
KTPASS error

estelamathew
Level 2

Hello

When I run the Ktpass command in the Windows command prompt I get the below error.

C:\Program Files\Support Tools>ktpass.exe -princ casuser/ruspdc.rus.hom.gov.uk@
RUS.HOM.GOV.UK -mapuser casuser -pass cisco123 -out c:\casuser.keytab -ptype KR
B5_NT_PRINCIPAL +DesOnly

DsCrackNames returned 0x2 in the name entry for casuser.
ktpass:failed getting target domain for specified user.

There are two files in the Support Tools folder, Ktsetup.exe and ktpass; the version for ktsetup.exe is 5.2.3790.0 and the version for ktpass is 5.2.3790.3959.

Can anybody help me with the below error?

12 Replies

Faisal Sehbai
Level 7

Estela,

Assuming that your NETBIOS domain name is RUSHOM, change the line to the following:

C:\Program Files\Support Tools>ktpass.exe -princ casuser/ruspdc.rus.hom.gov.uk@
RUS.HOM.GOV.UK -mapuser RUSHOM\casuser -pass cisco123 -out c:\casuser.keytab -ptype KR
B5_NT_PRINCIPAL +DesOnly

HTH,

Faisal

--

If you find this post helpful, please rate so others can find the answer easily

Hello Faisal,

I'm getting the same error. What am I missing?

Thanks

Estela,

What AD are you on? 2k3 or 2k8?

You can try to modify it further like this:

C:\Program Files\Support Tools>ktpass.exe -princ casuser/ruspdc.rus.hom.gov.uk@
RUS.HOM.GOV.UK -mapuser casuser@rus.hom.gov.uk -pass cisco123 -out c:\casuser.keytab -ptype KR
B5_NT_PRINCIPAL +DesOnly

HTH,

Faisal


Hello Faisal,

C:\Program Files\Support Tools>ktpass.exe -princ casuser/ruspdc.rus.hom.gov.uk@
RUS.HOM.GOV.OM -mapuser casuser@rus.hom.gov.uk -pass cisco123 -out c:\casuser.
keytab -ptype KRB5_NT_PRINCIPAL +DesOnly
Targeting domain controller: ruspdc.rus.hom.gov.uk
Successfully mapped casuser/ruspdc.rus.hom.gov.uk to casuser.
Password succesfully set!
Key created.
Output keytab to c:\casuser.keytab:
Keytab version: 0x502
keysize 81 casuser/ruspdc.rus.hom.gov.uk@RUS.HOM.GOV.UK ptype 1 (KRB5_NT_PRINC
IPAL) vno 3 etype 0x17 (RC4-HMAC) keylength 16 (0xa6bff48bf06f43ae7fb903ce7b00ee
a2)
Account casuser has been set for DES-only encryption

IT IS WIN 2K3

The user is mapped successfully, as you can see in the above output, but I'm getting the below error when I enable the check box for Enable Agent-Based Windows Single Sign-On with Active Directory

Error : Could not start the SSO service. Please check the configuration.

Troubleshooting I did:

  1. CAS and CAM are both pingable from AD.
  2. Time difference is only 1 sec between the CAM & CAS and AD.
  3. Casuser password in AD is very much correct.
  4. Ktpass run before was a success, as shown by the above output.

In support logs I see the below error:

com.perfigo.wlan.jmx.adsso.GSSServer

I think I should use NetBIOS SSO instead of Active Directory SSO, according to your previous mail's NetBIOS hints. Please correct me if I'm wrong.

Enable Transparent Windows Single Sign-On with NetBIOS/SMB <------  I should enable check box here.

Thanks.
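
The ktpass output in the post above reports keytab version 0x502 and a single entry with etype 0x17 (RC4-HMAC), although the run passed +DesOnly. As an added example (not code from any poster in this thread), here is a parser for that keytab layout that lists each entry's principal, kvno and enctype so a file such as c:\casuser.keytab can be checked after ktpass runs. The sample bytes are constructed to mirror the post's output, with a zero-filled placeholder key; the function names are illustrative.

```python
import struct

# Kerberos enctype numbers; 0x17 (23) is the one in the ktpass output above.
ETYPES = {1: "DES-CBC-CRC", 3: "DES-CBC-MD5", 17: "AES128", 18: "AES256", 23: "RC4-HMAC"}
DES_ETYPES = {1, 2, 3}

def _parse_entry(buf):
    off = 0
    def take(fmt):
        nonlocal off
        (val,) = struct.unpack_from(fmt, buf, off)
        off += struct.calcsize(fmt)
        return val
    def counted():                  # 16-bit length followed by that many bytes
        nonlocal off
        n = take(">H")
        off += n
        return buf[off - n:off]
    ncomp = take(">H")
    realm = counted().decode()
    comps = [counted().decode() for _ in range(ncomp)]
    ptype, _ts, kvno, etype = take(">I"), take(">I"), take(">B"), take(">H")
    key = counted()
    if len(buf) - off >= 4:         # optional 32-bit kvno overrides the 8-bit one
        kvno = take(">I") or kvno
    return {"principal": "/".join(comps) + "@" + realm, "ptype": ptype, "kvno": kvno,
            "etype": etype, "etype_name": ETYPES.get(etype, hex(etype)), "keylen": len(key)}

def parse_keytab(data):             # version 0x502: all fields big-endian
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size > 0:                # a negative size marks a deleted slot
            entries.append(_parse_entry(data[pos:pos + size]))
        pos += abs(size)
    return entries

def non_des_entries(entries):
    """Entries whose key is not single-DES, worth a look after a +DesOnly run."""
    return [e for e in entries if e["etype"] not in DES_ETYPES]

def build_sample():
    """Constructed keytab mirroring the post's output; key is a zero placeholder."""
    c = lambda b: struct.pack(">H", len(b)) + b
    body = (struct.pack(">H", 2) + c(b"RUS.HOM.GOV.UK") + c(b"casuser")
            + c(b"ruspdc.rus.hom.gov.uk") + struct.pack(">IIBH", 1, 0, 3, 0x17) + c(bytes(16)))
    return b"\x05\x02" + struct.pack(">i", len(body)) + body
```

To inspect a real file, pass its bytes to `parse_keytab`, for example `parse_keytab(open(path, "rb").read())`.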

Hi Estela,

Please be aware that version 5.2.3790.3959 will not work with Win2k3 and CCA AD SSO.

The correct version is 5.2.3790.0, and I am attaching it in this post (extract it and please rename it as "ktpass.exe").

Replace the ktpass file and run the command as shown below:

HTH,

Tiago

--

If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

Hello Tiago,

I have done as advised with your Ktpass.exe; it is giving the below error


C:\Program Files\Support Tools>ktpass.exe -princ casuser/ruspdc.rus.hom.gov.uk@
RUS.HOM.GOV.UK -mapuser casuser -pass cisco123 -out c:\casuser.keytab -ptype KR
B5_NT_PRINCIPAL +DesOnly


DsCrackNames returned 0x2 in the name entry for casuser.

Hello Faisal,

After changing the Ktpass.exe according to Tiago's post, when I run the ktpass.exe command according to your advice in the previous mail, I found the below error.

C:\Program Files\Support Tools>ktpass.exe -princ casuser/ruspdc.rus.hom.gov.uk@
RUS.HOM.GOV.UK -mapuser casuser@rus.hom.gov.uk -pass cisco123 -out c:\casuser.
keytab -ptype KRB5_NT_PRINCIPAL +DesOnly

Targeting domain controller: ruspdc.rus.hom.gov.uk
Failed to set property "servicePrincipalName" to "casuser/ruspdc.rus.hom.gov.uk
" on Dn "CN=CAS NAC,CN=Users,DC=rus,DC=hom,DC=gov,DC=uk": 0x14.
WARNING: Unable to set SPN mapping data.
  If casuser already has an SPN mapping installed for  casuser/ruspdc.rus.hom.g
ov.uk, this is no cause for concern.

Before, the ktpass was successful, but after changing it, it is not. What are your comments, experts??? Please help.

Thanks

Hi Estela,

I would advise deleting the casuser, creating a new one with a different name, and following these steps:

1. Open Active Directory Management console
2. Create a user for CAS (eg: User: cas1sso, Password: cisco123)
3. Make sure FirstName = LastName = FullName = Username for the account
4. Check "Password never expires"
5. Uncheck "User must change password at next logon"
6. Execute the following command
ktpass.exe -princ cas1sso/dcse.se.cca.cisco.com@SE.CCA.CISCO.COM  -mapuser
ssose -pass Cisco123 -out c:\ssose.keytab -ptype KRB5_NT_PRINCIPAL +DesOnly

C:\Program Files\Support Tools>ktpass.exe -princ cas1sso/ruspdc.rus.hom.gov.uk@RUS.HOM.GOV.UK -mapuser cas1sso -pass cisco123 -out c:\cas1sso.keytab -ptype KRB5_NT_PRINCIPAL +DesOnly


HTH,

Tiago


Hello Tiago,

Still the same error.

DsCrackNames returned 0x2 in the  name entry for nac

I have given full rights for this user as an enterprise admin.

Thanks

Hum... this starts to be strange...

Are you sure the OS is Windows Server 2003?

Any SP?

You may want to consider opening a TAC case for deeper troubleshooting...

HTH,

Tiago


Hello Tiago,

WIN 2003 R2 Enterprise Edition SP2.

Thanks

Hi Estela,

OK then, I confirm that the version of ktpass I provided to you is the correct one, "5.2.3790.0".

If it is still giving the error, then I believe it is time to open a case with TAC.

Thanks,

Tiago


Anyone get this working?

Is Cisco NAC not supported on Windows 2008?

We get a similar error to the above!

Targeting domain controller: domain.controller

Failed to set property "servicePrincipalName" to "nacsso/domain.controller.domain.com
" on Dn "CN=nacsso,CN=Users,DC=Domain.Controller,DC=domain,DC=com: 0x32.
WARNING: Unable to set SPN mapping data.
