W2k3 and Hotfix KB833708
Luke Howard
lukeh at padl.com
Thu Nov 11 19:27:31 EST 2004
Try doing an AS-REQ for the computer account using a salted enctype
and a bogus password (e.g. kinit -e des-cbc-md5) and look at the salt
returned in the ETYPE-INFO-ENTRY inside the error message.
Useful tools: Ethereal and dumpasn1.
-- Luke
>From: "Markus Moeller" <huaraz at moeller.plus.com>
>Subject: Re: W2k3 and Hotfix KB833708
>To: kerberos at MIT.EDU
>Date: Sat, 6 Nov 2004 14:48:04 -0000
>Organization: Customer of PlusNet plc (http://www.plus.net)
>
>It seems to be related to how MS calculates salt for computer accounts in
>2003, this is for example fixed in a newer Windows ktpass version. Does
>anybody know how they determine the salt now?
>
>Thanks
>Markus
>
>
>"Markus Moeller" <huaraz at moeller.plus.com> wrote in message
>news:4187faaa$0$4012$ed2619ec at ptn-nntp-reader01.plus.net...
>>I experience problems with Hotfix KB833708 on a w2k3 kdc and MIT 1.2.4 (yes
>>I know it's old). The fix works fine when I use MIT 1.3.1 which supports
>>RC4.
>>
>> When I extract a keytab which is associated with a computer account in AD
>> I get decrypt integrity check failed errors. It is the same error as
>> described by Nathan earlier at
>> http://mailman.mit.edu/pipermail/kerberos/2004-April/005080.html. I can
>> get the decrypt error solved, when I change the user account control flag
>> from UF_TRUSTED_WORKSTATION_ACCOUNT to UF_NORMAL_ACCOUNT ( I think it
>> means changing it from a computer account to a user account)
>>
>> Has anybody experienced this too? Do I miss another Hotfix?
>>
>> Thanks
>> Markus
>>
>
>
>________________________________________________
>Kerberos mailing list Kerberos at mit.edu
>https://mailman.mit.edu/mailman/listinfo/kerberos
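Added example, not part of the original message or of any Kerberos distribution: a small decoder for the DER-encoded ETYPE-INFO (a SEQUENCE OF ETYPE-INFO-ENTRY, each with etype [0] and optional salt [1]) that compares the salt the KDC returns with the RFC 4120 default salt (realm followed by the principal's name components). It assumes the ETYPE-INFO bytes have already been extracted from the error message; the realm, principal and salt in the sample are constructed for illustration, not captured from a KDC.

```python
def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(buf):
    """Yield (tag, value) for each element packed back to back in buf."""
    pos = 0
    while pos < len(buf):
        tag, val, pos = read_tlv(buf, pos)
        yield tag, val

def parse_etype_info(der_bytes):
    """Decode ETYPE-INFO into a list of (etype, salt); salt is None when omitted."""
    tag, body, _ = read_tlv(der_bytes, 0)
    if tag != 0x30:
        raise ValueError("ETYPE-INFO must be a SEQUENCE")
    entries = []
    for tag, entry in children(body):
        if tag != 0x30:
            raise ValueError("ETYPE-INFO-ENTRY must be a SEQUENCE")
        etype, salt = None, None
        for ctx, inner in children(entry):
            itag, ival, _ = read_tlv(inner, 0)
            if ctx == 0xA0 and itag == 0x02:      # etype [0] INTEGER
                etype = int.from_bytes(ival, "big", signed=True)
            elif ctx == 0xA1 and itag == 0x04:    # salt [1] OCTET STRING
                salt = ival
        entries.append((etype, salt))
    return entries

def default_salt(realm, principal):
    """RFC 4120 default salt: realm + name components, no separators."""
    return (realm + "".join(principal.split("/"))).encode()

def der(tag, payload):
    """Build a short-form DER element (payload < 128 bytes), for the sample only."""
    return bytes([tag, len(payload)]) + payload

# Constructed sample: one des-cbc-md5 (etype 3) entry with a non-default salt.
SAMPLE_SALT = b"EXAMPLE.COMhostpc1.example.com"
SAMPLE = der(0x30, der(0x30, der(0xA0, der(0x02, b"\x03")) + der(0xA1, der(0x04, SAMPLE_SALT))))

for etype, salt in parse_etype_info(SAMPLE):
    print(etype, salt, "default" if salt == default_salt("EXAMPLE.COM", "PC1$") else "NON-DEFAULT")
```

A keytab whose keys were derived with the default salt will not match keys the KDC derived with a different salt, which shows up as the decrypt integrity check failure described in the quoted message.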