Cannot authenticate with client keytab and AES128/256 against Active Directory

Greg Hudson ghudson at mit.edu
Wed Jul 29 13:05:25 EDT 2015


On 07/29/2015 07:43 AM, Osipov, Michael wrote:
> add_entry -password -p osipovmi at COMAPNY.NET -k 1 -e aes256-cts-hmac-sha1-96
> add_entry -password -p osipovmi at COMAPNY.NET -k 1 -e aes128-cts-hmac-sha1-96
> add_entry -password -p osipovmi at COMAPNY.NET -k 1 -e arcfour-hmac
[...]
> kinit: Invalid argument while getting initial credentials

Your primary problem here has to do with salts.  From the trace logs you
provided me, the salt string for this principal was constructed using
the principal name michael.osipov at COMAPNY.NET (not the actual realm
name), not osipovmi at COMAPNY.NET.  ktutil unfortunately has no way to
specify the salt string or to retrieve it from the KDC; it can only use
the default salt for the principal name when adding a keytab entry using
a password.  The RC4 enctype does not use the salt, so you don't
encounter this problem when using only an RC4 key.

I believe that people generally have better luck with msktutil for
creating keytabs for use with Active Directory; it may solve this problem.

The secondary problem is that you are getting the error message "Invalid
argument" instead of something more accurate, like "Password incorrect"
or "Preauthentication failed."  I don't know the exact cause of this
problem yet, though I believe it has to do with our PKINIT code.


More information about the Kerberos mailing list