UAC and ktpass.exe

User Account Control (UAC) is a feature introduced in Windows Vista and Windows Server 2008 that is designed to protect Windows-based systems from processes running with administrative permissions. Instead of handing every process started by an administrator the full administrative token, UAC runs processes with a filtered, standard-user token by default and grants the full token only to processes that have been explicitly elevated. It’s a great idea, but the implementation is, in my humble opinion, a bit flawed.

Here’s a great example. While working on interoperability and integration documentation for Windows Server 2008, I came across a problem that prevents you from using Samba to join Linux or UNIX systems to Active Directory for the purpose of centralizing authentication to those systems (more information is available in this article). OK, no big deal; we’ve done it before with ktpass.exe, right? We’ll just drop back to using ktpass.exe and do it “old school”: map the host service principal onto the computer account and export its key to a keytab.

Here’s the output from ktpass.exe when run from a regular (non-elevated) command prompt on a Windows Server 2008 server with UAC enabled:

C:\>ktpass.exe -princ HOST/[email protected] -mapuser ADNG\VSXSOLTEST01$ -crypto all -pass Password123 -ptype KRB5_NT_PRINCIPAL -out c:\vsxsoltest01.keytab

Targeting domain controller: vswdcng02.adng.vmwarelab.net
Using legacy password setting method
Failed to set property "servicePrincipalName" to "HOST/vsxsoltest01.vmwarelab.net" on Dn "CN=VSXSOLTEST01,CN=Computers,DC=adng,DC=vmwarelab,DC=net": 0x32.
WARNING: Unable to set SPN mapping data.
If VSXSOLTEST01$ already has an SPN mapping installed for HOST/vsxsoltest01.vmwarelab.net, this is no cause for concern.
WARNING: Account VSXSOLTEST01$ is not a user account (uacflags=0x1021).
WARNING: Resetting VSXSOLTEST01$'s password may cause authentication problems if VSXSOLTEST01$ is being used as a server.

Reset VSXSOLTEST01$'s password [y/n]? y
Aborted.

This was run as an account that is not the built-in Administrator account, but is a member of Domain Admins, Schema Admins, Enterprise Admins, and the built-in Administrators group. That is exactly the situation UAC is built for: when such an account logs on interactively, the process token it receives is a filtered one in which those administrative group SIDs are present only as deny-only entries, so until a process is elevated it has nothing more than standard-user rights. ktpass.exe performs its LDAP modify of servicePrincipalName with that token, and the directory refuses it; 0x32 is LDAP result code 50, insufficientAccessRights. (The “uacflags=0x1021” in the second warning has nothing to do with User Account Control: it is the account’s userAccountControl attribute, and the 0x1000 bit is WORKSTATION_TRUST_ACCOUNT, i.e. a computer account, which is all that warning is telling you.)

Take that same command and run it on the same server after disabling UAC, and it runs just fine. No errors, no warnings, no problems. Clearly, UAC is interfering with ktpass.exe.

If you need to integrate Linux and/or UNIX systems into Active Directory for authentication, keep this in mind: with UAC enabled, ktpass.exe has to run with a full administrative token before it can map service principals onto accounts. Disabling UAC (and rebooting the server) is what got it working for me, but that removes the protection from every process on the box, not just ktpass.exe; as several of the comments below confirm, launching ktpass.exe from a command prompt started with “Run as administrator” produces the same result and leaves UAC turned on.
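The check-then-elevate approach, followed by verification of the SPN write that failed with 0x32 above, as an added example that is not part of the original post. It assumes PowerShell 2.0 or later, ktpass.exe and setspn.exe on the PATH (both ship with Windows Server 2008), and hypothetical names: realm EXAMPLE.COM, NetBIOS domain EXAMPLE, host linuxbox.example.com and computer account LINUXBOX$. The ktpass switches are the ones used in the post.

```powershell
# Added example (not from the original post). Runs ktpass.exe with a full
# administrative token instead of disabling UAC, then verifies the SPN mapping
# that failed with 0x32 above. Assumes PowerShell 2.0+ and ktpass.exe / setspn.exe
# on the PATH. All names below are hypothetical placeholders.
param(
    [string]$Spn     = 'host/linuxbox.example.com',   # SPN to register
    [string]$Realm   = 'EXAMPLE.COM',                 # Kerberos realm (AD domain, upper case)
    [string]$Account = 'EXAMPLE\LINUXBOX$',           # computer account to map it onto
    [string]$Keytab  = 'C:\keytabs\linuxbox.keytab'   # where ktpass writes the key
)

# Does this process hold a full administrative token? Under UAC an administrator's
# interactive logon gets a filtered token in which the Administrators SID is
# deny-only, so this returns $false until the process has been elevated.
function Test-Elevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

if (-not (Test-Elevated)) {
    # Re-launch this script through the UAC consent prompt (the same thing
    # "Run as administrator" does) rather than turning UAC off server-wide.
    Write-Host 'Not elevated; relaunching with Run as administrator...'
    $self    = $MyInvocation.MyCommand.Path
    $argList = "-NoProfile -File `"$self`" -Spn `"$Spn`" -Realm `"$Realm`" " +
               "-Account `"$Account`" -Keytab `"$Keytab`""
    Start-Process -FilePath powershell.exe -Verb RunAs -ArgumentList $argList -Wait
    exit
}

# Generate a throwaway password instead of a fixed one like Password123. It only
# has to survive until ktpass has derived the keys and written them to the keytab.
# Alphanumerics only, so it passes through the command line without quoting issues.
$alphabet = [char[]]'abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789'
$password = -join (1..24 | ForEach-Object { $alphabet | Get-Random })

# Same switches the post used. Caveat: -pass on the command line is visible to
# anyone who can list processes on this server while ktpass is running.
$ktpassArgs = @(
    '-princ',   "${Spn}@${Realm}",
    '-mapuser', $Account,
    '-crypto',  'all',
    '-pass',    $password,
    '-ptype',   'KRB5_NT_PRINCIPAL',
    '-out',     $Keytab
)
& ktpass.exe @ktpassArgs
if ($LASTEXITCODE -ne 0) { throw "ktpass.exe exited with code $LASTEXITCODE" }

# Verify the step that failed under the filtered token: the SPN must now be on the
# account. setspn -L lists the SPNs registered on a computer or user account.
$computerName = ($Account -split '\\')[-1].TrimEnd('$')
$registered   = & setspn.exe -L $computerName
if (@($registered) -match [regex]::Escape($Spn)) {
    Write-Host "SPN $Spn is registered on $computerName; keytab written to $Keytab"
} else {
    throw "SPN $Spn is not registered on $computerName; check the ktpass output above"
}

# The keytab is a credential: copy it to the Linux host over SCP/SSH, then delete
# the local copy.
```

The IsInRole check is the standard way to tell a filtered token from a full one: with UAC on, it returns false for the very same Domain Admins account the post was using until the process has gone through the consent prompt, which is why the script relaunches itself with -Verb RunAs instead of asking anyone to disable UAC. The setspn -L check at the end is the part worth keeping even if you run ktpass by hand, because ktpass still writes a keytab after the SPN update fails.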


10 comments

  1. Ian

    Scott,
    Excellent blog! I’m a CLI kind of guy myself, and this UAC limitation perpetually ticked me off as well. However, I found out that you can get a CLI shell with admin rights, but you need to use the GUI to get it. Click the Start button, then Shift-right-click the “Command Prompt” icon. It should give you a “Run as Administrator” option. When you select that, you’ll get the UAC prompt, but once you OK that, you’ll get a CLI that runs as the built-in Administrator account. It’s the only way I’ve seen so far on a Vista box to get a privileged CLI.

    V/R,
    Ian

  2. slowe

    Ian,

    Thanks for the tip! I’ll be sure to use this tip in the future. Keep reading!

  3. PiGeon

    Hi Scott, I can confirm that ktpass works well in an elevated command prompt.

    BR

    PiGeon

    PS: The other way to run an app elevated is to press Start, type cmd, press Ctrl-Shift-Enter and confirm Yes to run the app elevated.

  4. stine

    run CMD elevated and use the following syntax:

    ktpass.exe -princ HOST/@ -mapuser \ -crypto all -pass -ptype KRB5_NT_PRINCIPAL -out filename.keytab

    and it works

  5. Jan Seidl

    Which ktpass.exe version was used? XP Support Tools’, Vista’s Microsoft Remote Server Administration Tools’ or 2003 Support Tools’?

  6. slowe

    2003 Support Tools were used, if I recall correctly.

  7. Oliver

    Scott- Thanks for the tip… that has moved my RHEL5.5 box one step closer to joining the AD domain. After copying the keytab file over from my DC when I try a ->

    kinit [email protected]

    I receive an error of:

    kinit(v5): Cannot resolve network address for KDC in realm veracyte.com while getting initial credentials

    when I restart smb in /var/log/messages I see the following

    Jul 2 17:46:26 simi winbindd[7143]: [2010/07/02 17:46:26, 0] libads/kerberos.c:ads_kinit_password(228)
    Jul 2 17:46:26 simi winbindd[7143]: kerberos_kinit_password SIMI$@VERACYTE.LAN failed: Preauthentication failed

    any ideas what could be happening here?

    Thanks in adv
    Oliver

  8. Tibor Kertesz

    Helped me a lot! I totally forgot about that #@&”! UAC thingie. THX very much!!!

Comments are now closed.