kpasswd: Failed decrypting request

Jeffrey Altman jaltman2 at
Fri Aug 18 02:35:08 EDT 2006

petesea at wrote:
> Using krb5-1.4.3 on a Redhat system and I get the following error from 
> kpasswd:
>    Failed decrypting request
> The admin server is accessed via VPN/NAT and from the sparse info I could 
> find, I suspect that's the issue.  DNS does show that my VPN IP matches 
> the hostname.
> Questions...
> Is that the cause of the error?
> Are there plans to fix this?
> If there are no plans to fix it (or it can't be fixed)... is there any 
> possibility the error message could be a bit more descriptive?
> I'm trying to deploy kerberos to a large number of users, many will be 
> accessing our systems via the VPN and I'm sure this will be an issue.

You cannot use the MIT kpasswd through a NAT.  The IP address of the
client as seen by the server must match the one the client sees.

When the IETF completes the new set/change password protocol I'm sure
that MIT will consider implementing it.

Jeffrey Altman

More information about the Kerberos mailing list