NAC and KTPass.exe

Unanswered Question
May 20th, 2010

As part of our NAC implementation we are doing SSO by authenticating against AD. That means that we need to run KTpass.exe on one domain controller in the AD domain.

The expectation that we have based upon documentation is that the userid and associated information will propagate the other domain controllers and that we will be able to authenticate no matter which server we communicate with.

The MS team has some concerns and in addition to having them talk to MS I thought I would pose the questions here.

Can the KTpass command be undone?

Can replication be confirmed without shutting down the original DC?

Are there any known issues that we should know about before hand?


I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Faisal Sehbai Thu, 05/20/2010 - 13:55


KTpass only affects on user, and nothing in your schema that would need to be undone. If you want it undone, remove that user, and the changes done to that user account will go away. If removing user isn't an option, you can always disable that account.

To confirm replication, verify user properties. Depending on what version of AD and ktpass you run, there are certain things like pre-auth for kerberos, and/or Des only encryption which would be enabled for the user. You can check and see that across your DCs to see if they're replicated

Known issues: Make sure you read the documentation thoroughly. It's almost like a magic trick to make it work with the first attempt!




This Discussion