If the password is updated on a user object in Active Directory (AD) but the corresponding keytab file has not been updated, authentication may fail. The Key Version Number (Kvno/Vno) of the user object and the keytab will be different.
For the purposes of this article
1. To view the contents of the keytab file
# /opt/quest/bin/vastool ktutil -k /etc/opt/quest/vas/SAP.keytab list
Vno Type Principal Aliases
2 aes128-cts-hmac-sha1-96 client-SAP@EXAMPLE.COM
2 aes128-cts-hmac-sha1-96 SAP/client@example.com@EXAMPLE.COM
2 aes256-cts-hmac-sha1-96 client-SAP@EXAMPLE.COM
2 aes256-cts-hmac-sha1-96 SAP/client@example.com@EXAMPLE.COM
2 arcfour-hmac-md5 client-SAP@EXAMPLE.COM
2 arcfour-hmac-md5 SAP/client@example.com@EXAMPLE.COM
2. To view the Kvno of the user object in AD
# /opt/quest/bin/vastool -u administrator attrs client-SAP msDS-KeyVersionNumber
Password for administrator@EXAMPLE.COM:
msDS-KeyVersionNumber: 4
3. To change the password on the user object in AD and update the keytab file
Note: You will be prompted to enter a new password for the AD user object
# /opt/quest/bin/vastool -u administrator passwd -k /etc/opt/quest/vas/SAP.keytab client-SAP
Password for administrator@EXAMPLE.COM:
administrator@EXAMPLE.COM setting password for client-SAP@EXAMPLE.COM...
New password for client-SAP@EXAMPLE.COM:
Verify password - New password for client-SAP@EXAMPLE.COM:
Saving new key in keytab file: /etc/opt/quest/vas/SAP.keytab
Password for client-SAP@EXAMPLE.COM was successfully set
4. To manually update the keytab file with the latest Kvno and password without changing the password on the user object in AD
Note: You will be prompted to enter the current password for the AD user object
# In this example we use -V 3 to increment current Vno from 2 to 3
# /opt/quest/bin/ktutil -k /etc/opt/quest/vas/SAP.keytab add -V 3 -e arcfour-hmac-md5 -p client-SAP@EXAMPLE.COM
Password:
Verify password - Password:
Repeat this step for each encryption type (-e) and principal (-p)
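
Steps 1 and 2 can be combined into a scripted check that reports which encryption types in the keytab are behind the Kvno stored in AD. This is an added example, not part of the original article or of the vastool product: the function names are hypothetical, the sample text is copied from the output shown in steps 1 and 2, and it assumes the highest Vno held for each encryption type is the one that must match AD.

```shell
#!/bin/sh
# Added example: flag keytab entries whose Vno differs from msDS-KeyVersionNumber.
# Function names are hypothetical; sample text is copied from steps 1 and 2.

sample_listing() {   # stands in for: vastool ktutil -k <keytab> list
cat <<'EOF'
Vno Type Principal Aliases
2 aes128-cts-hmac-sha1-96 client-SAP@EXAMPLE.COM
2 aes256-cts-hmac-sha1-96 client-SAP@EXAMPLE.COM
2 arcfour-hmac-md5 client-SAP@EXAMPLE.COM
2 arcfour-hmac-md5 SAP/client@example.com@EXAMPLE.COM
EOF
}

sample_attrs() {     # stands in for: vastool -u <admin> attrs <user> msDS-KeyVersionNumber
cat <<'EOF'
Password for administrator@EXAMPLE.COM:
msDS-KeyVersionNumber: 4
EOF
}

# Print the number from the "msDS-KeyVersionNumber: N" line read on stdin.
ad_kvno() {
    awk -F': *' '$1 == "msDS-KeyVersionNumber" { print $2; exit }'
}

# stdin: keytab listing; $1: principal; $2: Kvno from AD.
# Prints "<enctype> <highest Vno in keytab> OK|STALE" per encryption type.
keytab_check() {
    awk -v princ="$1" -v want="$2" '
        $1 ~ /^[0-9]+$/ && $3 == princ {
            if (!($2 in max) || $1 + 0 > max[$2]) max[$2] = $1 + 0
        }
        END {
            for (e in max)
                printf "%s %d %s\n", e, max[e], (max[e] == want + 0 ? "OK" : "STALE")
        }' | sort
}

# Exit status: 0 = every enctype matches, 1 = at least one stale, 2 = principal absent.
keytab_in_sync() {
    report=$(keytab_check "$1" "$2")
    [ -n "$report" ] || return 2
    case "$report" in *STALE*) return 1 ;; esac
    return 0
}

kvno=$(sample_attrs | ad_kvno)
sample_listing | keytab_check client-SAP@EXAMPLE.COM "$kvno"
```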
© 2024 One Identity LLC. ALL RIGHTS RESERVED.