preauth (timestamp) verify failure: Decrypt integrity check failed -- SOLVED

Jaap Winius jwinius at umrk.nl
Fri Jun 25 09:39:40 EDT 2010


Hi folks,

Jun 25 13:26:05 vipera krb5kdc[2171](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.2.48: NEEDED_PREAUTH: bbeamon@UMRK.NL for krbtgt/UMRK.NL@UMRK.NL, Additional pre-authentication required
Jun 25 13:26:05 vipera krb5kdc[2171](info): preauth (timestamp) verify failure: Decrypt integrity check failed
Jun 25 13:26:05 vipera krb5kdc[2171](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.2.48: PREAUTH_FAILED: bbeamon@UMRK.NL for krbtgt/UMRK.NL@UMRK.NL, Decrypt integrity check failed

This is basically the same error that I posted a question about here in 
October 2009. Back then, the problem disappeared after a reinstall of the 
client and/or server software, but an actual solution was never found. 
Not having understood it, naturally the problem eventually resurfaced, so 
I figured it would be better to sort it out once and for all.

The "preauth (timestamp) verify failure" error is misleading, because it 
seems to suggest that there is a time synchronization error, which does 
not have to be the case. I believe it says "(timestamp)" simply to remind 
us that time synchronization is essential for pre-authentication.

Regarding "Decrypt integrity check failed," it is sometimes stated that 
this error is just Kerberos' way of saying that the password is 
incorrect. This is true, but it can just as easily be because the server 
cannot decrypt and then read a correct password.

In my case, the client-server time synchronization was correct and so was 
the password. So, what's next? Luckily, I didn't have to spend too much 
time searching for an answer. First, I found this:

   4.2. "Decrypt integrity check failed"
   http://www.faqs.org/faqs/kerberos-faq/general/section-73.html

Here, it says that the error is caused because "the encryption key used 
to encrypt the data in this message didn't match the encryption key used 
for decryption, and as a result the checksum comparison didn't work." It 
also says the solution "is to delete the keytabs on each machine, and 
only add the host principal's key to their corresponding machine."

That was it. All I had to do was delete /etc/krb5.keytab on both the 
client *and* the server, create a new one on the server (using kadmin 
with the ktadd command) and then another new one on the client (using the 
same command).

In conclusion, if you believe your time and passwords are correct, but 
still receive the above errors, then it could be due to an encryption 
problem. Since Kerberos stores its encryption keys in those key table 
files on both the servers and the clients, the solution may be to  
replace them with fresh ones, starting with the KDC master server.

Cheers,

Jaap
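To make the distinction the post draws (stale keytab key or wrong password, rather than a clock problem) easy to spot in a KDC log, here is an added example that is not part of the original message: a small Python parser for krb5kdc AS_REQ lines in the layout shown above, run over constructed sample lines. The hint table is my own reading of the reason strings, and the second principal in the sample is invented.

```python
import re
from collections import Counter, defaultdict

# One krb5kdc AS_REQ line, in the layout shown in the post, e.g.
# "Jun 25 13:26:05 vipera krb5kdc[2171](info): AS_REQ (7 etypes {18 17 16 23 1 3 2})
#  192.168.2.48: PREAUTH_FAILED: bbeamon@UMRK.NL for krbtgt/UMRK.NL@UMRK.NL, Decrypt integrity check failed"
AS_REQ_RE = re.compile(
    r"krb5kdc\[(?P<pid>\d+)\]\(\w+\): AS_REQ \(\d+ etypes \{(?P<etypes>[\d ]*)\}\) "
    r"(?P<client>\S+): (?P<status>[A-Z_]+): (?P<princ>\S+) for (?P<server>\S+), (?P<reason>.*)$"
)

# Assumed reading of each reason text (my mapping, not something the KDC emits).
HINTS = {
    "Decrypt integrity check failed": "wrong password, or the key in a keytab no longer "
        "matches the KDC's key for that principal; time sync is not the issue",
    "Clock skew too great": "client and KDC clocks differ by more than the allowed skew",
}

def parse_as_req(line):
    """Fields of one AS_REQ line as a dict, or None for any other KDC line."""
    m = AS_REQ_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["etypes"] = [int(e) for e in rec["etypes"].split()]
    return rec

def summarize_preauth_failures(lines):
    """Map (client IP, principal) -> Counter of PREAUTH_FAILED reasons."""
    failures = defaultdict(Counter)
    for line in lines:
        rec = parse_as_req(line)
        if rec is not None and rec["status"] == "PREAUTH_FAILED":
            failures[(rec["client"], rec["princ"])][rec["reason"]] += 1
    return failures

def hint_for(reason):
    return HINTS.get(reason, "unclassified; read the full KDC log entry")

# Constructed sample: the three lines from the post, unwrapped, plus an invented
# second principal from the same host failing the same way.
SAMPLE_LOG = [
    "Jun 25 13:26:05 vipera krb5kdc[2171](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.2.48: NEEDED_PREAUTH: bbeamon@UMRK.NL for krbtgt/UMRK.NL@UMRK.NL, Additional pre-authentication required",
    "Jun 25 13:26:05 vipera krb5kdc[2171](info): preauth (timestamp) verify failure: Decrypt integrity check failed",
    "Jun 25 13:26:05 vipera krb5kdc[2171](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.2.48: PREAUTH_FAILED: bbeamon@UMRK.NL for krbtgt/UMRK.NL@UMRK.NL, Decrypt integrity check failed",
    "Jun 25 13:27:41 vipera krb5kdc[2171](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.2.48: PREAUTH_FAILED: example-user@UMRK.NL for krbtgt/UMRK.NL@UMRK.NL, Decrypt integrity check failed",
]

if __name__ == "__main__":
    for (client, princ), reasons in summarize_preauth_failures(SAMPLE_LOG).items():
        for reason, n in reasons.items():
            print(f"{client} {princ}: {n}x {reason} -> {hint_for(reason)}")
```

Several principals from one host all failing with "Decrypt integrity check failed" points at that host's keytab rather than at a single mistyped password.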
