Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- 1. setspn -D HTTP/tomcatserver.global.lpl.top tomcatuser
- Updated object
- 2. setspn -l tomcatuser
- list empty
- 3. ktpass /out c:\tomcat2.keytab /mapuser tomcatuser@GLOBAL.LPL.TOP /mapOp set /princ HTTP/tomcatserver.global.lpl.top@GLOBAL.LPL.TOP /pass tomcatuserpassword /ptype KRB5_NT_PRINCIPAL /crypto AES256-SHA1
- Targeting domain controller: cdc.global.lpl.top
- Successfully mapped HTTP/tomcatserver.global.lpl.top to tomcatuser.
- Password successfully set!
- Key created.
- Output keytab to : c:\tomcat2.keytab:
- Keytab version: 0x502
- keysize 96 HTTP/tomcatserver.global.lpl.top@GLOBAL.LPL.TOP ptype 1 (KRB5_NT_PRINCIPAL) vno 6 etype 0x12 (AES256-SHA1) keylength 32 (0x0a976...bd7)
- 4. setspn -l tomcatuser
- Registered ServicePrincipalNames for CN=tomcatuser,OU=Services,OU=Accounts,OU=...,OU=Delegated,DC=global,DC=lpl,DC=top: HTTP/tomcatserver.global.lpl.top
- 5. jdk1.7.0_79\bin> klist -k -t C:\tomcat2.keytab
- Key tab: C:\tomcat2.keytab, 1 entry found.
- [1] Service principal: HTTP/tomcatserver.global.lpl.top@GLOBAL.LPL.TOP
- KVNO: 6
- Time stamp: Jan 01, 1970 03:00
- 6. tomcatuser AD account properties shows User Logon Name "HTTP/tomcatserver.global.lpl.top" followed by "@global.lpl.top" value in dropdown list.
- 128 and 256 ecnryption are checked.
- 7. jdk1.7.0_79\bin>kinit tomcatuser tomcatuserpassword
- empty reply
- 8. jdk1.7.0_79\bin>kinit HTTP/tomcatserver.global.lpl.top@GLOBAL.LPL.TOP -k -t C:\tomcat2.keytab
- Exception: krb_error 0 Do not have keys of types listed in default_tkt_enctypes
- available; only have keys of following type: No error
- KrbException: Do not have keys of types listed in default_tkt_enctypes available
- ; only have keys of following type:
- at sun.security.krb5.internal.crypto.EType.getDefaults(EType.java:273)
- at sun.security.krb5.KrbAsReqBuilder.build(KrbAsReqBuilder.java:264)
- at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:318)
- at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:364)
- at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:221)
- at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:113)
- 9. Noticed that kinit doesn't really seem to care about my C:\Windows\krb5.ini (I even tried deleting it) nor actual command values:
- jdk1.7.0_79\bin>kinit nosuchuser -k -t c:\nosuchfile.keytab
- Exception: krb_error 0 Do not have keys of types listed in default_tkt_enctypes
- available; ...
- 10. jdk1.7.0_79\bin>ktab -l -e -t -k C:\tomcat2.keytab
- Keytab name: C:\tomcat2.keytab
- KVNO Timestamp Principal
- ---- ------------- -------------------------------------------------------------
- -----------------------
- 6 01.01.70 3:00 HTTP/tomcatserver.global.lpl.top@GLOBAL.LPL.TOP (18:AES256 CTS
- mode with HMAC SHA1-96)
- Addendum
- C:\Windows\krb5.ini:
- [libdefaults]
- default_realm = GLOBAL.LPL.TOP
- default_keytab_name = FILE:C:\tomcat2.keytab
- default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
- default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
- forwardable=true
- [realms]
- GLOBAL.LPL.TOP = {
- kdc = cdc.global.lpl.top:88
- }
- [domain_realm]
- global.lpl.top=GLOBAL.LPL.TOP
- .global.lpl.top=GLOBAL.LPL.TOP
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
