Kerberos requires the use of shared secrets to validate tickets. These secrets need to be stored somewhere. Windows stores them in the registry — the Security hive specifically. Other platforms store them in keytab files.

Keytab files are useful because they’re a well known construct and are supported by many platforms. What’s interesting about them is that they store the derived value used to encrypt the ticket, and not the real secret. This means you don’t need to worry about how the salt is derived, and can just use the value without having to know how to manipulate the underlying key to match. In other words, you don’t need to worry about Active Directory being out of spec.

It turns out the format is actually pretty simple.

entry ::=
    principal
    timestamp (32 bits)
    key version (8 bits)
    enctype (16 bits)
    key length (32 bits)
    key contents

principal ::=
    count of components (32 bits) [includes realm in version 1]
    realm (data)
    component1 (data)
    component2 (data)
    ...
    name type (32 bits) [omitted in version 1]

data ::=
    length (16 bits)
    value (length bytes)

It’s just a list of entries that map out realm, principal name, encryption type, and key value. It was a simple enough format that it was added to Kerberos.NET and is now natively supported.

Of course, one of the primary motivations for adding it is because Microsoft supports generation of keytab files from Active Directory (sorta).

There’s a tool in the Remote Server Administration Tools (RSAT) package that generates keytab files for interoperability with other platforms and it uses the Active Directory salt method. To generate a file you run this command:

ktpass 
   /princ HTTP/test.identityintervention.com@IDENTITYINTERVENTION.COM 
   /mapuser IDENTITYINTER\server01$ 
   /pass P@ssw0rd! 
   /out sample.keytab 
   /crypto all 
   /ptype KRB5_NT_SRV_INST 
   /mapop set

The documentation for the ktpass tool is really well (surprisingly well?) documented, but there are only a few key parameters that need to be set.


ParameterDescription
/princThe SPN of the application.
/mapuserThe samAccountName of the identity in Active Directory.
/passThe password that will be used — note that the tool will set the mapuser identity password to this value in Active Directory.
/cryptoThe list of encryption algorithms that will have entries generated.
/ptypeThe type of principal.

Using the above sample as a template will generate a keytab file that is compatible with Kerberos.NET.

Join the conversation