On Wed, Jul 23, 2008 at 3:59 AM, Edward Irvine <[EMAIL PROTECTED]> wrote:
> Hi,
>
> I'd like to find out if there is any way to extract a HOST keytab for a Windows computer that is already a member of an Active Directory domain.
>
> A Java developer I look after wants to do the single sign-on thing to his web application. Our environment is a mixed Active Directory and Solaris environment.
>
> By creating a new user in Active Directory, and mapping the user to a service principal using ktpass.exe, we now have SPNEGO single sign-on working between the clients' Internet Explorer and the JBoss server on *Solaris*. So far so good.
>
> The developer, who uses a Windows workstation that is part of the Active Directory domain, now wants the SPNEGO authentication to work on his own Windows workstation - and for that to work I need to get the keytab for the host/[EMAIL PROTECTED]
>
> A quick LDAP lookup of his workstation in AD reveals that it already has a servicePrincipalName of HOST/pingname.of.host - so presumably I can extract the keytab somehow. But how?
>
> I don't personally have admin access to the AD domain, but I work with the folks who do.
Extracting the keys from AD is not possible [1]. However, the ktpass utility from MS can set the password, generate the corresponding key separately and put it into a keytab file. Note that you must have at least Account Operator privilege to set a password in AD.

Mike

[1] There is a freeware utility called ktexport that can extract the keys from a DC and dump them into a keytab, but it is only (sometimes) useful for debugging purposes with Wireshark. The resulting keytab is not valid for use with any kind of service.

--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
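A small keytab parser, added here as an example and not part of the thread above, to confirm what ktpass (or any other tool) actually wrote into the file: principal name, enctype and kvno. It assumes the MIT keytab file format, version 0x0502 with big-endian fields, and the sample entry it parses is constructed inline with a dummy key, not a key taken from any real system.

```python
import struct

# Enctype numbers from the IANA Kerberos registry (RFC 3961, RFC 3962, RFC 4757).
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

def _counted(data, pos):
    """Read a keytab counted_octet_string: uint16 length followed by the bytes."""
    (n,) = struct.unpack(">H", data[pos:pos + 2])
    return data[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(data):
    """Parse an MIT-format keytab (version 0x0502, big-endian) into a list of entries."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size < 0:                      # negative size marks a deleted slot
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", data[pos:pos + 2])
        realm, pos = _counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, pos = _counted(data, pos)
            comps.append(c.decode())
        name_type, timestamp, vno8 = struct.unpack(">IIB", data[pos:pos + 9])
        enctype, klen = struct.unpack(">HH", data[pos + 9:pos + 13])
        key, pos = data[pos + 13:pos + 13 + klen], pos + 13 + klen
        vno = vno8
        if end - pos >= 4:                # optional 32-bit kvno, used when non-zero
            (vno32,) = struct.unpack(">I", data[pos:pos + 4])
            vno = vno32 or vno8
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "name_type": name_type, "kvno": vno,
                        "enctype": ENCTYPES.get(enctype, str(enctype)),
                        "key_len": len(key)})
    return entries

def build_keytab(principal, realm, enctype, kvno, key, timestamp=0, name_type=1):
    """Build a single-entry keytab; used here only to construct sample input."""
    comps = principal.split("/")
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)
    return b"\x05\x02" + struct.pack(">i", len(body)) + body

# Constructed sample: a host principal with a dummy 16-byte AES-128 key (not a real key).
SAMPLE = build_keytab("host/pingname.of.host", "EXAMPLE.COM", 17, 3, bytes(range(16)))
```

Comparing the parsed kvno with the account's msDS-KeyVersionNumber attribute in AD catches a keytab that was generated before a later password reset.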