On 06/02/2017 02:29 PM, Ashi1986 wrote:
> Hi All,
>
> This is my setup.
>
> windows 8.1 64 bit
> windows 2012 R2 server AD and KDC.
> BS2000 with MIT kerberos 1.13.2
>
> I generate keytab for SPN using this command:
>
> ktpass -princ host/<Host name>@domain name -mapuser <domain name\domain user
> pass> pass <password> -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -out
> C:\KeyTab\HMAC7U6.keytab
>
> I am trying to decrypt AP_REQ using this keytab.
> I looked at kvno, encryption type and everything else matches.
>
> While configuring the DES-CBC-CRC and DES-CBC-MD5 it works fine and Kerberos
> connection established.
>
> While decrypting the packet in krb5_c_decrypt -> krb5_k_decrypt ->
> krb5int_arcfour_decrypt
> returning KRB5KRB_AP_ERR_BAD_INTEGRITY?
>
> In case of encryption type RC4-HMAC, AES128-SHA1 and AES256-SHA1, it is
> noticed that keys generated from the password by using the function
> [lib/crypto/krb/string_to_key.c\*krb5_c_string_to_key*] is different from
> the key generated with the same password with KTPASS command.
>
> In case of DES-CBC-CRC and DES-CBC-MD5, generated keys are exactly matched
> with the keys generated by KTPASS command.
>
> Therefore kerberos connection becomes successful with the encryption type
> DES-CBC-CRC and DES-CBC-MD5 and connection gets failed with error code
> KRB5KRB_AP_ERR_BAD_INTEGRITY with the encryption type RC4-HMAC, AES128-SHA1
> and AES256-SHA1.
>
> Please suggest how to fix this problem.
>
> Any help would be appreciated !!!
>
> Thanks & Regards
>

If I understand you correctly, the keytab with the invalid RC4 and AES keys is
generated with ktpass.exe. If so, how should that be related to the
krb5_c_string_to_key function from MIT Kerberos? And did you try to use
msktutil instead of ktpass.exe?

- Mark
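
An added example, not part of either message and not MIT Kerberos or ktpass code: a minimal reader for the version 0x0502 keytab file format that lists each entry's principal, kvno, enctype and key bytes, so what a keytab actually holds can be compared with a key derived elsewhere. The principal, realm and key bytes in SAMPLE are constructed, and `make_entry` is a helper that exists only to build that sample.

```python
import struct

ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}  # IANA enctype numbers

def _parse_entry(buf):
    off = 0
    def take(fmt):                  # read one big-endian field
        nonlocal off
        off += struct.calcsize(fmt)
        return struct.unpack_from(fmt, buf, off - struct.calcsize(fmt))[0]
    def counted():                  # 16-bit length, then that many bytes
        nonlocal off
        n = take(">H")
        if off + n > len(buf):
            raise ValueError("counted string overruns entry")
        off += n
        return buf[off - n:off]
    ncomp = take(">H")
    realm = counted().decode()
    name = "/".join(counted().decode() for _ in range(ncomp))
    take(">I"); take(">I")          # name type and timestamp, unused here
    kvno, etype, key = take(">B"), take(">H"), counted()
    if len(buf) - off >= 4:         # optional 32-bit kvno overrides the 8-bit one
        kvno = take(">I") or kvno
    return {"principal": f"{name}@{realm}", "kvno": kvno,
            "enctype": ENCTYPES.get(etype, str(etype)), "key": key.hex()}

def parse_keytab(data):
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size > 0:
            entries.append(_parse_entry(data[pos:pos + size]))
        pos += abs(size)            # negative size marks a deleted entry (hole)
    return entries

def make_entry(realm, comps, kvno, etype, key):  # builds constructed sample data
    strs = b"".join(struct.pack(">H", len(s)) + s.encode() for s in (realm, *comps))
    body = struct.pack(">H", len(comps)) + strs + struct.pack(">IIBHH", 1, 0, kvno, etype, len(key))
    return struct.pack(">i", len(body) + len(key) + 4) + body + key + struct.pack(">I", kvno)

NAME = ("EXAMPLE.TEST", ["host", "bs2000.example.test"])   # constructed principal
SAMPLE = (b"\x05\x02" + make_entry(*NAME, 3, 23, bytes(range(16)))
          + struct.pack(">i", -4) + b"\0" * 4 + make_entry(*NAME, 3, 18, bytes(32)))
if __name__ == "__main__":
    print(*parse_keytab(SAMPLE), sep="\n")
```

For a real file, pass `open(path, "rb").read()` to `parse_keytab`. The output contains long-term key material, so handle it the same way as the keytab itself.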
