Solved

Using ktpass in Windows domain

Posted on 2015-01-27
1
583 Views
Last Modified: 2015-02-26
Hi experts!

I found a HowTo for SSO-Authentication with apache and ActiveDirectory.
In this HowTo they tell me to use following command:

ktpass -princ HTTP/otrsserver.domain1.net@DOMAIN1.NET -mapuser DOMAIN1\OTRSUSER -pass xxxxxxxxx -out c:\temp\otrsserver.keytab

Open in new window


Is it save to issue that command on my productional domain-controller?
Would this have any effect to my domain?

In a test lab I issued the command and got following output:

Targeting domain controller: dc1-test.test.local
Using legacy password setting method
Successfully mapped HTTP/dc-test.test.local to otrs.
WARNING: pType and account type do not match. This might cause problems.
Key created.
Output keytab to C:\otrsserver.keytab:
Keytab version: 0x502
keysize 77 HTTP/dc1-test.test.local@TEST.LOCAL ptype 0 (KRB5_NT_UNKNOWN
vno 4 etype 0x17 (RC4-HMAC) keylength 16 (0xfcc2sadasdasd8asd39050f2c587af)

Open in new window


Can anybody explain, what is happening there?

Thanks a lot!
0
Comment
Question by:Systemadministration
1 Comment
 
LVL 26

Accepted Solution

by:
Dan McFadden earned 500 total points
Comment Utility
The thing that jumps out is the WARNING line about ptype.

Have you tried adding the ptype option like so:  -ptype KRB5_NT_PRINCIPAL

Here is an article that talks about the difference of using computer accounts (like you're doing) verse using a user account:  http://blog.scottlowe.org/2006/08/21/more-on-kerberos-authentication-against-active-directory/

Here is a detailed article from the same guy, about Kerberos, apache and SSO:  http://blog.scottlowe.org/2006/08/10/kerberos-based-sso-with-apache/

Dan
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

As network administrators; we know how hard it is to track user’s login/logout using security event log (BTW it is harder now in windows 2008 because user name is always “N/A” in the grid), and most of us either get 3rd party tools, or just make our…
Mapping Drives using Group policy preferences Are you still using old scripts to map your network drives if so this article will show you how to get away for old scripts and move toward Group Policy Preference for mapping them. First things f…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

728 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now