[15955] in Kerberos_V5_Development
Re: krb5-1.8 fails to verify MS PAC Checksum when AES 256 is used
daemon@ATHENA.MIT.EDU (Luke Howard)
Thu Jul 1 17:36:01 2010
From: Luke Howard <lukeh@padl.com>
In-Reply-To: <4C2CFA81.5090804@anl.gov>
Date: Thu, 1 Jul 2010 23:35:48 +0200
Message-Id: <E15BA609-803C-4FA8-8906-06A0049EEEA6@padl.com>
To: "Douglas E. Engert" <deengert@anl.gov>
Cc: krbdev@mit.edu
> With msDS-SupportedEncryptionTypes = 16 (AES256) The first verify fails
> as expected, and the keytab is searched, and each key is tried. But
> the RC4 key (23) gets a KRB5KRB_AP_ERR_BAD_INTEGRITY as the compare
> of the computed and supplied checksums don't match.

Perhaps they're rc4-hmac with the AES key. (This really wouldn't surprise me. Ironically it might make the code path simpler.)

-- Luke