• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1676
  • Last Modified:

Using ktpass in Windows domain

Hi experts!

I found a HowTo for SSO-Authentication with apache and ActiveDirectory.
In this HowTo they tell me to use following command:

ktpass -princ HTTP/otrsserver.domain1.net@DOMAIN1.NET -mapuser DOMAIN1\OTRSUSER -pass xxxxxxxxx -out c:\temp\otrsserver.keytab

Open in new window


Is it save to issue that command on my productional domain-controller?
Would this have any effect to my domain?

In a test lab I issued the command and got following output:

Targeting domain controller: dc1-test.test.local
Using legacy password setting method
Successfully mapped HTTP/dc-test.test.local to otrs.
WARNING: pType and account type do not match. This might cause problems.
Key created.
Output keytab to C:\otrsserver.keytab:
Keytab version: 0x502
keysize 77 HTTP/dc1-test.test.local@TEST.LOCAL ptype 0 (KRB5_NT_UNKNOWN
vno 4 etype 0x17 (RC4-HMAC) keylength 16 (0xfcc2sadasdasd8asd39050f2c587af)

Open in new window


Can anybody explain, what is happening there?

Thanks a lot!
0
Systemadministration
Asked:
Systemadministration
1 Solution
 
Dan McFaddenSystems EngineerCommented:
The thing that jumps out is the WARNING line about ptype.

Have you tried adding the ptype option like so:  -ptype KRB5_NT_PRINCIPAL

Here is an article that talks about the difference of using computer accounts (like you're doing) verse using a user account:  http://blog.scottlowe.org/2006/08/21/more-on-kerberos-authentication-against-active-directory/

Here is a detailed article from the same guy, about Kerberos, apache and SSO:  http://blog.scottlowe.org/2006/08/10/kerberos-based-sso-with-apache/

Dan
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now