
I'm trying to create the keytab for a service account. It worked just fine a few days ago, but when I came back and ran it I got a warning message, and I want to know what the cause is and how to solve it:

ktpass  -princ  http/contoso1.com@abc.com `
        -mapuser u985test `
        -crypto AES256-SHA1 `
        -ptype KRB5_NT_PRINCIPAL `
        -pass P4ssw0rd234 `
        -out $keytabFile

and I got

WARNING: The Key version used by Windows (277) is too big
to be encoded in a keytab without truncating it to 21.
This is due to a limitation of the keytab file format
and may lead to interoperability issues.
Do you want to proceed and truncate the version number
Ender

2 Answers

1

The key version number (KVNO) is basically incremented when the password changes, and helps catch out-of-sync data when the numbers don't match. The file format you're exporting to limits it to one byte, so the higher bits are ignored when it is exported. It should not cause a problem, as data from 256 password changes ago should be long gone, but it might cause a problem in edge cases, hence the warning.

277 = 0001 0001 0101
21  =      0001 0101

Some reference info: https://blogs.msdn.microsoft.com/openspecification/2009/11/13/to-kvno-or-not-to-kvno-what-is-the-version/

Brian
  • Thanks for the answer. I understood some of it, but could you explain more about the cause? I'm new and quite confused – Ender Jun 25 '18 at 12:09
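To make the one-byte limitation concrete, here is an added example (not part of the answer above, and not ktpass's own code) that writes a single entry in the MIT v2 keytab layout, reads it back, and reports which version number a Kerberos library would see. The key bytes, the principal and the realm `ABC.COM` are constructed for the demonstration; the account KVNO of 277 is the value from the warning in the question. The mandatory `vno` field in each entry really is a single byte, which is why 277 comes out as 21; the trailing 32-bit `vno` is an optional extension that some writers append (the example assumes ktpass did not, since that is what the warning implies).

```python
"""Build and parse MIT-format keytab entries to see what the ktpass
KVNO warning is about: the per-entry version field is a single byte."""
import struct

KEYTAB_MAGIC = b"\x05\x02"            # keytab file format version 2
KRB5_NT_PRINCIPAL = 1
ENCTYPE_AES256_CTS_HMAC_SHA1_96 = 18  # what ktpass calls AES256-SHA1


def _octet_string(b: bytes) -> bytes:
    """counted_octet_string: uint16 big-endian length, then the bytes."""
    return struct.pack(">H", len(b)) + b


def build_keytab(principal: str, realm: str, kvno: int, key: bytes,
                 enctype: int = ENCTYPE_AES256_CTS_HMAC_SHA1_96,
                 timestamp: int = 0, write_vno32: bool = False) -> bytes:
    """Return a one-entry keytab. The mandatory vno field is one byte, so
    kvno is stored modulo 256; the optional trailing uint32 vno is the
    later extension that can carry the full value."""
    components = principal.split("/")
    body = struct.pack(">H", len(components))
    body += _octet_string(realm.encode())
    for c in components:
        body += _octet_string(c.encode())
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF)
    body += struct.pack(">H", enctype) + _octet_string(key)
    if write_vno32:
        body += struct.pack(">I", kvno)
    return KEYTAB_MAGIC + struct.pack(">i", len(body)) + body


def parse_keytab(data: bytes) -> list:
    """Decode every entry of a v2 keytab into dicts."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                  # a negative size marks a deleted entry
            pos += -size
            continue
        end = pos + size

        def take() -> bytes:
            nonlocal pos
            (n,) = struct.unpack_from(">H", data, pos)
            pos += 2
            s = data[pos:pos + n]
            pos += n
            return s

        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm = take().decode()
        comps = [take().decode() for _ in range(ncomp)]
        name_type, ts, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        key = take()
        vno32 = None
        if end - pos >= 4:            # optional 32-bit vno extension present
            (vno32,) = struct.unpack_from(">I", data, pos)
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "name_type": name_type, "timestamp": ts,
                        "enctype": enctype, "key": key,
                        "vno8": vno8, "vno32": vno32})
    return entries


def effective_kvno(entry: dict) -> int:
    """The version a Kerberos library uses: the 32-bit vno when present
    and non-zero, otherwise the single byte."""
    if entry["vno32"]:
        return entry["vno32"]
    return entry["vno8"]


def kvno_in_sync(entry: dict, account_kvno: int) -> bool:
    """Does the entry agree with the account's current KVNO
    (msDS-KeyVersionNumber in AD)? With only the one-byte field the
    best available check is equality modulo 256."""
    if entry["vno32"]:
        return entry["vno32"] == account_kvno
    return entry["vno8"] == account_kvno & 0xFF


# Constructed sample: a made-up 32-byte key, not a real AES key.
FAKE_KEY = bytes(range(32))
ACCOUNT_KVNO = 277   # the value ktpass reported for the account

if __name__ == "__main__":
    kt = build_keytab("http/contoso1.com", "ABC.COM", ACCOUNT_KVNO, FAKE_KEY)
    e = parse_keytab(kt)[0]
    print(e["principal"], "vno8 =", e["vno8"], "vno32 =", e["vno32"],
          "in sync:", kvno_in_sync(e, ACCOUNT_KVNO))
```

Run against a real keytab (`parse_keytab(open(path, "rb").read())`), `vno8` is the number the warning says it will truncate to, and `kvno_in_sync` is the comparison worth making against the account's `msDS-KeyVersionNumber` after any password change, since that mismatch is the condition the warning is about.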
0

Thanks to @Brian's answer, I've figured it out. I should specify the -kvno parameter:

ktpass  -princ  http/contoso1.com@abc.com `
        -mapuser u985test `
        -crypto AES256-SHA1 `
        -ptype KRB5_NT_PRINCIPAL `
        -kvno 1 `
        -pass P4ssw0rd234 `
        -out $keytabFile

Problem solved!

Ender