FortiProxy
FortiProxy provides enterprise-class protection against internet-borne threats and Advanced Web Content Caching
KC_Hing
Staff
Article Id 355453
Description

This article describes how to fix the errors that ktpass reports when a keytab file is regenerated for the same Kerberos service account and service principal name (SPN) that were used for the previous keytab.

When ktpass is run against an account that already has the SPN mapped, it fails with output like the following:

C:\>ktpass -princ HTTP/fpx.fortilab.local@fortilab.local -mapuser fpx -pass <password> -crypto all -ptype KRB5_NT_PRINCIPAL -out fpx.keytab
Targeting domain controller: DC.fortilab.local
Failed to retrieve values for property ?????????: 0x10.
Failed to set property 'servicePrincipalName' to 'HTTP/fpx.fortilab.local' on Dn 'CN=FPX,CN=Users,DC=fortilab,DC=local': 0x32.
WARNING: Unable to set SPN mapping data.
If FPX already has an SPN mapping installed for HTTP/fpx.fortilab.local, this is no cause for concern.
Failed to retrieve user info for FPX: 0x5.
Aborted.

Scope

FortiProxy.
Solution

Run the setspn command on the AD server to unregister the existing SPN record from the service account:

C:\>setspn -D HTTP/fpx.fortilab.local@fortilab.local fpx
Unregistering ServicePrincipalNames for CN=FPX,CN=Users,DC=fortilab,DC=local
HTTP/fpx.fortilab.local@fortilab.local
Updated object


Use the ktpass command to regenerate the Kerberos keytab file now that the SPN record has been unregistered:


C:\>ktpass -princ HTTP/fpx.fortilab.local@fortilab.local -mapuser fpx -pass <password> -crypto all -ptype KRB5_NT_PRINCIPAL -out fpx.keytab
Targeting domain controller: winsvr16.fortilab.local
Successfully mapped HTTP/fpx.fortilab.local to FPX.
Password successfully set!
Key created.
Key created.
Key created.
Key created.
Key created.
Output keytab to fpx.keytab:
Keytab version: 0x502
keysize 65 HTTP/fpx.fortilab.local@fortilab.local ptype 1 (KRB5_NT_PRINCIPAL) vno 8 etype 0x1 (DES-CBC-CRC) keylength 8 (0xd3fb58b607491c7a)
keysize 65 HTTP/fpx.fortilab.local@fortilab.local ptype 1 (KRB5_NT_PRINCIPAL) vno 8 etype 0x3 (DES-CBC-MD5) keylength 8 (0xd3fb58b607491c7a)
keysize 73 HTTP/fpx.fortilab.local@fortilab.local ptype 1 (KRB5_NT_PRINCIPAL) vno 8 etype 0x17 (RC4-HMAC) keylength 16 (0x5fbc3d5fec8206a30f4b6c473d68ae76)
keysize 89 HTTP/fpx.fortilab.local@fortilab.local ptype 1 (KRB5_NT_PRINCIPAL) vno 8 etype 0x12 (AES256-SHA1) keylength 32 (0x790940a03ceb0276aaaaeac72bf1b83cef20d7a000433f9ed6f224c3be57d6c8)
keysize 73 HTTP/fpx.fortilab.local@fortilab.local ptype 1 (KRB5_NT_PRINCIPAL) vno 8 etype 0x11 (AES128-SHA1) keylength 16 (0x5ccbd0bfc4c736a2d55e150862d55f71)
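As an added example (not part of this article or of FortiProxy), a small Python parser for the keytab file that ktpass writes, so the file can be checked before it is uploaded: it recovers the principal, ptype, vno and etype of each entry exactly as the output above lists them, and flags the DES and RC4 keys that -crypto all also produces. The function names are this example's own, and the sample keytab is constructed inline from two of the entries shown above.

```python
import struct
from collections import namedtuple
# ktpass layout (keytab version 0x502, big-endian): int32 entry size, uint16 component count,
# counted realm, counted components, uint32 name type, uint32 timestamp, uint8 vno, uint16 enctype,
# uint16 key length, key bytes. ktpass writes no trailing 32-bit vno, so size == keysize above.
KeytabEntry = namedtuple("KeytabEntry", "principal name_type vno etype key")
WEAK_ETYPES = {0x1: "DES-CBC-CRC", 0x3: "DES-CBC-MD5", 0x17: "RC4-HMAC"}

def _counted(buf, off):
    n, = struct.unpack_from(">H", buf, off)  # uint16 length prefix, then the bytes
    return buf[off + 2:off + 2 + n].decode(), off + 2 + n

def parse_keytab(data: bytes) -> list:
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x502 keytab")
    entries, off = [], 2
    while off < len(data):
        size, = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:  # a negative size marks a deleted slot: skip it
            off -= size
            continue
        end = off + size
        ncomp, = struct.unpack_from(">H", data, off)
        realm, off = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp)
        name_type, _ts, vno, etype, klen = struct.unpack_from(">IIBHH", data, off)
        key, off = data[off + 13:off + 13 + klen], off + 13 + klen
        if off != end:
            raise ValueError("entry length does not match its size field")
        entries.append(KeytabEntry("/".join(comps) + "@" + realm, name_type, vno, etype, key))
    return entries

def encode_entry(principal: str, vno: int, etype: int, key: bytes) -> bytes:
    name, realm = principal.rsplit("@", 1)  # same byte layout ktpass writes; used for the sample
    comps = name.split("/")
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIBHH", 1, 0, vno, etype, len(key)) + key  # 1 = KRB5_NT_PRINCIPAL
    return struct.pack(">i", len(body)) + body

def weak_etypes(entries) -> list:
    return sorted(e.etype for e in entries if e.etype in WEAK_ETYPES)

PRINC = "HTTP/fpx.fortilab.local@fortilab.local"  # constructed sample: AES256 and DES-CBC-CRC entries from above
SAMPLE = (b"\x05\x02"
          + encode_entry(PRINC, 8, 0x12, bytes.fromhex("790940a03ceb0276aaaaeac72bf1b83cef20d7a000433f9ed6f224c3be57d6c8"))
          + encode_entry(PRINC, 8, 0x1, bytes.fromhex("d3fb58b607491c7a")))
```

Running parse_keytab over a real fpx.keytab (read in binary mode) lists the same five entries ktpass printed; a non-empty weak_etypes result means DES or RC4 keys are present in the file.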

Encode the keytab file in base64 so it can be pasted into the FortiProxy configuration; the findstr filter drops the BEGIN/END header lines that certutil adds, leaving only the base64 text in fpx.txt:

C:\>certutil -encode fpx.keytab tmp.b64 && findstr /v /c:- tmp.b64 > fpx.txt
Input Length = 387
Output Length = 590
CertUtil: -encode command completed successfully.

Configure FortiProxy to use the new keytab for Kerberos ticket decryption, pasting the base64 string from fpx.txt as the keytab value:

config user krb-keytab
    edit "keytab1"
        set principal "HTTP/fpx.fortilab.local@fortilab.local"
        set ldap-server "Adserver"
        set keytab "ENC <base64 keytab contents from fpx.txt>"
    next
end