Kerberos failed with krb5krb_AP_ERR_ BAD_INTEGRITY

Osipov, Michael michael.osipov at siemens.com
Tue Mar 21 04:38:03 EDT 2017


> Hi All ,
> 
> This is my setup .
> 
> windows 8.1 64 bit
> windows 2012 R2 server AD and KDC .
> BS2000 with MIT kerberos 1.13.2
> 
> I generate keytab for  SPN using this command  :
> 
> ktpass -princ host/<Host name>@domain name -mapuser <domain name\domain
> user pass> pass <password> -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -
> out C:\KeyTab\HMAC7U6.keytab
> 
> I am trying to decrypt AP_REQ using this keytab.
> I looked at kvno, encryption type and everything else matches.
> 
> while configuring the DES-CBC-CRC and DES-CBC-MD5 it works fine and
> Kerberos connection established.
> 
> Why would this fail while decrypting the packet in krb5_c_decrypt ->
> krb5_k_decrypt -> krb5int_arcfour_decrypt
> returning KRB5KRB_AP_ERR_BAD_INTEGRITY?
> I have tried debugging it abut I don't find a reason why it is failing.

Consider using msktutil(1), it does a very good job with the Active Directory.

Michael



More information about the Kerberos mailing list