Cannot authenticate with client keytab and AES128/256 against Active Directory
Todd Grayson
tgrayson at cloudera.com
Wed Jul 29 14:22:49 EDT 2015
Have you enabled AES Encryption for the account in AD?
http://blogs.msdn.com/b/openspecification/archive/2011/05/31/windows-configurations-for-kerberos-supported-encryption-type.aspx
This can, I believe, be achieved as well with group policy, as well...
On Wed, Jul 29, 2015 at 5:43 AM, Osipov, Michael <michael.osipov at siemens.com
> wrote:
> Hi,
>
> I have created a client keytab with ktutil:
>
> add_entry -password -p osipovmi at COMAPNY.NET -k 1 -e
> aes256-cts-hmac-sha1-96
> add_entry -password -p osipovmi at COMAPNY.NET -k 1 -e
> aes128-cts-hmac-sha1-96
> add_entry -password -p osipovmi at COMAPNY.NET -k 1 -e arcfour-hmac
>
> then trying to obtain a TGT with 'kinit -k -i' but all I get is:
> kinit: Invalid argument while getting initial credentials
>
> Turning on KRB5_TRACE and Wireshark, I see that the server is rejecting
> both AES ciphers from my client.
>
> If I reduce the keytab down to arcfour-hmac, all works fine.
>
> I am on FreeBSD 9.x, MIT Kerberos 1.13.2 from ports system and multiple
> Windows Server 2008 R2.
>
> How can I locate this issue? Any advises? KRB5_TRACE and pcap file can
> be provided privately.
>
> Regards,
>
> Michael Osipov
>
> PS: I triple-checked the password, so the issue is not with that.
>
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
--
Todd Grayson
Customer Operations Engineering
More information about the Kerberos
mailing list