Advertisement
ILyaCyclone

Untitled

Aug 7th, 2017
299
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 3.19 KB | None | 0 0
  1. 1. setspn -D HTTP/tomcatserver.global.lpl.top tomcatuser
  2. Updated object
  3.  
  4. 2. setspn -l tomcatuser
  5. list empty
  6.  
  7. 3. ktpass /out c:\tomcat2.keytab /mapuser tomcatuser@GLOBAL.LPL.TOP /mapOp set /princ HTTP/tomcatserver.global.lpl.top@GLOBAL.LPL.TOP /pass tomcatuserpassword /ptype KRB5_NT_PRINCIPAL /crypto AES256-SHA1
  8.  
  9. Targeting domain controller: cdc.global.lpl.top
  10. Successfully mapped HTTP/tomcatserver.global.lpl.top to tomcatuser.
  11. Password successfully set!
  12. Key created.
  13. Output keytab to : c:\tomcat2.keytab:
  14. Keytab version: 0x502
  15. keysize 96 HTTP/tomcatserver.global.lpl.top@GLOBAL.LPL.TOP ptype 1 (KRB5_NT_PRINCIPAL) vno 6 etype 0x12 (AES256-SHA1) keylength 32 (0x0a976...bd7)
  16.  
  17. 4. setspn -l tomcatuser
  18. Registered ServicePrincipalNames for CN=tomcatuser,OU=Services,OU=Accounts,OU=...,OU=Delegated,DC=global,DC=lpl,DC=top: HTTP/tomcatserver.global.lpl.top
  19.  
  20. 5. jdk1.7.0_79\bin> klist -k -t C:\tomcat2.keytab
  21.  
  22. Key tab: C:\tomcat2.keytab, 1 entry found.
  23.  
  24. [1] Service principal: HTTP/tomcatserver.global.lpl.top@GLOBAL.LPL.TOP
  25. KVNO: 6
  26. Time stamp: Jan 01, 1970 03:00
  27.  
  28. 6. tomcatuser AD account properties shows User Logon Name "HTTP/tomcatserver.global.lpl.top" followed by "@global.lpl.top" value in dropdown list.
  29. 128 and 256 ecnryption are checked.
  30.  
  31. 7. jdk1.7.0_79\bin>kinit tomcatuser tomcatuserpassword
  32. empty reply
  33.  
  34. 8. jdk1.7.0_79\bin>kinit HTTP/tomcatserver.global.lpl.top@GLOBAL.LPL.TOP -k -t C:\tomcat2.keytab
  35. Exception: krb_error 0 Do not have keys of types listed in default_tkt_enctypes
  36. available; only have keys of following type: No error
  37. KrbException: Do not have keys of types listed in default_tkt_enctypes available
  38. ; only have keys of following type:
  39. at sun.security.krb5.internal.crypto.EType.getDefaults(EType.java:273)
  40. at sun.security.krb5.KrbAsReqBuilder.build(KrbAsReqBuilder.java:264)
  41. at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:318)
  42. at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:364)
  43. at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:221)
  44. at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:113)
  45.  
  46. 9. Noticed that kinit doesn't really seem to care about my C:\Windows\krb5.ini (I even tried deleting it) nor actual command values:
  47. jdk1.7.0_79\bin>kinit nosuchuser -k -t c:\nosuchfile.keytab
  48. Exception: krb_error 0 Do not have keys of types listed in default_tkt_enctypes
  49. available; ...
  50.  
  51. 10. jdk1.7.0_79\bin>ktab -l -e -t -k C:\tomcat2.keytab
  52. Keytab name: C:\tomcat2.keytab
  53. KVNO Timestamp Principal
  54.  
  55. ---- ------------- -------------------------------------------------------------
  56. -----------------------
  57. 6 01.01.70 3:00 HTTP/tomcatserver.global.lpl.top@GLOBAL.LPL.TOP (18:AES256 CTS
  58. mode with HMAC SHA1-96)
  59.  
  60. Addendum
  61. C:\Windows\krb5.ini:
  62. [libdefaults]
  63. default_realm = GLOBAL.LPL.TOP
  64. default_keytab_name = FILE:C:\tomcat2.keytab
  65. default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
  66. default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
  67. forwardable=true
  68.  
  69. [realms]
  70. GLOBAL.LPL.TOP = {
  71. kdc = cdc.global.lpl.top:88
  72. }
  73.  
  74. [domain_realm]
  75. global.lpl.top=GLOBAL.LPL.TOP
  76. .global.lpl.top=GLOBAL.LPL.TOP
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement