[37908] in Kerberos
RE: Kerberos failed with krb5krb_AP_ERR_ BAD_INTEGRITY
daemon@ATHENA.MIT.EDU (Osipov, Michael)
Tue Mar 21 04:38:22 2017
From: "Osipov, Michael" <michael.osipov@siemens.com>
To: Ashish <vermaashish_mca@hotmail.com>,
"Kerberos@mit.edu" <Kerberos@mit.edu>
Date: Tue, 21 Mar 2017 08:38:03 +0000
Message-ID: <68644224DA0DE64CA5A49838ED219A0425C101B3@DEFTHW99EJ5MSX.ww902.siemens.net>
In-Reply-To: <PN1PR01MB0157A6BE525A62E6745753209A3D0@PN1PR01MB0157.INDPRD01.PROD.OUTLOOK.COM>
Content-Language: de-DE
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
> Hi All ,
>
> This is my setup .
>
> windows 8.1 64 bit
> windows 2012 R2 server AD and KDC .
> BS2000 with MIT kerberos 1.13.2
>
> I generate keytab for SPN using this command :
>
> ktpass -princ host/<Host name>@domain name -mapuser <domain name\domain
> user pass> pass <password> -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -
> out C:\KeyTab\HMAC7U6.keytab
>
> I am trying to decrypt AP_REQ using this keytab.
> I looked at kvno, encryption type and everything else matches.
>
> while configuring the DES-CBC-CRC and DES-CBC-MD5 it works fine and
> Kerberos connection established.
>
> Why would this fail while decrypting the packet in krb5_c_decrypt ->
> krb5_k_decrypt -> krb5int_arcfour_decrypt
> returning KRB5KRB_AP_ERR_BAD_INTEGRITY?
> I have tried debugging it abut I don't find a reason why it is failing.
Consider using msktutil(1), it does a very good job with the Active Directory.
Michael
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
