Creating an MIT style keytab for an existing Windows AD member computer

2008-07-23 Thread Edward Irvine
Hi, I'd like to find out if there is any way to extract a HOST keytab for a windows computer that is already a member of an active directory domain. A Java developer I look after wants to do the single sign on thing to his web application. Our environment is a mixed Active Directory and

Re: Creating an MIT style keytab for an existing Windows AD member computer

2008-07-23 Thread Douglas E. Engert
Edward Irvine wrote: Hi, I'd like to find out if there is any way to extract a HOST keytab for a windows computer that is already a member of an active directory domain. Do you have to use the Windows host principal? Can your application use a different principal, like HTTP or LDAP

RE: Creating an MIT style keytab for an existing Windows AD member computer

2008-07-23 Thread Paul Moore
It could then impersonate any user to the machine Can you explain that. I want to make sure I understand all potential kerb threats, this is a new one to me. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas E. Engert Sent: Wednesday, July 23,

Re: Creating an MIT style keytab for an existing Windows AD member computer

2008-07-23 Thread Michael B Allen
On Wed, Jul 23, 2008 at 3:59 AM, Edward Irvine [EMAIL PROTECTED] wrote: Hi, I'd like to find out if there is any way to extract a HOST keytab for a windows computer that is already a member of an active directory domain. A Java developer I look after wants to do the single sign on thing to

Re: Creating an MIT style keytab for an existing Windows AD member computer

2008-07-23 Thread Douglas E. Engert
Paul Moore wrote: It could then impersonate any user to the machine Can you explain that. I want to make sure I understand all potential kerb threats, this is a new one to me. This is at the heart of Kerberos. Client and server trust KDC and trust KDC to give service ticket to client

Re: Creating an MIT style keytab for an existing Windows AD member computer

2008-07-23 Thread Nicolas Williams
On Wed, Jul 23, 2008 at 02:01:43PM -0400, Michael B Allen wrote: Extracting the keys from AD is not possible [1]. Nor is it possible to extract them from MIT krb5 KDCs. However, the ktpass utility from MS can set the password, generate the corresponding key separately and put it into a

Re: Creating an MIT style keytab for an existing Windows AD member computer

2008-07-23 Thread Russ Allbery
Nicolas Williams [EMAIL PROTECTED] writes: On Wed, Jul 23, 2008 at 02:01:43PM -0400, Michael B Allen wrote: Extracting the keys from AD is not possible [1]. Nor is it possible to extract them from MIT krb5 KDCs. It is as of 1.6 using kadmin.local (not that this changes the rest of your

Re: Creating an MIT style keytab for an existing Windows AD member computer

2008-07-23 Thread Nicolas Williams
On Wed, Jul 23, 2008 at 05:55:20PM -0700, Russ Allbery wrote: Nicolas Williams [EMAIL PROTECTED] writes: On Wed, Jul 23, 2008 at 02:01:43PM -0400, Michael B Allen wrote: Extracting the keys from AD is not possible [1]. Nor is it possible to extract them from MIT krb5 KDCs. It is as