Create-KeyTab

Create KeyTab PowerShell Script

Create A KeyTab File Using PowerShell

This script generates keytab files off-line for use with Active Directory (AD). The script itself does not depend on AD, but it can be driven by a wrapper script that uses Get-ADUser or Get-ADObject to retrieve the UPN for a samaccountname, or for a list of samaccountnames, so that KeyTab files can be created in batch.

The script is an alternative to ktpass. It offers the benefit of running on any server or workstation with PowerShell, and it allows KeyTab file creation to be delegated to individuals who are not domain admins. As long as the account has a UPN, and the user or group creating KeyTab files can read that UPN and knows the password, they can create a working KeyTab file.

Note: The SALT for AES must be at least 8 bytes. If the UPN with the @ removed (for upn@domain.com, upn plus DOMAIN.COM) is shorter than 8 characters, this script restricts you to RC4 unless you increase the length of the principal.

Requirements

  • Windows 10/2016 System (PowerShell Version 5.1.16299.1146). Earlier versions may work.
  • The UPN used to generate the KeyTab must match the one used in AD.
  • The primary/principal part of the UPN is case sensitive.
  • The REALM is always hashed using upper case.

Examples

Create a KeyTab file with parameters.

PS D:\Temp> .\Create-KeyTab.ps1 -AES128 -AES256 -Realm DEV.HOME -Principal http/AppService

Create a KeyTab without parameters.

PS D:\Temp> .\Create-KeyTab.ps1

Default encryption is AES-256.

When creating a KeyTab with AES, the primary/principal part of the UPN is case sensitive in the SALT. The realm portion is hashed in upper case even if it is not upper case in the UPN attribute; the script forces the realm to upper case.

Optional Parameters

-SALT : Use a custom SALT
-File : KeyTab file path. Default = CurrentDirectory\login.keytab
-KVNO : Default = 1. Exceeding 255 will wrap the KVNO. The 32-bit KVNO field is not implemented.
-PType : Default = KRB5_NT_PRINCIPAL
-RC4 : Generate RC4 key
-AES128 : Generate AES128 key
-AES256 : Generate AES256 key
-Append : Append key data to an existing KeyTab file.
-Quiet : Suppress text output
-NoPrompt : Suppress the "write KeyTab file" prompt

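The file layout behind the -File, -KVNO, -PType and -Append options, as an added Python example that is not the project's own code. It follows the MIT keytab version 2 record layout (header 0x05 0x02, then one length-prefixed record per key, all integers big-endian). The names `encode_entry`, `build_keytab`, `append_entries`, `parse_keytab` and `write_keytab` are chosen here, the key bytes in the usage are constructed placeholders, and only the 8-bit vno field is written, which is what makes a KVNO above 255 wrap as the option list notes. Name type 1 is KRB5_NT_PRINCIPAL and the enctype numbers are the RFC 3961/3962/4757 values.

```python
"""Added example (not the Create-KeyTab script): build, append to and parse
MIT keytab version 2 files."""
import os
import struct

KRB5_NT_PRINCIPAL = 1                                   # default name type
ETYPE = {"rc4": 23, "aes128": 17, "aes256": 18}         # RFC enctype numbers
KEYTAB_MAGIC = b"\x05\x02"                              # keytab format version 2


def _counted(data: bytes) -> bytes:
    """counted_octet_string: uint16 big-endian length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def encode_entry(realm: str, principal: str, etype: int, key: bytes, kvno: int = 1,
                 name_type: int = KRB5_NT_PRINCIPAL, timestamp: int = 0) -> bytes:
    """One keytab record. Components are separated by '/' (e.g. 'http/AppService').
    The realm is stored upper-cased, the principal components as given (case sensitive).
    Only the 8-bit vno is written, so kvno wraps at 256."""
    components = principal.split("/")
    body = struct.pack(">H", len(components))            # v2: realm is not counted
    body += _counted(realm.upper().encode("utf-8"))
    for c in components:
        body += _counted(c.encode("utf-8"))
    body += struct.pack(">II", name_type, timestamp)
    body += struct.pack(">B", kvno & 0xFF)               # vno8: 257 becomes 1
    body += struct.pack(">HH", etype, len(key)) + key     # keyblock
    return struct.pack(">i", len(body)) + body            # positive size = live record


def build_keytab(entries) -> bytes:
    """A fresh keytab image: magic header followed by the records."""
    return KEYTAB_MAGIC + b"".join(entries)


def append_entries(existing: bytes, entries) -> bytes:
    """What -Append does: keep the existing image and add records at the end."""
    if existing[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 keytab")
    return existing + b"".join(entries)


def parse_keytab(data: bytes) -> list:
    """Walk the records; a negative size marks a deleted slot and is skipped."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 keytab")
    pos, out = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        rec, pos = data[pos:pos + abs(size)], pos + abs(size)
        if size <= 0:
            continue
        off = 0
        (ncomp,) = struct.unpack_from(">H", rec, off); off += 2
        strings = []
        for _ in range(ncomp + 1):                       # realm first, then components
            (n,) = struct.unpack_from(">H", rec, off); off += 2
            strings.append(rec[off:off + n].decode("utf-8")); off += n
        name_type, ts = struct.unpack_from(">II", rec, off); off += 8
        kvno = rec[off]; off += 1                        # vno8
        etype, klen = struct.unpack_from(">HH", rec, off); off += 4
        key = rec[off:off + klen]; off += klen
        if off + 4 <= len(rec):                          # optional 32-bit vno (not written above)
            (vno32,) = struct.unpack_from(">I", rec, off)
            kvno = vno32 or kvno
        out.append({"realm": strings[0], "principal": "/".join(strings[1:]), "name_type": name_type,
                    "timestamp": ts, "kvno": kvno, "etype": etype, "key": key})
    return out


def write_keytab(path: str, entries, append: bool = False) -> None:
    """File-level wrapper: create login.keytab-style files or append to one."""
    if append and os.path.exists(path):
        with open(path, "rb") as f:
            data = append_entries(f.read(), entries)
    else:
        data = build_keytab(entries)
    with open(path, "wb") as f:
        f.write(data)


if __name__ == "__main__":
    # constructed placeholder keys; real keys come from the string-to-key function
    image = build_keytab([encode_entry("dev.home", "http/AppService", ETYPE["aes256"], bytes(32))])
    image = append_entries(image, [encode_entry("dev.home", "http/AppService", ETYPE["rc4"], bytes(16), kvno=257)])
    for rec in parse_keytab(image):
        print(rec["principal"], "@", rec["realm"], "etype", rec["etype"], "kvno", rec["kvno"])
```

The parser is also a quick way to check a file produced by the script: the realm should come back upper-cased, the principal exactly as typed, and the kvno of any record created with -KVNO 256 or higher will read back wrapped.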
From MS-KILE 3.1.1.2 Cryptographic Material

KILE concatenates the following information to use as the key salt for principals:

  • User accounts: <DNS name of the realm, converted to upper case> | <user name>
  • Computer accounts: <DNS name of the realm, converted to upper case> | "host" | <computer name, converted to lower case with trailing "$" stripped off> | "." | <DNS name of the realm, converted to lower case>
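How the salt rules above and the AES key derivation fit together, as an added Python example rather than the script's own code. It implements the two MS-KILE salt forms (the user-account form is what a UPN such as http/AppService@dev.home produces, with the case rules from the Requirements section) and the RFC 3962 string-to-key function: PBKDF2-HMAC-SHA1 over the UTF-8 password and salt, followed by the RFC 3961 DK step that AES-encrypts the n-folded constant "kerberos". A small AES encryptor is included so the block runs with the standard library only. The function names, the 8-byte salt check in `salt_from_upn` (mirroring this README's note; it assumes the MS-KILE order, realm first) are choices made for this example; 4096 iterations is the RFC 3962 default, and the values in the usage are the RFC 3962 appendix B vector.

```python
"""Added example (not the Create-KeyTab script): MS-KILE salt rules and the
RFC 3962 AES string-to-key function, with a small AES encryptor for DK()."""
import hashlib


def user_salt(realm: str, user: str) -> str:
    """User accounts: realm upper-cased, then the user name as-is (case sensitive)."""
    return realm.upper() + user


def computer_salt(realm: str, computer: str) -> str:
    """Computer accounts: REALM | "host" | name (lower, trailing $ removed) | "." | realm (lower)."""
    name = computer.lower().rstrip("$")
    return realm.upper() + "host" + name + "." + realm.lower()


def salt_from_upn(upn: str) -> str:
    """Salt for a user-account UPN such as http/AppService@dev.home (assumes realm first).
    The README's 8-byte minimum for AES is enforced the same way here."""
    user, realm = upn.rsplit("@", 1)
    salt = user_salt(realm, user)
    if len(salt.encode("utf-8")) < 8:
        raise ValueError("salt shorter than 8 bytes: use RC4 or lengthen the principal")
    return salt


# --- minimal AES, encryption only (enough for the RFC 3961 DK step) ----------
def _xtime(b: int) -> int:
    return ((b << 1) ^ 0x1B) & 0xFF if b & 0x80 else b << 1


def _gmul(a: int, b: int) -> int:
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = _xtime(a), b >> 1
    return r


def _rotl8(v: int, n: int) -> int:
    return ((v << n) | (v >> (8 - n))) & 0xFF


def _build_sbox() -> list:
    # S-box = affine transform of the GF(2^8) multiplicative inverse
    inv = [0] + [next(y for y in range(1, 256) if _gmul(x, y) == 1) for x in range(1, 256)]
    return [i ^ _rotl8(i, 1) ^ _rotl8(i, 2) ^ _rotl8(i, 3) ^ _rotl8(i, 4) ^ 0x63 for i in inv]


SBOX = _build_sbox()


def _expand_key(key: bytes) -> list:
    nk, nr = len(key) // 4, len(key) // 4 + 6             # 4/10 for AES-128, 8/14 for AES-256
    w = [list(key[4 * i:4 * i + 4]) for i in range(nk)]
    rcon = 1
    for i in range(nk, 4 * (nr + 1)):
        t = w[i - 1][:]
        if i % nk == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]             # RotWord, SubWord
            t[0] ^= rcon
            rcon = _xtime(rcon)
        elif nk > 6 and i % nk == 4:
            t = [SBOX[b] for b in t]                         # extra SubWord for AES-256
        w.append([a ^ b for a, b in zip(w[i - nk], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(nr + 1)]   # 16-byte round keys


def _mix_column(a: list) -> list:
    x = [_xtime(v) for v in a]
    return [x[0] ^ x[1] ^ a[1] ^ a[2] ^ a[3], a[0] ^ x[1] ^ x[2] ^ a[2] ^ a[3],
            a[0] ^ a[1] ^ x[2] ^ x[3] ^ a[3], x[0] ^ a[0] ^ a[1] ^ a[2] ^ x[3]]


def aes_encrypt_block(key: bytes, block: bytes) -> bytes:
    rk = _expand_key(key)
    s = [b ^ k for b, k in zip(block, rk[0])]                   # state is column-major: s[4c + r]
    for rnd in range(1, len(rk)):
        s = [SBOX[b] for b in s]                                 # SubBytes
        s = [s[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]  # ShiftRows
        if rnd != len(rk) - 1:                                   # MixColumns, skipped in last round
            s = sum((_mix_column(s[4 * c:4 * c + 4]) for c in range(4)), [])
        s = [b ^ k for b, k in zip(s, rk[rnd])]                  # AddRoundKey
    return bytes(s)


# --- RFC 3962 string-to-key -----------------------------------------------------
NFOLD_KERBEROS = bytes.fromhex("6b65726265726f737b9b5b2b93132b93")   # n-fold("kerberos", 128)


def aes_string_to_key(password: str, salt: str, key_bits: int, iterations: int = 4096) -> bytes:
    """tkey = PBKDF2-HMAC-SHA1(password, salt); key = DK(tkey, "kerberos"): encrypt the
    n-folded constant, then the previous output block, until key_bits are filled."""
    klen = key_bits // 8
    tkey = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt.encode("utf-8"), iterations, klen)
    k1 = aes_encrypt_block(tkey, NFOLD_KERBEROS)
    return k1 if klen == 16 else k1 + aes_encrypt_block(tkey, k1)


if __name__ == "__main__":
    # RFC 3962 appendix B vector (iteration count 1), then the README's own principal
    print(aes_string_to_key("password", "ATHENA.MIT.EDUraeburn", 128, 1).hex())
    print(aes_string_to_key("secret", salt_from_upn("http/AppService@dev.home"), 256).hex())
```

The RFC salt "ATHENA.MIT.EDUraeburn" is the same realm-then-user construction as the MS-KILE user-account rule, which is why `salt_from_upn("raeburn@athena.mit.edu")` reproduces it. Changing the case of the principal changes the salt and therefore the key, while changing the case of the realm does not; a keytab whose key disagrees with the KDC's usually comes from one of those two inputs.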