I just have a little question about the ktpass command.
I have a user my-test-user
with a password myPassword!
. I can log in with this account via the username and the password.
But when I use the following command to generate a keytab file, I just can log in with the keytab file (kinit for example).
ktpass /out test.keytab /princ HTTP/test.example.com@MY.REALM /pass * /mapuser my-test-user@MY.REALM /ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT
If I try to connect with the username/password, the badPwdCount property is incremented.
My question is : is the ktpass command disable password authentication?
Many thanks.
Short answer: no.
The /pass *
option means prompt for password. The /mapuser
option means to lookup details in AD. If the value passed in via /pass
doesn't match what's stored in AD the /mapuser
call will set the password in AD to whatever is passed in.
What build of Windows are you running this on? The build of ktpass that shipped in Windows 2012 has a bug in the /pass
parameter handling that appends the enter key escape character into the string sent to AD, so it resets it incorrectly. This was fixed in later OSes.