
Ktpass

Updated: January 2007

Applies to: Windows Server 2008, Windows Server 2008 R2

Configures the server principal name for the host or service in Active Directory Domain Services (AD DS) and generates a .keytab file containing the shared secret key of the service. The .keytab file is based on the Massachusetts Institute of Technology (MIT) implementation of the Kerberos authentication protocol. The Ktpass command-line tool allows non-Windows services that support Kerberos authentication to use the interoperability features provided by the Kerberos Key Distribution Center (KDC) service in Windows Server 2008 R2.

For examples of how this command can be used, see Examples.

Syntax

ktpass
[/out <FileName>] 
[/princ <PrincipalName>] 
[/mapuser <UserAccount>] 
[/mapop {add|set}] [{-|+}desonly] [/in <FileName>]
[/pass {Password|*|{-|+}rndpass}]
[/minpass]
[/maxpass]
[/crypto {DES-CBC-CRC|DES-CBC-MD5|RC4-HMAC-NT|AES256-SHA1|AES128-SHA1|All}]
[/itercount]
[/ptype {KRB5_NT_PRINCIPAL|KRB5_NT_SRV_INST|KRB5_NT_SRV_HST}]
[/kvno <KeyVersionNum>]
[/answer {-|+}]
[/target]
[/rawsalt] [{-|+}dumpsalt] [{-|+}setupn] [{-|+}setpass <Password>]  [/?|/h|/help]

Parameters


/out <FileName>

Specifies the name of the Kerberos version 5 .keytab file to generate.

Note
This is the .keytab file that you transfer to the non-Windows computer and replace or merge with your existing .keytab file, /Etc/Krb5.keytab.

/princ <PrincipalName>

Specifies the principal name in the form host/computer.contoso.com@CONTOSO.COM.

/mapuser <UserAccount>

Maps the name of the Kerberos principal specified by the princ parameter to the specified domain account.

/mapop {add|set}

Specifies how the mapping attribute is set.

  • Add adds the value of the specified local user name. This is the default.

  • Set sets the value for Data Encryption Standard (DES)-only encryption for the specified local user name.

{-|+}desonly

DES-only encryption is set by default.

  • + Sets an account for DES-only encryption.

  • - Releases restriction on an account for DES-only encryption.

Important
Windows 7 and Windows Server 2008 R2 do not support DES by default.

/in <FileName>

Specifies the .keytab file from the non-Windows host to read.

/pass {Password|*|{-|+}rndpass}

Specifies a password for the principal user name specified in the princ parameter. Use "*" to prompt for a password.

/minpass

Sets the minimum length of the random password to 15 characters.

/maxpass

Sets the maximum length of the random password to 256 characters.

/crypto {DES-CBC-CRC|DES-CBC-MD5|RC4-HMAC-NT|AES256-SHA1|AES128-SHA1|All}

Specifies the keys generated in the keytab file:

  • DES-CBC-CRC is used for compatibility.

  • DES-CBC-MD5 adheres more closely to the MIT implementation and is used for compatibility.

  • RC4-HMAC-NT employs 128-bit encryption.

  • AES256-SHA1 employs AES256-CTS-HMAC-SHA1-96 encryption.

  • AES128-SHA1 employs AES128-CTS-HMAC-SHA1-96 encryption.

  • All states that all supported cryptographic types can be used.

Note
The default settings are based on older MIT versions, therefore, /crypto should always be specified.

/itercount

Specifies the iteration count that is used for AES encryption. By default, itercount is ignored for non-AES encryption and set to 4,096 for AES encryption.

/ptype {KRB5_NT_PRINCIPAL|KRB5_NT_SRV_INST|KRB5_NT_SRV_HST}

Specifies the principal type.

  • KRB5_NT_PRINCIPAL is the general principal type (recommended).

  • KRB5_NT_SRV_INST is the user service instance.

  • KRB5_NT_SRV_HST is the host service instance.

/kvno <KeyVersionNum>

Specifies the Key version number. The default value is 1.

/answer {-|+}

Sets the background answer mode:

  • - Answers reset password prompts automatically with NO.

  • + Answers reset password prompts automatically with YES.

/target

Sets which domain controller to use. The default is for the domain controller to be detected based on the principal name. If the domain controller name does not resolve, a dialog box will prompt for a valid domain controller.

/rawsalt

Forces Ktpass to use the rawsalt algorithm when generating the key. This parameter is not needed.

{-|+}dumpsalt

Shows in the output the MIT salt algorithm being used to generate the key.

{-|+}setupn

Sets the user principal name (UPN) in addition to the service principal name (SPN). The default is to set both in the .keytab file.

{-|+}setpass <Password>

Sets the user's password when supplied. If rndpass is used, a random password is generated instead.

/?|/h|/help

Displays command-line help for Ktpass.

Remarks

Services running on non-Windows systems can be configured with service instance accounts in Active Directory Domain Services. This allows any Kerberos client to authenticate to those non-Windows services using Windows KDCs.

Examples

The following example illustrates how to create a Kerberos .keytab file, machine.keytab, in the current directory for the user Sample1. (You will merge this file with the Krb5.keytab file on the non-Windows host.) The Kerberos .keytab file will be created for all supported encryption types for the general principal type.

To generate a non-Windows host .keytab file, use the following steps to map the principal to the account and set the host principal password:

  1. Use the Active Directory User and Computers snap-in to create a user account for the non-Windows service. For example, create an account with the name Sample1.

  2. Use Ktpass to set up an identity mapping for the user account by typing the following at a command line:

    ktpass /princ host/Sample1.contoso.com@CONTOSO.COM /mapuser Sample1 /pass MyPas$w0rd /out Sample1.keytab /crypto all /ptype KRB5_NT_PRINCIPAL /mapop set 

    Note
    You cannot map multiple service instances to the same user account.

  3. Merge the .keytab file with the /Etc/Krb5.keytab file on the non-Windows host.
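The file that /out writes is in the MIT version 2 keytab format, so the result of the command above can be inspected before it is merged into /Etc/Krb5.keytab. The following Python is an added example, not part of this reference or of Ktpass: it parses such a file and flags DES keys, a kvno mismatch or a missing AES key. The sample bytes are constructed inline with filler key material, and the parser assumes the file has no deleted (negative-size) entries.

```python
import struct

# Kerberos enctype numbers behind the /crypto values (RFC 3961, RFC 3962, RFC 4757)
ENCTYPES = {1: "DES-CBC-CRC", 3: "DES-CBC-MD5", 17: "AES128-SHA1", 18: "AES256-SHA1", 23: "RC4-HMAC-NT"}

def build_entry(principal, enctype, key, kvno):
    """Encode one MIT v2 keytab entry; used here only to construct sample data."""
    name, realm = principal.split("@")
    parts = [realm] + name.split("/")          # realm is stored first, then the name components
    body = struct.pack(">H", len(parts) - 1) + b"".join(struct.pack(">H", len(p)) + p.encode() for p in parts)
    body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, enctype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Decode an MIT v2 keytab (the format ktpass /out writes) into entry dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 keytab")
    pos, entries = 2, []
    while pos + 6 <= len(data):
        size, ncomp = struct.unpack_from(">iH", data, pos)   # entry length, then component count
        end, pos, parts = pos + 4 + size, pos + 6, []
        for _ in range(ncomp + 1):                           # realm first, then the name components
            n = struct.unpack_from(">H", data, pos)[0]
            parts.append(data[pos + 2:pos + 2 + n].decode())
            pos += 2 + n
        _ptype, _ts, vno8, enctype, klen = struct.unpack_from(">IIBHH", data, pos)
        pos += 13 + klen                                     # skip the key bytes themselves
        vno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8  # optional 32-bit kvno
        entries.append({"principal": "/".join(parts[1:]) + "@" + parts[0], "kvno": vno,
                        "enctype": ENCTYPES.get(enctype, str(enctype)), "des": enctype in (1, 3)})
        pos = end
    return entries

def audit_keytab(data, principal, kvno):
    """Checks worth running before merging the file into the host's krb5.keytab."""
    entries, problems = parse_keytab(data), []
    for e in entries:
        if e["principal"] != principal:
            problems.append("unexpected principal " + e["principal"])
        if e["kvno"] != kvno:
            problems.append("%s has kvno %d, expected %d" % (e["enctype"], e["kvno"], kvno))
        if e["des"]:
            problems.append(e["enctype"] + " key present; DES is off by default on 2008 R2")
    if not any(e["enctype"].startswith("AES") for e in entries):
        problems.append("no AES key (was /crypto specified?)")
    return problems

# Constructed sample: the key set /crypto all would emit for the page's example principal at kvno 3,
# with 0xAA filler instead of real key material.
SAMPLE = b"\x05\x02" + b"".join(build_entry("host/Sample1.contoso.com@CONTOSO.COM", et, b"\xaa" * n, 3)
                                for et, n in ((1, 8), (3, 8), (23, 16), (17, 16), (18, 32)))
```

Run `audit_keytab(open("Sample1.keytab", "rb").read(), "host/Sample1.contoso.com@CONTOSO.COM", 1)` on a real file; an empty list means the principal, kvno and enctypes match what the command was meant to produce.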

Additional references
