I've registered an SPN, now I want to try to get a ticket for it. I know there is kvno on Linux to do that; is there an analog on Windows?
4 Answers
The Windows equivalent to kinit for realm CORP.CONTOSO.COM is:
- Add the SAMAccountName as the user credentials for the realm in Control Panel > User Accounts > Credential Manager > Windows Credentials

  Note 1: you must use the realm exactly. You cannot use the domain name or a UPN. E.g.: `CORP.CONTOSO.COM\jsmith` is fine, but `CORP\jsmith` and `john@contoso.com` will fail.
  Note 2: This can alternately be done using `cmdkey /add:*.CORP.CONTOSO.COM /user:CORP.CONTOSO.COM\jsmith /pass`
  Note 3: These saved credentials are retained indefinitely in your roaming profile. Remove them afterwards if this is not desired.
- Make the connection to the service (using ssh, CIFS, RDP/TERMSERV, etc…) and verify a service ticket was created using `klist`. Alternately you can request a ticket explicitly using `klist get SPN` (e.g.: for CIFS on dc1 with `klist get cifs/dc1.CORP.CONTOSO.COM`)

Alternately, you can use runas for temporary connections (avoiding saved creds in credential manager):
- Use `runas /netonly /user:CORP.CONTOSO.COM\jsmith cmd` to start `cmd` with a new access token
- Make the connection to the service and verify Kerberos auth succeeded with `klist`
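As an added example (not part of any answer on this page, and not the posters' code): a PowerShell helper that performs the `klist get SPN` step from the answer above and reports which encryption type the issued service ticket uses. The function name `Get-SpnTicket`, the `WeakEtype` field and the sample klist text are assumptions constructed for illustration.

```powershell
# Added example: parse klist output and report the ticket issued for one SPN.
# $sample is constructed for illustration; it is not output captured from a real host.
$sample = @'
Current LogonId is 0:0x3e7a1

Cached Tickets: (2)

#0>     Client: jsmith @ CORP.CONTOSO.COM
        Server: krbtgt/CORP.CONTOSO.COM @ CORP.CONTOSO.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        End Time:   1/1/2024 19:00:00 (local)

#1>     Client: jsmith @ CORP.CONTOSO.COM
        Server: cifs/dc1.CORP.CONTOSO.COM @ CORP.CONTOSO.COM
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        End Time:   1/1/2024 19:00:00 (local)
'@

function Get-SpnTicket {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$Spn,
        [string]$KlistText   # omit to run "klist get <SPN>" on this host
    )
    if (-not $KlistText) {
        $KlistText = (& klist.exe get $Spn 2>&1 | Out-String)
    }
    # Each cached ticket starts with "#<n>>"; split into one block per ticket.
    $blocks = [regex]::Split($KlistText, '(?m)^#\d+>') | Select-Object -Skip 1
    foreach ($b in $blocks) {
        $server = if ($b -match '(?m)^\s*Server:\s*(\S+)\s*@') { $Matches[1] } else { $null }
        if ($server -ne $Spn) { continue }   # string -ne is case-insensitive
        $etype = if ($b -match 'KerbTicket Encryption Type:\s*(.+)') { $Matches[1].Trim() } else { $null }
        $end   = if ($b -match 'End Time:\s*(.+?)\s*\(local\)') { $Matches[1] } else { $null }
        [pscustomobject]@{
            Spn            = $server
            EncryptionType = $etype
            EndTime        = $end
            # RC4 and DES ticket encryption are the legacy types worth flagging
            WeakEtype      = [bool]($etype -match 'RC4|DES')
        }
    }
}

# Offline run against the constructed sample; drop -KlistText to query the local cache.
$t = Get-SpnTicket -Spn 'cifs/dc1.CORP.CONTOSO.COM' -KlistText $sample
if ($t) { $t | Format-List } else { Write-Warning 'No ticket for that SPN in the cache' }
```

An empty result means no ticket for the SPN reached the cache, which usually points at a missing or duplicate SPN registration or at a realm name that does not match exactly.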
In Linux you can use "kinit" to verify a specified SPN. This tool creates a Kerberos AS-ticket and stores it in a cache. For security reasons, this cache is meant to be used by operating system components.
To have kinit in Windows I install the latest Java JDK (http://www.oracle.com/technetwork/java/javase/downloads/index.html).
Syntax: kinit <SPN>. The application will ask you for the password. If you enter the correct password, you'll have an AS-ticket created and stored in the Kerberos cache.
Then you may list the content of the Kerberos cache using klist -c.
Kerberos tickets can be generated using ktpass as well. On the Windows prompt (assuming a KDC is installed):
ktpass -out <file>.keytab -mapuser <username>@REALM-IN-CAPS -pass <of-user> -crypto all -ptype KRB5_NT_PRINCIPAL -princ spn-of-user@REALM-IN-CAPS
This will generate *.keytab in the current working directory.