KRB5_KDCREP_MODIFIED - KDC reply did not match expectations error

Henry B. Hotz hotz at
Wed Oct 8 15:56:57 EDT 2008

On Oct 8, 2008, at 8:56 AM, krbdev-request at wrote:

> Date: Tue, 7 Oct 2008 21:46:20 -0400
> From: "Stephen Ince" <since at>
> Subject: KRB5_KDCREP_MODIFIED - KDC reply did not match expectations
>        error
> To: "krbdev" <krbdev at>
> Message-ID: <3c0801c928e7$a9968460$6e00a8c0 at desktop2>
> Content-Type: text/plain; format=flowed; charset="iso-8859-1";
>        reply-type=original
> Hi, I am very new to Kerberos. I am trying to connect to an AD KDC server
> and I am getting the following error.
> KRB5_KDCREP_MODIFIED - KDC reply did not match expectations.
> The call is the following.
>    err = krb5_get_in_tkt_with_password(
>        krb5->context,
>        kdcFlags, NULL, NULL, NULL, password, krb5->ccache,
>        &krb5->credentials, 0);
> I am missing some additional setup. I have this call working when I use a
> kfw Kerberos server.  Basically I am doing the following.
> krb5_init_context(..
> krb5_parse_name(.
> krb5_build_principal_ext(..
> krb5_cc_resolve(..
> krb5_cc_initialize(..
> krb5_get_in_tkt_with_password(..
> Steve

There seem to be two ways this error can happen "in the wild".  1) if  
you are using a Microsoft KDC and the case of the requested principal  
differs from what's in the server's database.  (I've not seen this  
myself.)  2) if you have a Heimdal KDC, the request has the  
renewable_ok flag set, and the time limits are set to allow extension  
of the renewable time limit as that flag suggests.

I've seen the latter with the Sun pam_krb5 module.  The MIT code  
doesn't generally produce requests matching case 2).  IIRC the  
relevant code is in src/lib/krb5/krb/get_in_tkt.c, and 1.6.1b1 does  
not appear to have been fixed.

The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at, or hbhotz at
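
A triage helper for the two cases named in the reply above, as an added example that is not part of the original thread and is not MIT krb5 code. The struct, the function names, the sample values and the exact time comparison used for case 2 are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed, simplified view of one AS-REQ/AS-REP pair (not krb5 types). */
struct as_exchange {
    const char *req_client, *rep_client; /* principal asked for / returned */
    int req_renewable, req_renewable_ok; /* KDC options in the request */
    int rep_renewable;                   /* RENEWABLE flag on the ticket */
    long req_till, rep_renew_till;       /* epoch seconds */
};

enum cause { NO_MISMATCH, PRINC_CASE_ONLY, PRINC_DIFFERENT, RENEW_EXTENDED };

static int eq_nocase(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b; /* both strings must end together */
}

/* Case 1 first: Kerberos principal names are compared case-sensitively. */
enum cause classify(const struct as_exchange *x)
{
    if (strcmp(x->req_client, x->rep_client) != 0)
        return eq_nocase(x->req_client, x->rep_client) ? PRINC_CASE_ONLY
                                                       : PRINC_DIFFERENT;
    /* Case 2 (assumed comparison): renewable ticket not asked for, with a
       renew-till later than the end time the client requested. */
    if (x->req_renewable_ok && !x->req_renewable && x->rep_renewable &&
        x->req_till != 0 && x->rep_renew_till > x->req_till)
        return RENEW_EXTENDED;
    return NO_MISMATCH;
}

/* Constructed sample exchanges; names and times are made up. */
const struct as_exchange samples[] = {
    { "steve@EXAMPLE.COM", "Steve@EXAMPLE.COM", 0, 0, 0, 36000, 0 },
    { "steve@EXAMPLE.COM", "steve@EXAMPLE.COM", 0, 1, 1, 36000, 604800 },
    { "steve@EXAMPLE.COM", "steve@EXAMPLE.COM", 1, 0, 1, 36000, 604800 },
    { "steve@EXAMPLE.COM", "admin@EXAMPLE.COM", 0, 0, 0, 36000, 0 },
};

int main(void)
{
    static const char *label[] = { "no mismatch", "principal differs in case only",
                                   "principal differs", "renewable_ok extension" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("sample %zu: %s\n", i, label[classify(&samples[i])]);
    return 0;
}
```

The request and reply values would come from a packet capture or KDC log of the failing exchange; a "principal differs" result points away from both cases in the reply.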
