"It could then impersonate any user to the machine" Can you explain that. I want to make sure I understand all potential kerb threats, this is a new one to me.
-----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas E. Engert Sent: Wednesday, July 23, 2008 7:19 AM To: Edward Irvine Cc: kerberos@mit.edu Subject: Re: Creating an MIT style keytab for an existing Windows AD membercomputer Edward Irvine wrote: > Hi, > > I'd like to find out if there is any way to extract a HOST keytab for > a windows computer that is already a member of an active directory > domain. Do you have to be use the Windows "host" principal? Can your application use a different principal, like HTTP or LDAP or make up your own. Then your application server has its own keyfile, and does not need access to the one use by Windows for login. There are security issues with letting an application access this key. It could then impersonate any user to the machine. > > A Java developer I look after wants to do the single sign on thing to > his web application. Our environment is a mixed Active Directory and > Solaris environment. > > By creating a new user in active directory, and mapping the user to a > service principle using ktpass.exe, we now have SPNEGO single sign on > working between the clients Internet Explorer and the JBoss server on > *Solaris*. So far so good. A common misunderstanding when reading the Microsoft docs Kerberos and service principals has to do with the term "user". The "user" account referred to with ktpass, is an ldap term for the objectclass user. Kerberos service principals need a "user" account in AD. This user account has nothing to do with real users who will authenticate to the service. > > The developer, who uses a Windows workstation that is part the Active > Directory domain, now wants the SPNEGO authentication to work in his > own windows workstation - and for that to work I need to get the > keytab for the host/[EMAIL PROTECTED] > > A quick LDAP lookup of his workstation in AD reveals that it already > has a servicePrincipalName of HOST/pingname.of.host - so presumably I > can extract the keytab somehow. But how? > Not really. They also change the keys every so often, so you don't want to copy it. If your Java application needs to act as a server, and really use the "host" service principal, can you use some Java to SSPI-service class? (Don't know if one exists.) (GSSAPI and SSPI use the same protocols.) > I don't personally have admin access to the AD domain, but I work with > the folks who do. > > Eddie > > ________________________________________________ > Kerberos mailing list Kerberos@mit.edu > https://mailman.mit.edu/mailman/listinfo/kerberos > > -- Douglas E. Engert <[EMAIL PROTECTED]> Argonne National Laboratory 9700 South Cass Avenue Argonne, Illinois 60439 (630) 252-5444 ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos