There are two ways to authenticate with Kerberos: a Kerberos ticket cache (tickets obtained interactively, for example by logging on to Windows or running kinit) or a Kerberos keytab, a file holding the principal's long-term keys so that an application can obtain tickets without prompting for a password. Windows ships only a limited set of tools for creating a keytab file. One is ktpass, a utility that ships with Windows Server as part of the Active Directory Domain Services tools and is run on a server. Another is ktab, which is part of a Java installation and therefore runs on any Windows computer. Because a keytab contains the account's long-term keys (for RC4-HMAC the key is literally the account's NT hash, see RFC 4757), it is as sensitive as the password itself: keep it on an encrypted volume, restrict its ACL to the account that reads it, and regenerate it whenever the password changes.

1. ktpass

There are strict requirements for running the tool. It must be run on a member server or a domain controller of the Active Directory domain, on a supported Windows Server release (2008, 2012 or 2016), from a Command Prompt started with the Run as administrator option. Without the /mapuser option (not used here) ktpass does not touch the account: it only derives keys from the password given on the command line, so if [Password] is not the account's current password the keytab is silently wrong and authentication later fails at preauthentication (KDC_ERR_PREAUTH_FAILED).

ktpass -princ [Windows user name]@[Realm name] -pass [Password] -crypto [Encryption type] -ptype [Principal type] -kvno [Key version number] -out [Keytab file path]

ktpass accepts either - or / as the option prefix.
  • [Windows user name] - mywindowsname.
  • [Realm name] - SAMPLE.COM (the Kerberos realm, that is the AD domain name in upper case).
  • [Password] - the current password of the mywindowsname account.
  • [Encryption type] - RC4-HMAC-NT, the ktpass name for etype 23 (rc4-hmac in RFC 3961, section 8). ktpass also accepts DES-CBC-CRC, DES-CBC-MD5, AES128-SHA1, AES256-SHA1 and All. RC4 is deprecated (RFC 8429); prefer AES256-SHA1 whenever the consuming application and the account's AES setting (section 3.3) allow it.
  • [Principal type] - KRB5_NT_PRINCIPAL, the general Kerberos 5 name type (NT-PRINCIPAL, value 1 in RFC 4120) used for user accounts; service principals use KRB5_NT_SRV_INST or KRB5_NT_SRV_HST.
  • [Key version number] - 0. This is fine for a client keytab used to obtain tickets; a keytab used by a service to decrypt tickets must carry the account's real kvno (the msDS-KeyVersionNumber attribute, which increases on every password change).
  • [Keytab file path] - c:\kerberos\keytabname.keytab.

2. ktab

It requires a Java installation (JRE or JDK, or an open source equivalent such as OpenJDK); ktab lives in the Java bin directory. The tool has a limited set of options.

The encryption type and the principal type cannot be chosen: ktab always writes Kerberos 5 entries (KRB5_NT_PRINCIPAL) and creates one entry for each encryption type enabled in the Java Kerberos configuration (the listings in section 3 show four). Two caveats: if [Password] is omitted, ktab prompts for it, which keeps the password out of the command history and the process list; and the AES keys are derived with a salt built from the realm and the principal name, so [Windows user name] must match the account's sAMAccountName exactly, including letter case, or the AES entries are wrong while the saltless RC4 entry still works.

ktab -a [Windows user name]@[Realm name] [Password] -n [Key version number] -k [Keytab file path]

List all encryption types stored in a keytab file

ktab -l -e -k [Keytab file path]

If the authentication process does not accept multiple encryption types, keep the one entry it needs and delete the rest. -f skips the confirmation prompt and -e selects the entries of one encryption type:

ktab -d [Windows user name]@[Realm name] -f -e [Number of encryption type] -k [Keytab file path]
  • [Number of encryption type] - 16, the etype code from RFC 3961, section 8 (see the table in section 4).

3. Usage Samples

3.1. DBeaver connection to Hive with Kerberos Authentication

DBeaver accepts a keytab that contains multiple encryption types, so the file ktab creates can be used as is.

  • Create a keytab file

    ktab -a mywindowsname@SAMPLE.COM mypassword -n 0 -k c:\kerberos\mywindowsname.keytab
    
    Done!
    Service key for mywindowsname@SAMPLE.COM is saved in c:\kerberos\mywindowsname.keytab
    
  • List content of the keytab file

    ktab -l -e -k c:\kerberos\mywindowsname.keytab
    
    Keytab name: c:\kerberos\mywindowsname.keytab
    KVNO Principal
    ---- ---------------------------------------------------------------
       0 mywindowsname@SAMPLE.COM (18:AES256 CTS mode with HMAC SHA1-96)
       0 mywindowsname@SAMPLE.COM (17:AES128 CTS mode with HMAC SHA1-96)
       0 mywindowsname@SAMPLE.COM (16:DES3 CBC mode with SHA1-KD)
       0 mywindowsname@SAMPLE.COM (23:RC4 with HMAC)
    

3.2. Talend tHDFSConnection Component with Kerberos Authentication

Talend's tHDFSConnection only works with a keytab that contains a single encryption type; this sample keeps 23 (RC4-HMAC). If the account has AES enabled (section 3.3) and the Hadoop side accepts it, keep 18 (AES256) and delete 16, 17 and 23 instead: RC4 is the weakest of the four and its key is the account's NT hash.

  • Create a keytab file

    ktab -a mywindowsname@SAMPLE.COM mypassword -n 0 -k c:\kerberos\mywindowsname.keytab
    
    Done!
    Service key for mywindowsname@SAMPLE.COM is saved in c:\kerberos\mywindowsname.keytab
    
  • List content of the keytab file

    ktab -l -e -k c:\kerberos\mywindowsname.keytab
    
    Keytab name: c:\kerberos\mywindowsname.keytab
    KVNO Principal
    ---- ---------------------------------------------------------------
       0 mywindowsname@SAMPLE.COM (18:AES256 CTS mode with HMAC SHA1-96)
       0 mywindowsname@SAMPLE.COM (17:AES128 CTS mode with HMAC SHA1-96)
       0 mywindowsname@SAMPLE.COM (16:DES3 CBC mode with SHA1-KD)
       0 mywindowsname@SAMPLE.COM (23:RC4 with HMAC)
    
  • Delete the unused encryption types (16, 17 and 18)

    ktab -d mywindowsname@SAMPLE.COM -f -e 16 -k c:\kerberos\mywindowsname.keytab
    
    Done! 1 entries removed.
    
    ktab -d mywindowsname@SAMPLE.COM -f -e 17 -k c:\kerberos\mywindowsname.keytab
    
    Done! 1 entries removed.
    
    ktab -d mywindowsname@SAMPLE.COM -f -e 18 -k c:\kerberos\mywindowsname.keytab
    
    Done! 1 entries removed.
    
  • List content of the keytab file again

    ktab -l -e -k c:\kerberos\mywindowsname.keytab
    
    Keytab name: c:\kerberos\mywindowsname.keytab
    KVNO Principal
    ---- ---------------------------------------------------------------
       0 mywindowsname@SAMPLE.COM (23:RC4 with HMAC)
    

3.3. Windows

Which encryption types can actually be used depends on the account's settings in Active Directory, not only on what the keytab contains: the KDC uses only the encryption types the account supports, so a keytab entry for a type the account does not support is never used.

The account properties dialog in Active Directory Users and Computers (Account tab, Account options) contains the following Kerberos-related options:

  • Use Kerberos DES encryption types for this account
  • This account supports Kerberos AES 128 bit encryption
  • This account supports Kerberos AES 256 bit encryption
  • Do not require Kerberos preauthentication

[Figure: Windows account properties, Kerberos authentication options]

The AES check boxes set bits in the account's msDS-SupportedEncryptionTypes attribute (RC4-HMAC = 0x4, AES128 = 0x8, AES256 = 0x10). In the classic default configuration an account with neither AES box ticked is limited to RC4-HMAC, which is why the RC4 entry is the one that works out of the box. Do not tick "Do not require Kerberos preauthentication" to work around a keytab problem: it allows anyone to request an AS-REP for the account and guess its password offline.
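The listing, pruning and account-setting checks in sections 2, 3.2 and 3.3 can be verified without Java. The following Python script is an added example written for this page, not code from ktab, ktpass or any product mentioned here. It implements the keytab file format version 2 (the 0x0502 format that ktab writes and MIT and Java clients read), lists a keytab the way ktab -l -e does, rewrites it with a single encryption type the way the ktab -d steps do, and compares the result with the account's msDS-SupportedEncryptionTypes bitmask. The sample keytab it builds is constructed: the principal, realm and etype codes are the page's own, but the key bytes are placeholders, not keys derived from any password. AD_ENCTYPE_BITS, usable_etypes and the RC4-only treatment of an unset attribute are the example's assumptions.

```python
import struct
import sys
from dataclasses import dataclass

KEYTAB_VERSION = b"\x05\x02"   # keytab file format version 2
KRB5_NT_PRINCIPAL = 1           # RFC 4120 name type written by ktab/ktpass

# RFC 3961 section 8 / Microsoft etype codes seen in the ktab listings above
ETYPE_NAMES = {
    16: "DES3 CBC mode with SHA1-KD",
    17: "AES128 CTS mode with HMAC SHA1-96",
    18: "AES256 CTS mode with HMAC SHA1-96",
    23: "RC4 with HMAC",
}
# msDS-SupportedEncryptionTypes bit -> etype code (assumed mapping, see lead-in)
AD_ENCTYPE_BITS = {0x1: 1, 0x2: 3, 0x4: 23, 0x8: 17, 0x10: 18}


@dataclass
class KeytabEntry:
    principal: str      # "name@REALM" or "service/host@REALM"
    kvno: int
    etype: int
    key: bytes
    name_type: int = KRB5_NT_PRINCIPAL
    timestamp: int = 0


def _counted(b: bytes) -> bytes:
    """keytab counted_octet_string: big-endian uint16 length + bytes"""
    return struct.pack(">H", len(b)) + b


def _read_counted(data: bytes, pos: int):
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n].decode(), pos + 2 + n


def _encode_entry(e: KeytabEntry) -> bytes:
    name, realm = e.principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    body += b"".join(_counted(c.encode()) for c in comps)
    body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)
    body += struct.pack(">HH", e.etype, len(e.key)) + e.key
    if e.kvno > 0xFF:               # optional 32-bit kvno extension
        body += struct.pack(">I", e.kvno)
    return struct.pack(">i", len(body)) + body


def write_keytab(entries) -> bytes:
    return KEYTAB_VERSION + b"".join(_encode_entry(e) for e in entries)


def parse_keytab(data: bytes):
    """Return live entries; a negative size marks a hole left by a delete."""
    if data[:2] != KEYTAB_VERSION:
        raise ValueError("unsupported keytab version %s" % data[:2].hex())
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                # freed slot: skip it
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _read_counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_counted(data, pos)
            comps.append(c)
        name_type, ts, vno8 = struct.unpack_from(">IIB", data, pos)
        etype, klen = struct.unpack_from(">HH", data, pos + 9)
        key = data[pos + 13:pos + 13 + klen]
        kvno, tail = vno8, pos + 13 + klen
        if end - tail >= 4:         # a non-zero 32-bit kvno overrides vno8
            (vno32,) = struct.unpack_from(">I", data, tail)
            kvno = vno32 or vno8
        entries.append(KeytabEntry("/".join(comps) + "@" + realm, kvno, etype, key, name_type, ts))
        pos = end
    return entries


def listing(entries):
    """Lines in the style of `ktab -l -e`."""
    return ["%4d %s (%d:%s)" % (e.kvno, e.principal, e.etype, ETYPE_NAMES.get(e.etype, "unknown"))
            for e in entries]


def keep_etypes(data: bytes, wanted) -> bytes:
    """Rewrite the keytab with only the wanted etypes (what ktab -d of the rest leaves)."""
    return write_keytab([e for e in parse_keytab(data) if e.etype in wanted])


def usable_etypes(entries, ad_mask: int):
    """Etypes present in the keytab that the account's msDS-SupportedEncryptionTypes allows.
    Assumption: 0/unset is treated as RC4-only, the classic user-account default."""
    supported = {et for bit, et in AD_ENCTYPE_BITS.items() if ad_mask & bit} or {23}
    return sorted({e.etype for e in entries} & supported)


# Constructed sample: the four entries ktab produced on this page, kvno 0,
# with placeholder key bytes of the right length for each etype (not real keys).
SAMPLE_ENTRIES = [KeytabEntry("mywindowsname@SAMPLE.COM", 0, et, bytes([et]) * klen)
                  for et, klen in ((18, 32), (17, 16), (16, 24), (23, 16))]


def demo():
    full = write_keytab(SAMPLE_ENTRIES)
    return parse_keytab(full), parse_keytab(keep_etypes(full, {23}))


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else write_keytab(SAMPLE_ENTRIES)
    print("KVNO Principal")
    print("\n".join(listing(parse_keytab(data))))
```

Run it with a keytab path to list a real file (python keytab_check.py c:\kerberos\mywindowsname.keytab) or without arguments to list the constructed sample. Because the listing prints the etype numbers, it is a quick way to confirm that the ktab -d pass left exactly the entry the consuming application expects, and usable_etypes shows whether that entry can be used at all: a keytab holding only etype 23 is useless for an account whose msDS-SupportedEncryptionTypes has been restricted to AES.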

4. Encryption types

As per RFC 3961, section 8.

Encryption type                 Code  Section or comment
des-cbc-crc                        1  6.2.3
des-cbc-md4                        2  6.2.2
des-cbc-md5                        3  6.2.1
[reserved]                         4
des3-cbc-md5                       5
[reserved]                         6
des3-cbc-sha1                      7
dsaWithSHA1-CmsOID                 9  (pkinit)
md5WithRSAEncryption-CmsOID       10  (pkinit)
sha1WithRSAEncryption-CmsOID      11  (pkinit)
rc2CBC-EnvOID                     12  (pkinit)
rsaEncryption-EnvOID              13  (pkinit from PKCS#1 v1.5)
rsaES-OAEP-ENV-OID                14  (pkinit from PKCS#1 v2.0)
des-ede3-cbc-Env-OID              15  (pkinit)
des3-cbc-sha1-kd                  16  6.3
aes128-cts-hmac-sha1-96           17  [KRB5-AES]
aes256-cts-hmac-sha1-96           18  [KRB5-AES]
rc4-hmac                          23  (Microsoft)
rc4-hmac-exp                      24  (Microsoft)
subkey-keymaterial                65  (opaque; PacketCable)

Of the codes that ktab writes, 16 (3DES) and 23 (RC4) are deprecated by RFC 8429, and the single-DES types 1 to 3 by RFC 6649; 17 and 18 (AES) are the ones to keep when the consuming application lets you choose.
