When creating a user account in Active Directory, using the DHCP/FQDN format for the User logon name property automatically maps the service principal name to the user account being created.
However, if you don't use the proper service principal name format, you will need to map the service principal name to the account created manually.
The ktpass command configures the service principal name for the host or DHCP service in Active Directory and generates a .keytab file that contains the shared secret key of the service. If you run the ktpass command to map the service principal, make a note of the vno value that's in the output of the ktpass command. This value will be used later in Defining a DHCP service principal.
To map the service principal name by running the ktpass command:
- Execute the following ktpass command to create a mapping between the DHCP Server
and Windows users to access the Kerberos
C:\> ktpass -princ DHCP/dhcp1.bcn.com@BCN.COM -mapuser adonis_dhcp1@BCN.COM -ptype KRB5_NT_PRINCIPAL -crypto AES128-SHA1 -pass password -out dhcp1.bcn.com.keytab
- -princ—the principal name in the form of user@REALM
- -mapuser—maps the name of the principal to the local user account
- -ptype—the principal type in use
- -crypto—sets the encryption type to use
- -pass—the password of the local user account (when prompted for password, enter the password used to create the Kerberos user in Windows
- -out—the name for the generated keytab fileNote:
- The vno value will increase by 1 whenever the ktpass command is run again.
- ktpass is included with Windows 2008 R2. If running Windows 2003, ktpass must be downloaded from Microsoft.
C:\> ktpass -princ DHCP/dhcp1.bcn.com@BCN.COM -mapuser adonis_dhcp1@BCN.COM -ptype
KRB5_NT_PRINCIPAL -crypto AES128-SHA1 -pass password -out dhcp1.bcn.com.keytab
Targeting domain controller: windows-dc.bcn.com
Using legacy password setting method
Successfully mapped DHCP/dhcp1.bcn.com to dhcp1.
Output keytab to dhcp1.bcn.com.keytab
Keytab version: 0x502
keysize 81 DHCP/dhcp1.bcn.com@BCN.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 2 etype 0x12
(AES128-SHA1) keylength 32