Hello everyone!
Yesterday I got a task to create a service account for SSO on our web server.
1) First I created an AD user account and set the following names and password:
Samaccountname: TESTO1
UserPrincipalName: HTTP/TESTO1.MYDOMAIN.COM@MYDOMAIN.COM
Password: Qwerty123
2) Then I successfully logged in with this username and password.
3) Then I opened an elevated command prompt on my first DC (DC01) to create a keytab file and map the SPN to the TESTO1 user account.
I entered the following command in CMD:
ktpass /ptype KRB5_NT_PRINCIPAL /mapuser TESTO1 /princ HTTP/TESTO1.MYDOMAIN.COM@MYDOMAIN.COM /pass Qwerty123 /out sd2.keytab /target MYDOMAIN.COM
and received this result:
Successfully mapped HTTP/TESTO1.MYDOMAIN.COM to TESTO1.
Password succesfully set!
Key created.
Output keytab to sd2.keytab:
Keytab version: 0x502
keysize 33 @(null) ptype 0 (KRB5_NT_UNKNOWN) vno 0 etype 0x0 (None) keylength 16
(0x001b1e00c40018004800420043002e00)
The file generated by this command doesn't work.
But if I try this command on another DC (DC02 or DC03), the file is generated completely and I can use it on the web server.
Result from the other DCs:
Successfully mapped HTTP/TESTO1.MYDOMAIN.COM to TESTO1.
Password succesfully set!
Key created.
Output keytab to sd2.keytab:
Keytab version: 0x502
keysize 60 HTTP/TESTO1.MYDOMAIN.COM@MYDOMAIN.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 11 etype 0x17 (RC4-HMAC) keylength 16 (0x2ed6a93e86465cd6fc5183197a959e5d)
Any suggestions on what the cause of the problem could be and how to troubleshoot it? All other services on my DC are fine; dcdiag passed all tests (except systemlog).
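Added diagnostic example (my own code, not from the original post or from ktpass): a parser for the MIT keytab format that ktpass writes (version 0x502), plus a check that flags the symptoms visible in the DC01 output (no principal, ptype 0, etype 0, vno 0). The two sample keytabs are constructed inline to mirror the two outputs above; the 16-byte key is a placeholder, not a real key.

```python
import struct

def _octets(data, off):
    # counted octet string: uint16 big-endian length followed by the bytes
    (n,) = struct.unpack_from(">H", data, off)
    return data[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Parse an MIT-format (version 0x502) keytab into a list of entry dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x502 keytab")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:            # a negative size marks a deleted slot: skip it
            off += -size
            continue
        end, p = off + size, off
        (ncomp,) = struct.unpack_from(">H", data, p)
        realm, p = _octets(data, p + 2)
        comps = []
        for _ in range(ncomp):
            c, p = _octets(data, p)
            comps.append(c.decode())
        ptype, _ts, vno8, etype, klen = struct.unpack_from(">IIBHH", data, p)
        key, p = data[p + 13:p + 13 + klen], p + 13 + klen
        # a 32-bit vno follows the key only when the entry has room for it
        vno = struct.unpack_from(">I", data, p)[0] if end - p >= 4 else vno8
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "ptype": ptype, "vno": vno, "etype": etype, "key": key})
        off = end
    return entries

def check_keytab(data):
    """Flag the defects the DC01 output showed: no principal, ptype 0, etype 0 (None), vno 0."""
    rules = (("empty principal", lambda e: e["principal"] == "@"),
             ("ptype is not KRB5_NT_PRINCIPAL (1)", lambda e: e["ptype"] != 1),
             ("etype 0 (None)", lambda e: e["etype"] == 0), ("vno 0", lambda e: e["vno"] == 0))
    return [f"entry {i}: {msg}" for i, e in enumerate(parse_keytab(data)) for msg, bad in rules if bad(e)]

def build_entry(comps, realm, ptype, vno, etype, key):
    """Serialise one entry; used here only to construct offline sample keytabs."""
    body = struct.pack(">H", len(comps)) + b"".join(struct.pack(">H", len(s)) + s for s in [realm] + comps)
    body += struct.pack(">IIBHH", ptype, 0, vno & 0xFF, etype, len(key)) + key
    return struct.pack(">i", len(body)) + body

KEY = b"\x11" * 16   # constructed placeholder, not a real RC4-HMAC key
GOOD = b"\x05\x02" + build_entry([b"HTTP", b"TESTO1.MYDOMAIN.COM"], b"MYDOMAIN.COM", 1, 11, 0x17, KEY)
BAD = b"\x05\x02" + build_entry([], b"", 0, 0, 0, KEY)   # 33-byte entry body, like the DC01 output
```

Running check_keytab over the real sd2.keytab from each DC shows which file carries a usable HTTP/TESTO1.MYDOMAIN.COM entry before it is copied to the web server.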