Multiple ETYPE-INFO-ENTRY with same etype but different salts
Weijun Wang
weijun.wang at oracle.com
Fri Jul 15 03:21:51 EDT 2011
Hi All
I have a customer whose KDC sends out the following packet as the
response to the initial login:
Kerberos KRB-ERROR
    ....
    error_code: KRB5KDC_ERR_PREAUTH_REQUIRED (25)
    e-data
        padata:
            Type: PA-ENCTYPE-INFO (11)
            Value:
                Encryption type: des-cbc-crc (1)
                Encryption type: des-cbc-crc (1)
                Salt: <MISSING>
                Encryption type: des-cbc-crc (1)
                Salt: "XXX.EDU"
    ...
The PA-ENCTYPE-INFO's detailed ASN.1 structure is:
SEQUENCE
    SEQUENCE
        [0] INTEGER 1
    SEQUENCE
        [0] INTEGER 1
        [1] OCTET STRING ""
    SEQUENCE
        [0] INTEGER 1
        [1] OCTET STRING "XXX.EDU"
As you can see, it includes multiple entries for the des-cbc-crc etype
and they have different salt values. Also, the last value "XXX.EDU" is
wrong. If I use it as the salt to generate a secret key and send a
timestamp, the KDC rejects me. Only if the default salt "XXX.EDUuser" is
used, I get the AS-REP.
I looked up RFC 4120, and there is no spec on what to do when there are
multiple ETYPE-INFO-ENTRYs with the same etype but different salts. What
shall I do now? Or, is there a way to reconfigure their KDC and avoid
such a response?
Thanks
Max
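The situation described in the message above, as an added illustration that is not part of the post or of any Kerberos implementation: a small hand-written DER parser for the PA-ENCTYPE-INFO value, which keeps an absent salt field distinct from an empty OCTET STRING (the two second entries in the dump differ in exactly that way), and a candidate-salt list that walks the entries in KDC order, substitutes the RFC 4120 default salt (realm followed by the name components, no separators) for an absent salt, drops duplicates per etype, and keeps the default salt as a last resort. The "try each candidate until the KDC accepts one" loop, the `kdc_accepts` callback standing in for a PA-ENC-TIMESTAMP round trip, the realm `XXX.EDU`, the principal component `user`, and the DER bytes below (hand-encoded from the ASN.1 in the post) are all assumptions made for this example; the policy of trying entries in the order the KDC listed them is one plausible choice, not something RFC 4120 prescribes for this case.

```python
"""Parse a PA-ENCTYPE-INFO (padata type 11) value and list the salts a client
could try per etype.  Hypothetical helper code written for this thread, not
taken from any Kerberos implementation."""

# ETYPE-INFO ::= SEQUENCE OF ETYPE-INFO-ENTRY
# ETYPE-INFO-ENTRY ::= SEQUENCE {
#     etype   [0] Int32,
#     salt    [1] OCTET STRING OPTIONAL
# }
# Kerberos uses EXPLICIT context tags, so [0] encodes as 0xA0 and [1] as 0xA1.

MISSING = None  # "salt field absent", as opposed to an empty OCTET STRING b""


def _tlv(buf, pos):
    """Read one DER TLV at buf[pos]; return (tag, value_bytes, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(buf):
    """Yield the (tag, value) pairs contained in a constructed value."""
    pos = 0
    while pos < len(buf):
        tag, val, pos = _tlv(buf, pos)
        yield tag, val


def parse_etype_info(der):
    """Return a list of (etype, salt); salt is bytes or MISSING."""
    tag, body, end = _tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("ETYPE-INFO must be a single SEQUENCE")
    entries = []
    for etag, entry in _children(body):
        if etag != 0x30:
            raise ValueError("ETYPE-INFO-ENTRY must be a SEQUENCE")
        etype, salt = None, MISSING
        for ctag, cval in _children(entry):
            itag, ival = _tlv(cval, 0)[:2]   # unwrap the explicit context tag
            if ctag == 0xA0 and itag == 0x02:
                etype = int.from_bytes(ival, "big", signed=True)
            elif ctag == 0xA1 and itag == 0x04:
                salt = ival                  # may legitimately be b""
            else:
                raise ValueError(f"unexpected tag {ctag:#x}")
        if etype is None:
            raise ValueError("entry without etype")
        entries.append((etype, salt))
    return entries


def default_salt(realm, components):
    """RFC 4120 default salt: realm followed by the name components, no separators."""
    return (realm + "".join(components)).encode()


def candidate_salts(entries, realm, components, etype):
    """Salts to try for one etype, in KDC order, duplicates removed; an absent
    salt means the default salt, and the default is always kept as a fallback."""
    dflt = default_salt(realm, components)
    seen, out = set(), []
    for e, salt in entries:
        if e != etype:
            continue
        s = dflt if salt is MISSING else salt
        if s not in seen:
            seen.add(s)
            out.append(s)
    if dflt not in seen:
        out.append(dflt)
    return out


def find_working_salt(candidates, kdc_accepts):
    """Try candidates in order; kdc_accepts(salt) stands in for sending a
    PA-ENC-TIMESTAMP derived from that salt and seeing AS-REP vs KRB-ERROR."""
    for salt in candidates:
        if kdc_accepts(salt):
            return salt
    return None


# Constructed sample: hand-encoded DER for the ETYPE-INFO shown in the post
# (etype 1 with no salt, etype 1 with "" salt, etype 1 with "XXX.EDU").
SAMPLE = bytes.fromhex(
    "3024"
    "3005" "a003020101"
    "3009" "a003020101" "a1020400"
    "3010" "a003020101" "a1090407" + b"XXX.EDU".hex()
)

if __name__ == "__main__":
    entries = parse_etype_info(SAMPLE)
    cands = candidate_salts(entries, "XXX.EDU", ["user"], 1)
    # Stand-in for the KDC in the post, which only accepts the default salt.
    print(entries, cands, find_working_salt(cands, lambda s: s == b"XXX.EDUuser"))
```

Running it yields the three parsed entries, the candidate list `[b"XXX.EDUuser", b"", b"XXX.EDU"]`, and `b"XXX.EDUuser"` as the salt the simulated KDC accepts; the point of keeping `MISSING` separate from `b""` is that a parser which collapses the two would silently replace the empty salt with the default one and never notice the KDC had sent three distinct values.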