3

I am trying to authenticate a user for my service using kerberos. I attached SPN to a user using setspn -s HTTP/<hostname> <Username>.

Then I used ktpass command for the above SPN attached user. But the generated keytab file has multiple entries, seems like multiple keys are getting created.

What may be the problem here ?

Here is the output of the ktpass command:

Key created.

Key created.

Key created.

Key created.

Key created.

Output keytab to c:\tomcat.keytab:

Keytab version: 0x502

keysize 63 HTTP/punedvit2.sca.avaya.com@GSC.COM ptype 0 (KRB5_NT_UNKNOWN) vno 0 etype 0x1 (DES-CBC-CRC) keylength 8 (0xfda423cebf7c97ea)
keysize 63 HTTP/punedvit2.sca.avaya.com@GSC.COM ptype 0 (KRB5_NT_UNKNOWN) vno 0 etype 0x3 (DES-CBC-MD5) keylength 8 (0xfda423cebf7c97ea)
keysize 71 HTTP/punedvit2.sca.avaya.com@GSC.COM ptype 0 (KRB5_NT_UNKNOWN) vno 0 etype 0x17 (RC4-HMAC) keylength 16 (0x85a6dea042798a45a547f8450e1115fc)
keysize 87 HTTP/punedvit2.sca.avaya.com@GSC.COM ptype 0 (KRB5_NT_UNKNOWN) vno 0 etype 0x12 (AES256-SHA1) keylength 32 (0x391f59100fbe0ef1833c141ce3caffa69d3582022fb31643d1b4389f62e32c94)
keysize 71 HTTP/punedvit2.sca.avaya.com@GSC.COM ptype 0 (KRB5_NT_UNKNOWN) vno 0 etype 0x11 (AES128-SHA1) keylength 16 (0x4c37bdfdf11b98cd360c332976b5c7bc)
John R Smith
  • 848
  • 7
  • 18
user3106657
  • 95
  • 4
  • 11

1 Answers1

4

Keytab enables server to open Kerberos ticket. This ticket comes encrypted in one of many algorithms (encTypes). Server looks up in keytab for entry in this encType. We want to support all encTypes which can be used in domain. For each there's one entry in Keytab.

The keytab in question contains 5 entries for principal HTTP/punedvit2.sca.avaya.com@GSC.COM, ordered by strength/security: AES256, AES128, RC4 and two DES. Current standard in Active Directory is AES (256 or 128 bit long). RC4 is still popular. DES is easy to break and by default it's no longer enabled.

greenmarker
  • 1,599
  • 1
  • 21
  • 29