Use of Ktpass command:

Ktpass configures the server principal name for the host or service in Active Directory Domain Services (AD DS) and generates a .keytab file that contains the shared secret key of the service.


Ktpass command Syntax:

ktpass [/out <filename>] [/princ <principalname>] [/mapuser <useraccount>] [/mapop {add|set}]
       [{-|+}desonly] [/in <filename>] [/pass {Password|*|{-|+}rndpass}] [/minpass] [/maxpass]
       [/crypto {DES-CBC-CRC|DES-CBC-MD5|RC4-HMAC-NT|AES256-SHA1|AES128-SHA1|All}] [/itercount]
       [/ptype {KRB5_NT_PRINCIPAL|KRB5_NT_SRV_INST|KRB5_NT_SRV_HST}] [/kvno <keyversionnum>]
       [/answer {-|+}] [/target] [/rawsalt] [{-|+}dumpsalt] [{-|+}setupn] [{-|+}setpass <password>]
       [/?|/h|/help]


Ktpass command Switches:

/out -> Specifies the name of the Kerberos version 5 .keytab file to generate.

/princ -> Specifies the principal name, in the form host/<fully qualified host name>@<REALM>.

/mapuser -> Maps the name of the Kerberos principal, which is specified by the princ parameter, to the specified domain account.

/mapop {add|set} -> Specifies how the mapping attribute is set.

{-|+}desonly -> Sets (+) or clears (-) DES-only encryption for the account. DES-only encryption is set by default.

/in -> Specifies the .keytab file to read from a host computer that is not running the Windows operating system.

/pass {Password|*|{-|+}rndpass} -> Specifies a password for the principal user name that is specified by the princ parameter. Use "*" to prompt for a password.

/minpass -> Sets the minimum length of the random password to 15 characters.

/maxpass -> Sets the maximum length of the random password to 256 characters.

/crypto {DES-CBC-CRC|DES-CBC-MD5|RC4-HMAC-NT|AES256-SHA1|AES128-SHA1|All} -> Specifies the keys that are generated in the keytab file:

 DES-CBC-CRC is used for compatibility.

 DES-CBC-MD5 adheres more closely to the MIT implementation and is used for compatibility.

 RC4-HMAC-NT employs 128-bit encryption.

 AES256-SHA1 employs AES256-CTS-HMAC-SHA1-96 encryption.

 AES128-SHA1 employs AES128-CTS-HMAC-SHA1-96 encryption.

 All states that all supported cryptographic types can be used.

/itercount -> Specifies the iteration count that is used for AES encryption. By default, itercount is ignored for non-AES encryption and set to 4,096 for AES encryption.

/ptype {KRB5_NT_PRINCIPAL|KRB5_NT_SRV_INST|KRB5_NT_SRV_HST} -> Specifies the principal type:

 KRB5_NT_PRINCIPAL is the general principal type (recommended).

 KRB5_NT_SRV_INST is the user service instance.

 KRB5_NT_SRV_HST is the host service instance.

/kvno -> Specifies the key version number. The default value is 1.

/answer {-|+} -> Sets the background answer mode:

 - Answers reset password prompts automatically with NO.

 + Answers reset password prompts automatically with YES.

/target -> Sets which domain controller to use. By default, the domain controller is detected based on the principal name. If the domain controller name does not resolve, a dialog box prompts for a valid domain controller.

/rawsalt -> Forces Ktpass to use the rawsalt algorithm when generating the key. This parameter is not needed.

{-|+}dumpsalt -> The output of this parameter shows the MIT salt algorithm that is being used to generate the key.

{-|+}setupn -> Sets the user principal name (UPN) in addition to the service principal name (SPN). The default is to set both in the .keytab file.

{-|+}setpass -> Sets the user's password when supplied. If rndpass is used, a random password is generated instead.

/?|/h|/help -> Displays command-line Help for Ktpass.


Ktpass command Example:

To use Ktpass to set up an identity mapping for the user account Sample1, type the following at a command prompt (the host principal is shown as a placeholder; substitute the host's fully qualified name and the realm):

ktpass /princ host/<hostname.domain>@<REALM> /mapuser Sample1 /pass MyPas$w0rd /out Sample1.keytab /crypto all /ptype KRB5_NT_PRINCIPAL /mapop set
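Because /crypto all writes DES and RC4 keys next to the AES keys, it is worth inspecting the generated file before handing it to the service. The following is an added example, not code from the original page or from ktpass: a small parser for the MIT v5.02 keytab format that ktpass writes, which lists each entry's principal, name type (the /ptype value), kvno and encryption type and flags the DES and RC4 entries, without ever printing key material. The principal, realm and all-zero key bytes in SAMPLE_KEYTAB are constructed for the example.

```python
import struct
# Keytab enctype numbers, labelled with the names ktpass /crypto uses for them.
ENCTYPES = {1: "DES-CBC-CRC", 3: "DES-CBC-MD5", 17: "AES128-SHA1", 18: "AES256-SHA1", 23: "RC4-HMAC-NT"}
WEAK = {1, 3, 23}  # DES and RC4 keys, which "/crypto all" writes alongside the AES keys
NAME_TYPES = {1: "KRB5_NT_PRINCIPAL", 2: "KRB5_NT_SRV_INST", 3: "KRB5_NT_SRV_HST"}

def _counted(buf, pos):  # 16-bit length-prefixed octet string (realm and name components)
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(data):
    """One dict per entry of an MIT v5.02 keytab; key bytes are skipped, never returned."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 5.02 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        size, pos = struct.unpack_from(">i", data, pos)[0], pos + 4
        if size < 0:  # a negative size marks a deleted slot
            pos -= size
            continue
        end = pos + size
        ncomp = struct.unpack_from(">H", data, pos)[0]
        names, pos = [], pos + 2
        for _ in range(ncomp + 1):  # realm first, then the name components
            s, pos = _counted(data, pos)
            names.append(s.decode())
        name_type, _stamp, vno8, etype, keylen = struct.unpack_from(">IIBHH", data, pos)
        pos += 13 + keylen  # step over the key material
        kvno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8
        entries.append({"principal": "/".join(names[1:]) + "@" + names[0], "kvno": kvno, "etype": etype,
                        "name_type": NAME_TYPES.get(name_type, str(name_type)), "enctype": ENCTYPES.get(etype, str(etype))})
        pos = end
    return entries

def weak_entries(entries):
    """Entries whose key type should not be in a new keytab (DES or RC4)."""
    return [e for e in entries if e["etype"] in WEAK]

def encode_entry(principal, name_type, kvno, etype, key):
    """Encode one v5.02 entry; used here only to build constructed sample data."""
    name, realm = principal.rsplit("@", 1)
    parts = [realm.encode()] + [c.encode() for c in name.split("/")]
    body = struct.pack(">H", len(parts) - 1) + b"".join(struct.pack(">H", len(p)) + p for p in parts)
    body += struct.pack(">IIBHH", name_type, 0, kvno & 0xFF, etype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample: the five keys "/crypto all /kvno 3" would write for one host principal (all-zero key bytes).
SAMPLE_KEYTAB = b"\x05\x02" + b"".join(encode_entry("host/sample1.example.test@EXAMPLE.TEST", 1, 3, et, bytes(n))
                                        for et, n in ((18, 32), (17, 16), (23, 16), (3, 8), (1, 8)))
```

Run parse_keytab over the bytes of a real Sample1.keytab to see the same fields for it; an empty weak_entries result means the file carries AES keys only.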

