keytab for windows based services

Hi All ,

I am a newbie for posting on windows forums/lists so pardon me for being at
wrong place.
This is not a question related to Windows device drivers or windows
kernel but more related to MS implementation of kerberos.
I tried asking by query on some other technet forums but looks like,
those are dormant ones.
I heard, there are many MS people also subscribed to this list.
So, Any redirections are deeply appreciated to some appropriate resources.

We have an issue with generating a valid keytab for windows based
services which can be used on unix based machines to decrypt AP-REQ.

Following is our setup :

  1. Windows XP cifs client
  2. Windows 2003 KDC and domain controller 64 bit
  3. Windows XP cifs server 64 bit.
  4. Linux FC7 machine with MIT kerberos 1.6.3

We have the admin privileges for all the machines mentioned above.

What we are trying to do ?

  1. We request a kerberized traffic from cifs client to cifs server
    which we want to route through linux box.

  2. We want to do some processing with the AP-REQ. Evidently for
    which we need to authenticate the client in AP_REQ on linux machine.

  3. Now to authenticate the client in AP-REQ on linux machine we
    propose to use GSSAPI calls using corresponding service keytab.

The problem :

  1. Our understanding is, all windows based services are registered
    under corresponding computer name with their corresponding SPN.

  2. This registration occurs whenever the machine joins the domain. So
    basically , whenever the server is up and running and is in domain
    all its services are registered with windows domain controller and
    are mapped to its computer name.

  3. The exchange of long term keys for service between service and KDC
    occurs at the same time.

  4. We understand the definition of ktpass is "To generate keytab for
    UNIX based services " but with no other option to generate a keytab,
    we run ktpass for this windows based service which creates a new
    long term service key for the service which is not communicated back
    to service.

When I use this keytab on linux machine through GSSAPI calls to

which is obvious since key used by KDC to encrypt the ticket for
service is different(Its the old key ) than what is in keytab.

Questions :

  1. Is there a way to bring KDC and service in sync in terms of the
    service key being used ? To be more precise , If I change the
    service key for a service at KDC Is there a way to communicate
    this back to service so that the service starts using this new key
    for all further requests ?

  2. We understand ktpass is a tool to generate a keytab for unix based
    services. Do we have any similar tool for windows based services ?

  3. Since windows based service SPN’s are registered under computer name
    at the time of logon It can be mapped to some other user as well without
    creating a duplicate SPN. Is it possible for a service to run under
    a user account and obtain a service key in windows ?

  4. We understand “man in the middle” is not possible with kerberos but
    when we own all components of traffic ( KDC , server , client , DC
    with admin privileges ) should’t I be allowed to extract a service key
    for the given SPN from KDC without disturbing the existing setup ?

Any help is deeply appreciated.

Thanks & Regards


If it’s not a question related to Windows system software development, it doesn’t belong on this list. That’s a pretty simple idea, don’t you think?

As a noob, the first precept to learn is that you absolutely MUST post to the right list… if you’re having trouble figuring out what that list is, then maybe you can’t post your question at all.

THIS TOPIC IS LOCKED. Please post no additional replies. Please do not continue this thread in another topic.

List Slave