Cannot authenticate with client keytab and AES128/256 against Active Directory

Osipov, Michael michael.osipov at siemens.com
Wed Jul 29 18:01:57 EDT 2015 

> On 07/29/2015 07:43 AM, Osipov, Michael wrote:
> > add_entry -password -p osipovmi at COMAPNY.NET -k 1 -e
> > aes256-cts-hmac-sha1-96 add_entry -password -p osipovmi at COMAPNY.NET -k
> > 1 -e aes128-cts-hmac-sha1-96 add_entry -password -p
> > osipovmi at COMAPNY.NET -k 1 -e arcfour-hmac
> [...]
> > kinit: Invalid argument while getting initial credentials
> 
> Your primary problem here has to do with salts.  From the trace logs you provided
> me, the salt string for this principal was constructed using the principal name
> michael.osipov at COMAPNY.NET (not the actual realm name), not
> osipovmi at COMAPNY.NET.  ktutil unfortunately has no way to specify the salt
> string or to retrieve it from the KDC; it can only use the default salt for the principal
> name when adding a keytab entry using a password.  The RC4 enctype does not
> use the salt, so you don't encounter this problem when using only an RC4 key.
> 
> I believe that people generally have better luck with msktutil for creating keytabs
> for use with Active Directory; it may solve this problem.
> 
> The secondary problem is that you are getting the error message "Invalid
> argument" instead of something more accurate, like "Password incorrect"
> or "Preauthentication failed."  I don't know the exact cause of this problem yet,
> though I believe it has to do with our PKINIT code.

After some research I have stumbled upon this thread: http://kerberos.996246.n3.nabble.com/ktutil-problems-generating-AES-keys-salt-td41104.html

This is the exact same problem I have. Greg, you have already mentioned back then it would be nice to provide a custom salt.
Nonetheless, Mark Pröhl provided a workaround for this. Annoying, but I was able to obtain a TGT and kinit.trace looks good now.

For the shortcomings in msktutil, I will contact Mark and see how we can improve that stuff.
Regarding ktutil, I'd love to see the AS-REQ to look up the salt but I would already be happy with a -salt switch.
Do you think we could get this in a foreseeable future?

Michael

More information about the Kerberos mailing list