Re: PKINIT: KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED with Windows Server
daemon@ATHENA.MIT.EDU (Greg Hudson)
Fri Mar 20 11:29:24 2026
Message-ID: <b48280fb-3486-44d6-8770-6fc346267b67@mit.edu>
Date: Fri, 20 Mar 2026 11:29:12 -0400
To: Ayush <ayushpratap16@gmail.com>, krbdev@mit.edu
From: "Greg Hudson" <ghudson@mit.edu>
In-Reply-To: <CACcYG_wp5P-aVBQ05M-qOGLVYORSOtpZrxTTCkOyjdwSjroWPQ@mail.gmail.com>
On 3/20/26 03:13, Ayush wrote:
> With KRB5_TRACE enabled I can see the client is doing PKINIT correctly —
> loading the cert, building the DH request, and getting "Preauth module
> pkinit (16) returned: 0/Success". But then the KDC rejects with
> KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED (-1765328305).
I would guess that it wants the new paChecksum2, which we added support
for in version 1.22. However, I don't see support for paChecksum2 in
minikerberos, so perhaps I am wrong.
If I were debugging this, my next step would be to use Wireshark (or
similar) to investigate the differences between the MIT krb5
PA-PK-AS-REQ and the minikerberos one.