cross realm : decrypt integrity check failed

Ken Hornstein kenh at cmf.nrl.navy.mil
Wed Nov 8 16:00:32 EST 2006


>Which is interesting as the same key (well, the same enc/salt type "created"
>with the same password) was present -- only key on the realmA kdc and the 3rd
>of three listed via a getprinc on the realmB kdc.

When you're dealing with KEYS, remember that the salt type is NOT
communicated when you're doing TGS_REQs (it's only negotiated as part
of an AS_REQ ... when kinit happens).  If you had, for example, three
single-DES salt types, they're considered the same as far as the KDC is
concerned for service principals (even though they are NOT the same
key).  Realm B's KDC would simply pick the first ENCTYPE that matched
the enctype in the ticket from realm A.  If they have a dissimilar
salt, then the keys won't match.

--Ken
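As an added illustration (not from Ken's message or the MIT Kerberos code), a small Python model of the key selection he describes: the KDC for realm B holds several keys of the same enctype that differ only in salt type, a TGS_REQ names only the enctype, so the first matching key is used and the ticket from realm A fails its integrity check. String-to-key is stood in by PBKDF2, ticket encryption by an HMAC tag, and the realm names and salt strings are constructed.

```python
import hashlib
import hmac

TAG_LEN = 32  # bytes of HMAC-SHA256 used as the integrity tag

def string_to_key(password: str, salt: str) -> bytes:
    """Stand-in for Kerberos string-to-key: same password, different salt -> different key."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 1000, 8)

def build_keys(password: str, entries):
    """entries: list of (enctype, salttype, salt), in the order a getprinc listing shows them."""
    return [(enc, st, string_to_key(password, salt)) for enc, st, salt in entries]

def kdc_select_key(keys, enctype: str) -> bytes:
    """A TGS_REQ carries only the enctype, so the KDC takes the first key of that enctype."""
    for enc, _salttype, key in keys:
        if enc == enctype:
            return key
    raise KeyError(f"no key of enctype {enctype}")

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Model of ticket encryption: payload plus integrity tag (confidentiality omitted)."""
    return plaintext + hmac.new(key, plaintext, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    """Model of ticket decryption; a wrong key shows up as a failed integrity check."""
    data, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(key, data, hashlib.sha256).digest(), tag):
        raise ValueError("decrypt integrity check failed")
    return data

def cross_realm_tgs(password, realm_a_entries, realm_b_entries, enctype="des-cbc-crc"):
    """Realm A seals a cross-realm ticket with its only key; realm B's KDC tries to open it."""
    key_a = kdc_select_key(build_keys(password, realm_a_entries), enctype)
    key_b = kdc_select_key(build_keys(password, realm_b_entries), enctype)
    ticket = seal(key_a, b"krbtgt/REALMB@REALMA cross-realm ticket")
    try:
        unseal(key_b, ticket)
        return "ok"
    except ValueError as exc:
        return str(exc)

# Constructed salts for hypothetical realms REALMA / REALMB (not real site data).
NORMAL = "REALMBkrbtgtREALMA"   # default salt: realm plus principal components
V4 = ""                          # Kerberos 4 style salt: empty string
NOREALM = "krbtgtREALMA"         # principal components without the realm
REALM_A = [("des-cbc-crc", "normal", NORMAL)]
REALM_B_MISMATCH = [("des-cbc-crc", "v4", V4), ("des-cbc-crc", "norealm", NOREALM),
                    ("des-cbc-crc", "normal", NORMAL)]  # matching key is listed third
REALM_B_FIXED = [("des-cbc-crc", "normal", NORMAL)]     # only the key realm A actually has
```

Calling `cross_realm_tgs("shared-pw", REALM_A, REALM_B_MISMATCH)` reproduces the error from the subject line, while the same call with `REALM_B_FIXED` returns "ok".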


