W2k3 and Hotfix KB833708

Luke Howard lukeh at padl.com
Thu Nov 11 19:27:31 EST 2004


Try doing an AS-REQ for the computer account using a salted enctype
and a bogus password (e.g. kinit -e des-cbc-md5) and look at the salt
returned in the ETYPE-INFO-ENTRY inside the error message.

Useful tools: Ethereal and dumpasn1.

-- Luke

>From: "Markus Moeller" <huaraz at moeller.plus.com>
>Subject: Re: W2k3 and Hotfix KB833708
>To: kerberos at MIT.EDU
>Date: Sat, 6 Nov 2004 14:48:04 -0000
>Organization: Customer of PlusNet plc (http://www.plus.net)
>
>It seems to be related to how MS calculates salt for computer accounts in 
>2003; this is, for example, fixed in a newer Windows ktpass version. Does 
>anybody know how they determine the salt now?
>
>Thanks
>Markus
>
>
>"Markus Moeller" <huaraz at moeller.plus.com> wrote in message 
>news:4187faaa$0$4012$ed2619ec at ptn-nntp-reader01.plus.net...
>>I experience problems with Hotfix KB833708 on a w2k3 kdc and MIT 1.2.4 (yes 
>>I know it's old). The fix works fine when I use MIT 1.3.1 which supports 
>>RC4.
>>
>> When I extract a keytab which is associated with a computer account in AD 
>> I get decrypt integrity check failed errors. It is the same error as 
>> described by Nathan earlier at 
>> http://mailman.mit.edu/pipermail/kerberos/2004-April/005080.html. I can 
>> get the decrypt error solved when I change the user account control flag 
>> from UF_TRUSTED_WORKSTATION_ACCOUNT to UF_NORMAL_ACCOUNT (I think it 
>> means changing it from a computer account to a user account).
>>
>> Has anybody experienced this too? Do I miss another Hotfix?
>>
>> Thanks
>> Markus
>> 
>
>
>________________________________________________
>Kerberos mailing list           Kerberos at mit.edu
>https://mailman.mit.edu/mailman/listinfo/kerberos
