[20556] in Kerberos_V5_Development


PKINIT: KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED with Windows Server 2025

daemon@ATHENA.MIT.EDU (Ayush)
Fri Mar 20 10:29:39 2026

MIME-Version: 1.0
From: Ayush <ayushpratap16@gmail.com>
Date: Fri, 20 Mar 2026 12:43:24 +0530
Message-ID: <CACcYG_wp5P-aVBQ05M-qOGLVYORSOtpZrxTTCkOyjdwSjroWPQ@mail.gmail.com>
To: krbdev@mit.edu
Content-Type: text/plain; charset="utf-8"
Errors-To: krbdev-bounces@mit.edu
Content-Transfer-Encoding: 8bit

Hi all,

I'm running into an issue with PKINIT authentication against a Windows
Server 2025 domain controller using MIT KRB5.

With KRB5_TRACE enabled I can see the client is doing PKINIT correctly —
loading the cert, building the DH request, and getting "Preauth module
pkinit (16) returned: 0/Success". But then the KDC rejects with
KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED (-1765328305).

Interestingly, PKINITtools/gettgtpkinit.py (which uses minikerberos) works
perfectly against the exact same DC with the same cert. So minikerberos is
sending the required checksum but MIT KRB5 isn't.

Looking at the code, I believe the checksum in question is the
pkAuthenticator checksum in the PA-PK-AS-REQ. Is there a krb5.conf option
to enable this, or is this a known incompatibility between MIT KRB5 and
Windows Server 2025's stricter PKINIT requirements?

Any pointers would be really appreciated!
_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
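Added example (not from this message, nor from MIT krb5 or minikerberos): the checksum the KDC is asking for is the paChecksum field of PKAuthenticator, which RFC 4556 defines as the SHA-1 of the DER-encoded KDC-REQ-BODY, and MIT's -1765328305 is that RFC's error code 79 offset by the krb5 com_err table base. The Python below models the client-side field and the KDC-side check with hand-rolled DER helpers; the KDC-REQ-BODY bytes, the function names and the status strings are constructed assumptions, not real protocol values.

```python
import hashlib

# PKAuthenticator, RFC 4556 section 3.2.1:
#   cusec [0] INTEGER, ctime [1] KerberosTime, nonce [2] INTEGER,
#   paChecksum [3] OCTET STRING OPTIONAL   -- SHA-1 over the DER KDC-REQ-BODY
ERROR_TABLE_BASE_KRB5 = -1765328384        # MIT com_err base of the krb5 error table
KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED = 79  # RFC 4556 KRB-ERROR code
SAMPLE_REQ_BODY = bytes.fromhex("3003020105")  # constructed stand-in for a DER KDC-REQ-BODY

def krb5_protocol_code(mit_code: int) -> int:
    """Map an MIT negative error number to the on-the-wire KRB-ERROR code."""
    return mit_code - ERROR_TABLE_BASE_KRB5

def _der(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV encoder (definite length, short or long form)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    ln = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def _tlv(buf: bytes, pos: int = 0):
    """Decode one DER TLV at pos; returns (tag, body, next_pos)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                              # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def _int(v: int) -> bytes:                      # INTEGER, minimal two's complement
    return _der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))
def _ctx(n: int, inner: bytes) -> bytes:        # [n] EXPLICIT context tag
    return _der(0xA0 | n, inner)
def pa_checksum(req_body_der: bytes) -> bytes:
    return hashlib.sha1(req_body_der).digest()  # RFC 4556 mandates SHA-1 here

def build_pk_authenticator(cusec: int, ctime: str, nonce: int, req_body_der=None) -> bytes:
    """Client side; pass req_body_der=None to model a request that omits paChecksum."""
    f = _ctx(0, _int(cusec)) + _ctx(1, _der(0x18, ctime.encode())) + _ctx(2, _int(nonce))
    if req_body_der is not None:
        f += _ctx(3, _der(0x04, pa_checksum(req_body_der)))
    return _der(0x30, f)

def kdc_check_pk_authenticator(pk_auth_der: bytes, req_body_der: bytes) -> str:
    """KDC side: 'ok', 'missing' (the RFC's error 79 case) or 'mismatch' (body altered)."""
    tag, seq, _ = _tlv(pk_auth_der)
    fields, pos = {}, 0
    while tag == 0x30 and pos < len(seq):
        ctag, body, pos = _tlv(seq, pos)
        fields[ctag & 0x1F] = _tlv(body)[1]    # strip the explicit [n] wrapper
    if 3 not in fields:
        return "missing"
    return "ok" if fields[3] == pa_checksum(req_body_der) else "mismatch"
```

Running the KDC-side check against a PKAuthenticator built without a request body reproduces the "missing" case that maps to error 79; comparing a client's KRB5_TRACE output against this model tells you whether the field was ever emitted.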