W2k3 and Hotfix KB833708

Markus Moeller huaraz at moeller.plus.com
Fri Nov 12 19:21:21 EST 2004

The reason for the problem is that in 2003 (not sure if it is SP1) computer 
accounts and only computer accounts
take the following salt:

1) For a principal host/testserver.mycountry.mydomain.com at MYREALM.COM mapped 
to testserver-host (meaning computer account name with sAMaccountname = 
testserver-host$) the salt is:


2) For a principal HTTP/testserver.mycountry.mydomain.com at MYREALM.COM mapped 
to testserver-HTTP the salt is:

MYREALM.COMhosttestserver-http.myrealm.com   (lowercase of mapped account 
name is used !)

3) For a principal root/admin at MYREALM.COM mapped to root-admin the salt is:


Assuming the realm MYREAL.COM belongs to the windows domain myrealm.com.

w2k and user accounts in 2003 are unaffected.e.g.

A principal ftp/testserver.mycountry.mydomain.com at MYREALM.COM mapped to 
testserver-ftp has the salt:

MYREALM.COMftptestserver.mycountry.mydomian.com which is the output of 


"Luke Howard" <lukeh at padl.com> wrote in message 
news:200411120027.iAC0RVsp022721 at au.padl.com...
> Try doing a AS-REQ for the computer account using a salted enctype
> and a bogus password (eg. kinit -e des-cbc-md5) and look at the salt
> returned in the ETYPE-INFO-ENTRY inside the error message.
> Useful tools: Ethereal and dumpasn1.
> -- Luke
>>From: "Markus Moeller" <huaraz at moeller.plus.com>
>>Subject: Re: W2k3 and Hotfix KB833708
>>To: kerberos at MIT.EDU
>>Date: Sat, 6 Nov 2004 14:48:04 -0000
>>Organization: Customer of PlusNet plc (http://www.plus.net)
>>It seems to be related to how MS calculates salt for computer accounts in
>>2003, this is for example fixed in a newer Windows ktpass version. Does
>>anybody know how they determine the salt now ?
>>"Markus Moeller" <huaraz at moeller.plus.com> wrote in message
>>news:4187faaa$0$4012$ed2619ec at ptn-nntp-reader01.plus.net...
>>>I experience problems with Hotfix KB833708 on a w2k3 kdc and MIT 1.2.4 
>>>I know its old). The fix works fine when I use MIT 1.3.1 which supports
>>> When I extract a keytab which is associated with a computer account in 
>>> AD
>>> I get decrypt integrity check failed errors. It is the same error as
>>> described by Nathan earkier at
>>> http://mailman.mit.edu/pipermail/kerberos/2004-April/005080.html. I can
>>> get the decrypt error solved, when I change the user account contol flag
>>> means changing it from a computer account to a user account)
>>> Has anybody experienced this too ? Do I miss another Hotfix ?
>>> Thanks
>>> Markus
>>Kerberos mailing list           Kerberos at mit.edu
> --
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

More information about the Kerberos mailing list