MIT vs. Heimdal/Sun: "Decrypt integrity check failed"

Karsten Petersen kapet at
Thu Jun 3 05:08:19 EDT 2004


we have a KDC (Heimdal 0.6.2) running for a test.  kinit works, it
successfully provides users with krb4 and krb5 TGTs.

But now I am trying to write a simple GSS based program and get an
error which I can not clearly classify:

0. A service principal was created on the KDC.  A krb5 keytab on the
   GSS test machine was created by calling Heimdal's kadmin with
   "ext_keytab *hostname*".  The keytab contains 10 different
   encryptions of the service key.  The user calling the GSS client-app
   always has a clean ticket cache with only the krb5 TGT in it.
1. GSS client- and server-app on the GSS test machine both use MIT
   Kerberos5 1.3.1.  This works like a charm.  I will use this GSS
   server-app for all further tests.
2. The GSS client-app on another machine, also using MIT Kerberos5
   1.3.1, works too.
3. The GSS client-app using Heimdal 0.6.2 on just another Linux machine
   does not work.
4. The GSS client-app on SunOS 5.8 (using Sun's GSS-implementation) does
   not work either.

The GSS server-app shows the same error message for 3. and 4.:
  gss_accept_sec_context: Miscellaneous failure
  gss_accept_sec_context: Decrypt integrity check failed

(The GSS client-app then gets an error message from the server and quits

I traced the GSS server-app (during 3.) and found it calculating a MD5
sum (it was using des-cbc-md5) which came out different than the one
from the client.

So where is the problem?

Thanks in advance,
Karsten Petersen
Dipl. Inf. Karsten Petersen,  Universitaetsrechenzentrum,  TU Chemnitz
         E-Mail:  kapet at
        Telefon:  (0371) - 531 - 1725
   Arbeitsplatz:  Strasse der Nationen 62  //  Raum 1/B301.A

More information about the Kerberos mailing list