[37994] in Kerberos

Re: wrong key is generated by krb5_c_string_to_key

daemon@ATHENA.MIT.EDU (Mark Pröhl)
Mon Jun 5 11:51:27 2017

To: kerberos@mit.edu
From: Mark Pröhl <mark@mproehl.net>
Message-ID: <afcde1c1-ca72-da8d-41c5-a5567068a01a@mproehl.net>
Date: Mon, 5 Jun 2017 17:51:03 +0200
In-Reply-To: <1496406548521-47082.post@n3.nabble.com>

On 06/02/2017 02:29 PM, Ashi1986 wrote:
> Hi All,
>
> This is my setup:
>
> Windows 8.1 64 bit
> Windows 2012 R2 server AD and KDC.
> BS2000 with MIT Kerberos 1.13.2
>
> I generate the keytab for the SPN using this command:
>
> ktpass -princ host/<Host name>@domain name -mapuser <domain name\domain user
> pass> pass <password> -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -out
> C:\KeyTab\HMAC7U6.keytab
>
> I am trying to decrypt AP_REQ using this keytab.
> I looked at kvno, encryption type and everything else matches.
>
> While configuring DES-CBC-CRC and DES-CBC-MD5 it works fine and the Kerberos
> connection is established.
>
> While decrypting the packet in krb5_c_decrypt -> krb5_k_decrypt ->
> krb5int_arcfour_decrypt
> returning KRB5KRB_AP_ERR_BAD_INTEGRITY?
>
> In case of encryption type RC4-HMAC, AES128-SHA1 and AES256-SHA1, it is
> noticed that the keys generated from the password by using the function
> [lib/crypto/krb/string_to_key.c\*krb5_c_string_to_key*] are different from
> the keys generated with the same password with the KTPASS command.
>
> In case of DES-CBC-CRC and DES-CBC-MD5, the generated keys exactly match
> the keys generated by the KTPASS command.
>
> Therefore the Kerberos connection is successful with the encryption types
> DES-CBC-CRC and DES-CBC-MD5, and the connection fails with error code
> KRB5KRB_AP_ERR_BAD_INTEGRITY with the encryption types RC4-HMAC, AES128-SHA1
> and AES256-SHA1.
>
> Please suggest how to fix this problem.
>
> Any help would be appreciated!
>
> Thanks & Regards
>
>

If I understand you correctly, the keytab with the invalid RC4 and AES
keys is generated with ktpass.exe. If so, how should that be related to
the krb5_c_string_to_key function from MIT Kerberos?

And did you try to use msktutil instead of ktpass.exe?

- Mark
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos