Creating keytabs and service principal names

Solution 1:

I'm not quite sure whether my-user-name refers to a computer object or a user object in Active Directory; I'll assume it's a user object. In that case, I think setspn is not appropriate; this is meant to modify the SPNs of existing machine accounts. For a user account, I'm skeptical that SRV_HST is right.

Apparently, support for SPNs associated with user objects is somewhat limited; I read somewhere that this is really restricted to one user. I also couldn't manage to get your ktpass invocation to work for me, as it insisted on a) specifying a user account (through mapuser) that should be associated with the SPN, and b) setting the SPN password. I think the latter is unavoidable to create a keytab through ktpass.

I managed to create a keytab in the "standard way", i.e. by setting up a dedicated user account and associating it with an SPN:

ktpass /princ TEST/host@DOMAIN /mapuser user@DOMAIN /pass *  /out foo.keytab /ptype KRB5_NT_PRINCIPAL

That operation (expectedly) broke login for the user; however, I was then able to kinit with

 kinit -k -t /tmp/foo.keytab  TEST/host@DOMAIN
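
To check what ktpass actually wrote before relying on the file, the following added example (not part of the original answer) parses an MIT-format keytab of version 0x0502 and reports each entry's principal, name type, key version and encryption type without printing key material. The names parse_keytab and sample_keytab are made up for this example, and the sample keytab is constructed here with an all-zero dummy key.

```python
import struct

# Subset of IANA Kerberos enctype numbers; DES and RC4 are deprecated.
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
WEAK = {1, 3, 23}
NAME_TYPES = {1: "KRB5_NT_PRINCIPAL", 2: "KRB5_NT_SRV_INST", 3: "KRB5_NT_SRV_HST"}

def counted(buf, off):
    """Read a 16-bit length-prefixed byte string; return (bytes, new offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Return one dict per live entry of a version 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                 # hole left by a deleted entry: skip it
            pos += -size
            continue
        rec, pos = data[pos:pos + size], pos + size
        (ncomp,) = struct.unpack_from(">H", rec, 0)
        realm, off = counted(rec, 2)
        parts = []
        for _ in range(ncomp):        # realm is not counted in version 0x0502
            comp, off = counted(rec, off)
            parts.append(comp.decode())
        name_type, _ts, kvno, etype = struct.unpack_from(">IIBH", rec, off)
        key, off = counted(rec, off + 11)   # key bytes are read but never returned
        if len(rec) - off >= 4:       # optional 32-bit kvno replaces the 8-bit one
            (kvno,) = struct.unpack_from(">I", rec, off)
        entries.append({"principal": "/".join(parts) + "@" + realm.decode(),
                        "name_type": NAME_TYPES.get(name_type, str(name_type)),
                        "kvno": kvno, "enctype": ENCTYPES.get(etype, str(etype)),
                        "weak": etype in WEAK})
    return entries

def sample_keytab(etype=18, kvno=3):
    """Constructed keytab for TEST/host@DOMAIN with an all-zero dummy key."""
    s = lambda b: struct.pack(">H", len(b)) + b
    rec = (struct.pack(">H", 2) + s(b"DOMAIN") + s(b"TEST") + s(b"host")
           + struct.pack(">IIBH", 1, 0, kvno & 0xFF, etype) + s(bytes(32))
           + struct.pack(">I", kvno))
    return b"\x05\x02" + struct.pack(">i", len(rec)) + rec
```

For a real file, pass open("/tmp/foo.keytab", "rb").read() to parse_keytab; the output corresponds to what klist -k -e shows.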