Ktpass Command In Windows Server 2008
This article shows how to use Ktpass command in Windows Server 2008 operating system.
Introduction
ktpass is command-line tool that is available in Windows Server 2008, it as also available in Windows Server 2008 R2. This command line tool is used to configure server principal name for the host or service in Active Directory Domain Services (AD DS). The Ktpass utility creates Kerberos keytab files that contains the shared secret key of the service. Syntax used for Ksetup command is given below.
Syntax
ktpass
[/out <FileName>]
[/princ <PrincipalName>]
[/mapuser <UserAccount>]
[/mapop {add|set}] [{-|+}desonly] [/in <FileName>]
[/pass {Password|*|{-|+}rndpass}]
[/minpass]
[/maxpass]
[/crypto {DES-CBC-CRC|DES-CBC-MD5|RC4-HMAC-NT|AES256-SHA1|AES128-SHA1|All}]
[/itercount]
[/ptype {KRB5_NT_PRINCIPAL|KRB5_NT_SRV_INST|KRB5_NT_SRV_HST}]
[/kvno <KeyVersionNum>]
[/answer {-|+}]
[/target]
[/rawsalt] [{-|+}dumpsalt] [{-|+}setupn] [{-|+}setpass <Password>] [/?|/h|/help]
|
Parameters
| Parameter |
Description |
| /out <Filename> |
Specifies the name of the keytable file to be generated. |
| /princ <Principal Name> |
Specifies the principal name in the format host/[email protected]. |
| /mapuser <User Account> |
Map the name of a Kerberos principal to a local account. |
| /mapop {add|set} |
Defines how the mapping attribute is set. The default is to add and Set sets the value for Data Encryption Standard (DES)-only encryption for the specified local user name. |
| {-|+}desonly |
Sets(+) or releases (-) an account for DES-only encryption. |
| /in <Filename> |
The name of an existing keytab file to read from a host computer that is not running the Windows operating system. |
| /pass {Password|*|{-|+}rndpass |
Defines a a password for the principal user name. Use "*" to prompt for a password. |
| /minpass |
Sets the minimum length of random password up to 15 characters. |
| /maxpass |
Sets the maximum length of random password up to 256 characters. |
| /crypto {DES-CBC-CRC|DES-CBC-MD5|RC4-HMAC-NT|AES256-SHA1|AES128-SHA1|All} |
Sets the encryption type. By default DES-CBC-CRC is used. |
| /itercount |
Iteration count that is used for AES encryption. |
| /ptype {KRB5_NT_PRINCIPAL|KRB5_NT_SRV_INST|KRB5_NT_SRV_HST} |
Sets the principal type
- KRB5_NT_PRINCIPAL general principal type.
- KRB5_NT_SRV_INST User service instance.
- KRB5_NT_SRV_HST host service instance.
|
| /kvno <KeyVersionNum> |
The key version number (the default is 1). |
| /answer {-|+} |
Sets background answer mode. |
| /target |
Defines the domain controller to be used. |
| /raw salt |
Forces Ktpass to use the raw salt algorithm when generating the key. |
| {-|+}dump salt |
Shows the MIT salt algorithm that is being used to generate the key. |
| {-|+}setupn |
Sets the user principal name (UPN) in addition to the service principal name (SPN) |
| {-|+}setpass <Password> |
Defines the user password |
Got a programming related question? You may want to post your question here