[37990] in Kerberos
wrong key is generated by krb5_c_string_to_key
daemon@ATHENA.MIT.EDU (Ashi1986)
Fri Jun 2 08:29:26 2017
Date: Fri, 2 Jun 2017 05:29:08 -0700 (MST)
From: Ashi1986 <vermaashish_mca@hotmail.com>
To: kerberos@mit.edu
Message-ID: <1496406548521-47082.post@n3.nabble.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Hi All ,
This is my setup .
windows 8.1 64 bit
windows 2012 R2 server AD and KDC .
BS2000 with MIT kerberos 1.13.2
I generate keytab for SPN using this command :
ktpass -princ host/<Host name>@domain name -mapuser <domain name\domain user
pass> pass <password> -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -out
C:\KeyTab\HMAC7U6.keytab
I am trying to decrypt AP_REQ using this keytab.
I looked at kvno, encryption type and everything else matches.
while configuring the DES-CBC-CRC and DES-CBC-MD5 it works fine and Kerberos
connection established.
while decrypting the packet in krb5_c_decrypt -> krb5_k_decrypt ->
krb5int_arcfour_decrypt
returning KRB5KRB_AP_ERR_BAD_INTEGRITY?
In case of encryption type RC4-HMAC, AES128-SHA1 and AES256-SHA1, It is
noticed that keys generated from the password by using the function
[lib/crypto/krb/string_to_key.c\*krb5_c_string_to_key*] is different from
the key generated with the same password with KTPASS command.
In case of DES-CBC-CRC and DES-CBC-MD5, generated keys are exactly matched
with the keys generated by KTPASS command.
Therefore kerberos connection becomes successful with the encryption type
DES-CBC-CRC and DES-CBC-MD5 and connection gets failed with error code
KRB5KRB_AP_ERR_BAD_INTEGRITY with the encryption type RC4-HMAC, AES128-SHA1
and AES256-SHA1.
Please suggest how to fix this problem.
Any help would be appreciated !!!
Thanks & Regards
--
View this message in context: http://kerberos.996246.n3.nabble.com/wrong-key-is-generated-by-krb5-c-string-to-key-tp47082.html
Sent from the Kerberos - General mailing list archive at Nabble.com.
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
