message size incompatible with type error for krb5-1.9 lib using Windows 2003 KDC

Douglas E. Engert deengert at
Wed Feb 16 14:20:29 EST 2011

On 2/16/2011 12:06 PM, Elzey, Blaine A (Blaine) wrote:
> Using adsiedit to manually modify the UserAccountControl Integer to include the NO_AUTH_DATA_REQUIRED bit (2097664 + 33554432 = 35652096) and that did not work.  Perhaps my Win2003SP2 still needs some Hotfix, but my dll versions are newer than the what is specified in the article.  The Hotfix download page said the release was Windows 2003 SP1 (x86), but I have 2003 SP2 (x86).  The UserAccountControl value that works is 6291968, set no preauth for user from account properties.  Is there another way to set the NO_AUTH_DATA_REQ other than adsiedit or did I need to perform some refresh to make the adsiedit change take affect?  I am reluctant to apply the Hotfix.

That is 0x2200200.
You also have the USE_DES_KEY_ONLY bit (0x200000) turned on, so the Windows DC will
assume the machine can only do DES. So that may be why the PAC signature
is using DES.

How did you setup the keytab for the server?  ktpass I presume.

You could look at using AES and/or arcfour for the service keys,
rather the DES.

>> From the Hotfix KB:
> Date         Time   Version       Size     File name
>     -------------------------------------------------------
>     14-Sep-2004  16:26  5.2.3790.210  226,816  Kdcsvc.dll
>     14-Sep-2004  16:26  5.2.3790.210  324,608  Netapi32.dll
>     14-Sep-2004  16:26  5.2.3790.210  464,384  Samsrv.dll
> I have:
> kdcsvc.dll       5.2.3790.3959
> netapi32.dll    5.2.3790.3959
> samsrv.dll       5.3.3790.3959
> Blaine


  Douglas E. Engert  <DEEngert at>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

More information about the krbdev mailing list