Does pre-authentication help against "insider" attacks?

Henry B (Hank) Hotz, CISSP hbhotz at
Fri May 26 19:38:44 CEST 2017

> On May 26, 2017, at 11:44 AM, Viktor Dukhovni <heimdal at> wrote:
> And in particular, "service accounts" (service principals) generally have
> random keys generated by cryptographically strong PRNG.  They are typically
> (on Unix systems) not and should not be "password based".
> Now it is true that in Active Directory various services (SPNs)
> require a domain password for their domain account (there are
> no "keytab" files on Windows).  It is up to the domain administrator
> to configure strong random passwords for such accounts.
> -- 
> 	Viktor.

In Heimdal that’s kadmin add --random-key . . .  Don’t use kadmin add --random-password unless the (small) number of characters is OK for your application.

In MIT it’s kadmin addprinc -randkey.

Now for my question: In Windows it looks like you should be able to do something similar with “ktpass /pass +rndpass . . .”, but I’ve never been able to get that command accepted. Under what conditions does that option work?

Personal email.  hbhotz at
