Cannot authenticate with client keytab and AES128/256 against Active Directory
Osipov, Michael
michael.osipov at siemens.com
Wed Jul 29 07:43:19 EDT 2015
Hi,
I have created a client keytab with ktutil:
add_entry -password -p osipovmi@COMAPNY.NET -k 1 -e aes256-cts-hmac-sha1-96
add_entry -password -p osipovmi@COMAPNY.NET -k 1 -e aes128-cts-hmac-sha1-96
add_entry -password -p osipovmi@COMAPNY.NET -k 1 -e arcfour-hmac
then trying to obtain a TGT with 'kinit -k -i' but all I get is:
kinit: Invalid argument while getting initial credentials
Turning on KRB5_TRACE and Wireshark, I see that the server is rejecting
both AES ciphers from my client.
If I reduce the keytab down to arcfour-hmac, all works fine.
I am on FreeBSD 9.x, MIT Kerberos 1.13.2 from ports system and multiple
Windows Server 2008 R2.
How can I locate this issue? Any advice? KRB5_TRACE and pcap file can
be provided privately.
Regards,
Michael Osipov
PS: I triple-checked the password, so the issue is not with that.