wrong key is generated by krb5_c_string_to_key

Mark Pröhl mark at mproehl.net
Mon Jun 5 11:51:03 EDT 2017

On 06/02/2017 02:29 PM, Ashi1986 wrote:
> Hi All ,
> This is my setup .
> windows 8.1 64 bit
> windows 2012 R2 server AD and KDC .
> BS2000 with MIT kerberos 1.13.2
> I generate keytab for  SPN using this command  :
> ktpass -princ host/<Host name>@domain name -mapuser <domain name\domain user
> pass> pass <password> -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -out
> C:\KeyTab\HMAC7U6.keytab
> I am trying to decrypt AP_REQ using this keytab.
> I looked at kvno, encryption type and everything else matches.
> while configuring the DES-CBC-CRC and DES-CBC-MD5 it works fine and Kerberos
> connection established.
> while decrypting the packet in krb5_c_decrypt -> krb5_k_decrypt ->
> krb5int_arcfour_decrypt
> In case of encryption type RC4-HMAC, AES128-SHA1 and AES256-SHA1, It is
> noticed that keys generated from the password by using the function
> [lib/crypto/krb/string_to_key.c\*krb5_c_string_to_key*] is different from
> the key generated with the same password with KTPASS command.
> In case of DES-CBC-CRC and DES-CBC-MD5, generated keys are exactly matched
> with the keys generated by KTPASS command.
> Therefore kerberos connection becomes successful with the encryption type
> DES-CBC-CRC and DES-CBC-MD5 and connection gets failed with error code
> KRB5KRB_AP_ERR_BAD_INTEGRITY with the encryption type RC4-HMAC, AES128-SHA1
> and AES256-SHA1.
> Please suggest how to fix this problem.
> Any help would be appreciated !!!
> Thanks & Regards

If I do understand you correct, the keytab with the invalid RC4 and AES 
keys is generated with ktpass.exe. If so, how should that be related to 
the krb5_c_string_to_key function from MIT Kerberos?

And did you try to use msktutil instead of ktpass.exe?

- Mark

More information about the Kerberos mailing list