Shop

Your Notifications (0)

There are currently no notifications. You're all set!

Demos Trials
Knowledge Base
ChemDraw and ChemOffice+ Products Signals Notebook E-Notebook and ChemBioOffice Enterprise Spotfire and Signals Spotfire Products Columbus Signals Image Artist
Downloads
Downloads
Community
Support Forums Ideas Portal Product Basics
About Support
Legal Resources Support and Maintenance Plans Product Life Cycle Support News
Contact Support

Unable to log on to a Windows Server domain after resetting the user account password by using the Ktpass.exe tool together with the -pass * parameter.

Rich Talbot
  • Updated
Date Posted:
Product: TIBCO Spotfire®

Problem:

Unable to log on to a Windows Server domain after resetting the user account password by using the Ktpass.exe tool together with the -pass * parameter.


Solution:

Description:
When setting up Kerberos in your Spotfire environment, you can use the ktpass.exe tool to create a keytab file. When using the Ktpass.exe tool together with the /pass * parameter, you are setting a new password. This will result in subsequent login failures when trying to login to a Windows domain using the user account specified when running the ktpass.exe tool.

 

Symptoms:
Unable to login to any computers in your domain using the user account specified when you ran the ktpass.exe tool.

Cause:
When you use the /pass * parameter in the Ktpass.exe tool, the Ktpass.exe tool appends the following extra characters to the password: \0a
 
The tool then sends the password to the Active Directory directory service. Active Directory stores an incorrect password for this user account. Because the password is incorrect, the user cannot log on to a Windows Server domain. The problem is in the * character. If you use /pass PASSWORD so that you specify a password, then no extra characters will be appended and the password will be set correctly in the Active directory.

You can use the KTPASS command with /pass PASSWORD instead and just replace PASSWORD with the password of your choosing.

Example:

ktpass /princ HTTP/<fully qualified hostname>[:<port>]@<realm> /ptype krb5_nt_principal /crypto rc4-hmac-nt /mapuser <service account name> /out spotfire.keytab -kvno 0 /pass PASSWORD
 

Hotfix available for Windows Server 2003 only.
http://support.microsoft.com/hotfix/KBHotfix.aspx?kbnum=939980&kbln=en-us

http://support.microsoft.com/default.aspx?scid=kb;EN-US;939980
http://social.technet.microsoft.com/Forums/windowsserver/en-US/dbf2028b-139a-484d-9067-39dd694f2a4b/can-not-logon-account-after-using-ktpass-to-map-a-spn-to-it?forum=winserverDS

Related articles