March 13, 2024

Creating a Keytab File for Kerberos Authentication in Active Directory

Many Linux services (Apache, Nginx, etc.) can use keytab files for Kerberos authentication in Active Directory without entering a password. A keytab file stores the names of Kerberos principals and the corresponding keys (derived from the Kerberos passwords). In this article we will show how to create a keytab file for the SPN of a linked Active Directory account using the ktpass tool.

Most often, a separate Active Directory user account is created for a service that needs a keytab file. However, you can also use a computer object for this. The service name is then bound to the account (ServicePrincipalName, SPN). Kerberos authentication uses the SPN to map a service instance to an AD account (this is why applications can authenticate to services without knowing a user name).

First, create a service account in AD and set a known password for it. You can create the account from the graphical ADUC console (dsa.msc) or with the New-ADUser cmdlet from the PowerShell Active Directory module:

New-ADUser -Name "web" -GivenName "nginx web app" -SamAccountName "web" -UserPrincipalName "[email protected]" -Path "OU=Services,OU=Munich,OU=DE,DC=test,DC=com" -AccountPassword (ConvertTo-SecureString 'Sup6r!Pa$s' -AsPlainText -Force) -Enabled $true

Enable the "User cannot change password" and "Password never expires" options for the service account in the graphical console or in PowerShell:

Get-ADUser web | Set-ADUser -PasswordNeverExpires:$true -CannotChangePassword:$true

[Screenshot: creating a service user account in AD for Kerberos authentication using a keytab]

In the next step, bind a service principal name (SPN) to the user account. You don't need to perform this step separately, since ktpass does it automatically when creating a keytab file (we do it here to make the process clearer).

Bind the following SPN record to the web account:

setspn -A HTTP/[email protected] web

Display the list of SPN records associated with the AD user:

setspn -L web

[Screenshot: adding an SPN for an AD user account using setspn.exe]

To create a keytab file, use the following command:

ktpass -princ HTTP/[email protected] -mapuser web -crypto ALL -ptype KRB5_NT_PRINCIPAL -pass Sup6r!Pa$s -target mundc01.test.com -out c:\share\web.keytab

[Screenshot: ktpass generating a keytab file on Windows]

Successfully mapped HTTP/www.test.com to web.
Password successfully set!
Key created.
Output keytab to c:\share\webt.keytab:
Keytab version: 0x502
keysize 53 HTTP/[email protected] ptype 1 (KRB5_NT_PRINCIPAL) vno 4 etype 0x1 (DES-CBC-CRC) keylength 8 (0x73f868856e046449)

The command has created a keytab file (c:\share\webt.keytab) for the SPN record of the HTTP/[email protected] service. The SPN record is bound to the web account with the specified password.

Make sure that the SPN record for the service has been successfully created (if you did not create it manually):

setspn -Q */[email protected]

You can see that the SPN record has been found (Existing SPN found!) and that it is bound to the web account.

[Screenshot: setspn -Q reports "Existing SPN found"]

Windows does not have built-in tools to view the contents of a keytab file. However, if a Java JRE is installed on your computer, you can use the klist.exe utility included in the Java distribution:

cd "c:\Program Files\Java\jre1.8.0_181\bin"
klist.exe -K -e -t -k c:\PS\web_host.keytab

Key tab: c:\PS\web_host.keytab, 5 entries found.

[Screenshot: klist.exe viewing the keys and SPNs in the keytab file]

Let's look at the contents of the keytab file. The SPNs, keys, timestamps, encryption algorithm and key version number (KVNO) are listed for each entry.

When creating a keytab file, ktpass increments the msDS-KeyVersionNumber attribute of the user account (you can see it in the AD Attribute Editor) and uses the new value as the KVNO in the keytab entries.

[Screenshot: the msDS-KeyVersionNumber attribute of the Active Directory user]

If you change the account password, the attribute value is increased by one, and all keytab entries with the previous KVNO become invalid (even if the new password is identical to the old one). So whenever the user's password in AD changes, you have to generate the keytab file again.
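Since Windows has no native keytab viewer and the KVNO comparison above is a manual step, the following Python script (added here, not part of the article) parses the v2 (0x0502) keytab format that ktpass writes and flags entries whose KVNO no longer matches msDS-KeyVersionNumber, as well as entries with DES or RC4 keys (which -crypto ALL emits, as the DES-CBC-CRC line in the ktpass output shows). It assumes the realm is TEST.COM and builds a constructed sample keytab with placeholder key bytes.

```python
import struct
from datetime import datetime, timezone

# Kerberos enctype numbers (RFC 3961/3962/4757); DES and RC4 count as weak.
ETYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
          18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
WEAK_ETYPES = {1, 2, 3, 23}
def _cstr(b):  # keytab "counted octet string": uint16 length + bytes
    return struct.pack(">H", len(b)) + b

def build_entry(principal, kvno, etype, key, timestamp):
    """Encode one MIT keytab v2 (0x0502) entry for name@REALM, name_type KRB5_NT_PRINCIPAL."""
    name, realm = principal.rsplit("@", 1)
    comps = [c.encode() for c in name.split("/")]
    body = struct.pack(">H", len(comps)) + _cstr(realm.encode()) + b"".join(map(_cstr, comps))
    body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)          # name_type, timestamp, 8-bit vno
    body += struct.pack(">HH", etype, len(key)) + key + struct.pack(">I", kvno)  # key, 32-bit vno
    return struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Parse a v2 keytab image into entry dicts; a negative slot size marks a deleted entry."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a v2 (0x0502) keytab")
    entries, pos = [], 2
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos); pos += 4
        if size < 0:
            pos -= size; continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos); pos += 2
        parts = []
        for _ in range(ncomp + 1):                                  # realm first, then name parts
            (ln,) = struct.unpack_from(">H", data, pos); pos += 2
            parts.append(data[pos:pos + ln].decode()); pos += ln
        _, ts, vno8 = struct.unpack_from(">IIB", data, pos); pos += 9
        etype, klen = struct.unpack_from(">HH", data, pos); pos += 4 + klen
        v32 = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else 0  # optional 32-bit vno
        pos = end
        entries.append({"principal": "/".join(parts[1:]) + "@" + parts[0], "kvno": v32 or vno8,
                        "etype": ETYPES.get(etype, str(etype)), "weak": etype in WEAK_ETYPES,
                        "timestamp": datetime.fromtimestamp(ts, timezone.utc), "keylen": klen})
    return entries

def audit(entries, current_kvno):
    """Entries the KDC will reject (KVNO != msDS-KeyVersionNumber) or that carry weak keys."""
    return [e for e in entries if e["kvno"] != current_kvno or e["weak"]]

# Constructed sample keytab: the article's SPN with a DES key and an AES256 key (placeholder bytes).
SAMPLE = (b"\x05\x02" + build_entry("HTTP/www.test.com@TEST.COM", 4, 1, bytes(8), 1710288000)
          + build_entry("HTTP/www.test.com@TEST.COM", 4, 18, bytes(32), 1710288000))
```

Run audit() with the value of msDS-KeyVersionNumber read from the account; an empty result means every key is current and uses AES.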

A keytab file may contain keys for several SPNs. Additional SPNs and keys are added to the keytab file using the ktpass parameters (-in, -setupn, -setpass).

How you use the resulting keytab file depends on the service it is intended for. For example, you can use a keytab file for transparent SSO user authentication in Zabbix. Also, don't forget to keep your keytab files secure (anyone who can read the contents of a keytab file can use any of the keys in it).
