Ktpass Command In Windows Server 2008

This article shows how to use Ktpass command in Windows Server 2008 operating system.
  • 5866

Introduction

ktpass is command-line tool that is available in Windows Server 2008, it as also available in Windows Server 2008 R2. This command line tool is used to configure server principal name for the host or service in Active Directory Domain Services (AD DS). The Ktpass utility creates Kerberos keytab files that contains the shared secret key of the service. Syntax used for Ksetup command is given below.

Syntax

ktpass
[/out <FileName>] 
[/princ <PrincipalName>] 
[/mapuser <UserAccount>] 
[/mapop {add|set}] [{-|+}desonly] [/in <FileName>]
[/pass {Password|*|{-|+}rndpass}]
[/minpass]
[/maxpass]
[/crypto {DES-CBC-CRC|DES-CBC-MD5|RC4-HMAC-NT|AES256-SHA1|AES128-SHA1|All}]
[/itercount]
[/ptype {KRB5_NT_PRINCIPAL|KRB5_NT_SRV_INST|KRB5_NT_SRV_HST}]
[/kvno <KeyVersionNum>]
[/answer {-|+}]
[/target]
[/rawsalt] [{-|+}dumpsalt] [{-|+}setupn] [{-|+}setpass <Password>]  [/?|/h|/help]

Parameters

Parameter Description
/out <Filename> Specifies the name of the keytable file to be generated.
/princ <Principal Name> Specifies the principal name in the format  host/[email protected]
/mapuser <User Account> Map the name of a Kerberos principal to a local account.
/mapop {add|set} Defines how the mapping attribute is set. The default is to add and Set sets the value for Data Encryption Standard (DES)-only encryption for the specified local user name.
{-|+}desonly  Sets(+) or releases (-) an account for DES-only encryption.
/in <Filename> The name of an existing keytab file to read from a host computer that is not running the Windows operating system.
/pass {Password|*|{-|+}rndpass Defines a a password for the principal user name. Use "*" to prompt for a password.
/minpass Sets the minimum length of random password  up to 15 characters.
/maxpass Sets the maximum length of random password  up to 256 characters.
/crypto {DES-CBC-CRC|DES-CBC-MD5|RC4-HMAC-NT|AES256-SHA1|AES128-SHA1|All} Sets the encryption type. By default DES-CBC-CRC is used.
/itercount Iteration count that is used for AES encryption.
/ptype {KRB5_NT_PRINCIPAL|KRB5_NT_SRV_INST|KRB5_NT_SRV_HST} Sets the principal type
  • KRB5_NT_PRINCIPAL general principal type.
  • KRB5_NT_SRV_INST User service instance.
  • KRB5_NT_SRV_HST host service instance.
/kvno <KeyVersionNum> The key version number (the default is 1).
/answer {-|+} Sets background answer mode.
/target Defines the domain controller to be used.
/raw salt Forces Ktpass to use the raw salt algorithm when generating the key.
{-|+}dump salt Shows the MIT salt algorithm that is being used to generate the key.
{-|+}setupn Sets the user principal name (UPN) in addition to the service principal name (SPN)
{-|+}setpass <Password> Defines the user password

Ask Your Question 

Got a programming related question? You may want to post your question here 

 

Categories

More Articles

© 2020 DotNetHeaven. All rights reserved.