pbkdf2_string_to_key generating wrong encryption key

Ashi1986 vermaashish_mca at hotmail.com
Tue Sep 19 08:58:35 EDT 2017

Hi All , 

This is my setup . 

windows 8.1 64 bit 
windows 2012 R2 server AD and KDC . 
BS2000 with MIT kerberos 1.13.2 

I generate keytab for  SPN using this command  : 

ktpass -princ host/<Host name>@domain name -mapuser <domain name\domain user
pass> pass <password> -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -out

I am trying to decrypt AP_REQ using this keytab. 
I looked at kvno, encryption type and everything else matches. 

while configuring the DES-CBC-CRC, DES-CBC-MD5, RC4-HMAC-NT it works fine
and Kerberos connection established. 

while decrypting the packet in krb5_c_decrypt -> krb5_k_decrypt ->

In case of encryption type AES128-SHA1 and AES256-SHA1, It is noticed that
keys generated from the password by using the function
[lib/crypto/krb/string_to_key.c\krb5_c_string_to_key] is different from the
key generated with the same password with KTPASS command. 

In case of DES-CBC-CRC and DES-CBC-MD5, RC4-HMAC-NT generated keys are
exactly matched with the keys generated by KTPASS command. 

Therefore kerberos connection becomes successful with the encryption type
DES-CBC-CRC, DES-CBC-MD5 and RC4-HMAc-NT and connection gets failed with
error code KRB5KRB_AP_ERR_BAD_INTEGRITY with the encryption type AES128-SHA1
and AES256-SHA1.

salt generated with MIT sources is exactly same as salt used in KTPASS

Please suggest how to fix this problem. 

Any help would be appreciated !!! 

Thanks & Regards 

Sent from: http://kerberos.996246.n3.nabble.com/Kerberos-General-f11810.html

More information about the Kerberos mailing list