Issue in generating Authenticator Data in AP_REQ

Sankar Das sankar_das at
Wed Aug 29 12:48:24 EDT 2012

Hi Greg
Thanks for the hints. It was really helpful. I have now able to generate the Authenticator data properly for TGS-REQ. I need some more help.
1. I am trying to use GSS-API. I am not sure how the Authenticator data is generated for the AP-REQ embedded in negTokenInit part of GSS-API. Is it generated in the same way as in TGS-REQ using the same key?
2. Is there any example program in MIT Kerberos source code distribution for the same? 
Thanks again for your help.

--- On Tue, 8/21/12, Greg Hudson <ghudson at MIT.EDU> wrote:

From: Greg Hudson <ghudson at MIT.EDU>
Subject: Re: Issue in generating Authenticator Data in AP_REQ
To: "Sankar Das" <sankar_das at>
Cc: krbdev at
Date: Tuesday, August 21, 2012, 10:17 PM

On 08/21/2012 08:22 AM, Sankar Das wrote:
> Still I am facing the same problem i.e. "Decrypt integrity check
> failed". Now I am sending the checksum as part of the authenticator
> data. Is there any way to know what part of my authenticator data is wrong?

That error generally indicates a problem decrypting the EncryptedData
and verifying its integrity, not a problem with the decrypted contents
of the Authenticator.

You haven't said how you're invoking OpenSSL, but I don't believe
OpenSSL has direct support for doing RFC 3961 encryption.  If you are
just doing something like an OpenSSL CBC encryption to populate an
EncryptedData cipher element, that's not going to work.

More information about the krbdev mailing list