key Distribution Center (KDC) service.


Syntax

    ktpass
    [/out <filename>]
    [/princ <principalname>]
    [/mapuser <useraccount>]
    [/mapop {add|set}] [{-|+}desonly] [/in <filename>]
    [/pass {password|*|{-|+}rndpass}]
    [/minpass]
    [/maxpass]
    [/crypto {DES-CBC-CRC|DES-CBC-MD5|RC4-HMAC-NT|AES256-SHA1|AES128-SHA1|All}]
    [/itercount]
    [/ptype {KRB5_NT_PRINCIPAL|KRB5_NT_SRV_INST|KRB5_NT_SRV_HST}]
    [/kvno <keyversionnum>]
    [/answer {-|+}]
    [/target]
    [/rawsalt] [{-|+}dumpsalt] [{-|+}setupn] [{-|+}setpass <password>]  [/?|/h|/help]


Parameters

/out <filename>
    Specifies the name of the Kerberos version 5 .keytab file to generate. Note: This is the .keytab file you transfer to a computer that isn't running the Windows operating system, and then replace or merge with your existing .keytab file, /etc/krb5.keytab.

/princ <principalname>
    Specifies the principal name in the form host/computer.contoso.com@CONTOSO.COM. Warning: This parameter is case-sensitive.

/mapuser <useraccount>
    Maps the name of the Kerberos principal, which is specified by the princ parameter, to the specified domain account.

/mapop {add|set}
    Specifies how the mapping attribute is set.
  • add - Adds the value of the specified local user name. This is the default.
  • set - Sets the value for Data Encryption Standard (DES)-only encryption for the specified local user name.

{-|+}desonly
    DES-only encryption is set by default.
  • + Sets an account for DES-only encryption.
  • - Releases the restriction on an account for DES-only encryption. Important: Windows doesn't support DES by default.

/in <filename>
    Specifies the .keytab file to read from a host computer that is not running the Windows operating system.

/pass {password|*|{-|+}rndpass}
    Specifies a password for the principal user name that is specified by the princ parameter. Use * to prompt for a password.

/minpass
    Sets the minimum length of the random password to 15 characters.

/maxpass
    Sets the maximum length of the random password to 256 characters.

/crypto {DES-CBC-CRC|DES-CBC-MD5|RC4-HMAC-NT|AES256-SHA1|AES128-SHA1|All}
    Specifies the keys that are generated in the keytab file:
  • DES-CBC-CRC - Used for compatibility.
  • DES-CBC-MD5 - Adheres more closely to the MIT implementation and is used for compatibility.
  • RC4-HMAC-NT - Employs 128-bit encryption.
  • AES256-SHA1 - Employs AES256-CTS-HMAC-SHA1-96 encryption.
  • AES128-SHA1 - Employs AES128-CTS-HMAC-SHA1-96 encryption.
  • All - States that all supported cryptographic types can be used.

    Note: Because the default settings are based on older MIT versions, you should always use the /crypto parameter.

/itercount
    Specifies the iteration count that is used for AES encryption. The default ignores itercount for non-AES encryption and sets AES encryption to 4,096.

/ptype {KRB5_NT_PRINCIPAL|KRB5_NT_SRV_INST|KRB5_NT_SRV_HST}
    Specifies the principal type.
  • KRB5_NT_PRINCIPAL - The general principal type (recommended).
  • KRB5_NT_SRV_INST - The user service instance.
  • KRB5_NT_SRV_HST - The host service instance.

/kvno <keyversionnum>
    Specifies the key version number. The default value is 1.

/answer {-|+}
    Sets the background answer mode:
  • - Answers reset password prompts automatically with NO.
  • + Answers reset password prompts automatically with YES.

/target
    Sets which domain controller to use. The default is for the domain controller to be detected, based on the principal name. If the domain controller name doesn't resolve, a dialog box will prompt for a valid domain controller.

/rawsalt
    Forces ktpass to use the rawsalt algorithm when generating the key. This parameter is optional.

{-|+}dumpsalt
    The output of this parameter shows the MIT salt algorithm that is being used to generate the key.

{-|+}setupn
    Sets the user principal name (UPN) in addition to the service principal name (SPN). The default is to set both in the .keytab file.

{-|+}setpass <password>
    Sets the user's password when supplied. If rndpass is used, a random password is generated instead.

/?
    Displays Help for this command.


Remarks

  • Services running on systems that aren't running the Windows operating system can be configured with service instance accounts in AD DS. This allows any Kerberos client to authenticate to services that are not running the Windows operating system by using Windows KDCs.

  • The /princ parameter isn't evaluated by ktpass and is used as provided. There's no check to see whether the parameter matches the exact case of the userPrincipalName attribute value when generating the .keytab file. Case-sensitive Kerberos distributions using this .keytab file might have problems if there's no exact case match, and could even fail during pre-authentication. To check and retrieve the correct userPrincipalName attribute value, export it with ldifde. For example:

    ldifde /f keytab_user.ldf /d CN=Keytab User,OU=UserAccounts,DC=contoso,DC=corp,DC=microsoft,DC=com /p base /l samaccountname,userprincipalname


Examples

To create a Kerberos .keytab file for a host computer that isn't running the Windows operating system, you must map the principal to the account and set the host principal password.

  1. Use the Active Directory Users and Computers snap-in to create a user account for a service on a computer that is not running the Windows operating system. For example, create an account with the name User1.

  2. Use the ktpass command to set up an identity mapping for the user account by typing:

    ktpass /princ host/User1.contoso.com@CONTOSO.COM /mapuser User1 /pass MyPas$w0rd /out machine.keytab /crypto all /ptype KRB5_NT_PRINCIPAL /mapop set

    You cannot map multiple service instances to the same user account.

  3. Merge the .keytab file with the /etc/krb5.keytab file on a host computer that isn't running the Windows operating system.
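The three steps above scripted end to end, as an added example that is not part of this page: it creates the account, generates an AES-only keytab with a random account password instead of one typed on the command line, and then applies the /princ case check from the remarks before the file is handed over. It assumes the ActiveDirectory PowerShell module; the account, host, realm and OU names are constructed.

```powershell
# Added example (not from the page). Assumes the ActiveDirectory module is installed
# and the session runs as an account allowed to create users in the target OU.
Import-Module ActiveDirectory

$sam    = 'svc-web1'                                  # constructed sAMAccountName
$realm  = 'CONTOSO.COM'
$princ  = "host/web1.contoso.com@$realm"              # constructed principal; case matters
$ou     = 'OU=ServiceAccounts,DC=contoso,DC=com'      # constructed container
$keytab = "$env:TEMP\web1.keytab"

# Step 1: account for the non-Windows service. The temporary password is replaced
# by ktpass (/pass +rndpass), so nobody ever needs to know the final value.
# ktpass itself writes the UPN from /princ (+setupn is the default).
$tmpPwd = ConvertTo-SecureString -AsPlainText -Force ([guid]::NewGuid().ToString())
New-ADUser -Name $sam -SamAccountName $sam -Path $ou `
    -AccountPassword $tmpPwd -Enabled $true -PasswordNeverExpires $true `
    -KerberosEncryptionType AES256

# Step 2: map the principal and write the keytab. /crypto is given explicitly
# (AES256 only; no DES or RC4 keys end up in the file) because the default follows
# older MIT behaviour; /answer + accepts the password-reset prompt non-interactively.
& ktpass /princ $princ /mapuser $sam /mapop set /pass +rndpass /answer + `
    /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL /out $keytab
if ($LASTEXITCODE -ne 0) { throw "ktpass failed with exit code $LASTEXITCODE" }

# Remarks check: ktpass does not validate /princ, so compare it case-sensitively
# (-cne) with the stored UPN; a mismatch breaks pre-authentication on MIT clients.
$upn = (Get-ADUser -Identity $sam -Properties userPrincipalName).userPrincipalName
if ($upn -cne $princ) {
    throw "Case mismatch: /princ '$princ' vs userPrincipalName '$upn'; regenerate the keytab"
}

# Step 3 happens on the service host: copy $keytab over a protected channel and
# merge it into /etc/krb5.keytab there, then delete the local copy.
Write-Host "Keytab written to $keytab for principal $princ"
```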

Additional References