Incompatibility between krb's AES256-CTS-HMAC-SHA1-96 and Microsoft Windows Domain

Ido Shlomo shloim at gmail.com
Thu Nov 9 10:00:06 EST 2017


The thing is that kinit works well for the user (not computer)
The problem is that I register an SPN on the DC for that user (again, not
computer) using ldap, and then I register the same SPN
(MSSQL/mymachine.domain.com:1433 at DOMAIN.COM). The problem occurs when an
incoming connection gives me a token that I cannot accept. The error is
that I cannot decrypt it.

On Oct 31, 2017 17:47, "Isaac Boukris" <iboukris at gmail.com> wrote:

On Tue, Oct 31, 2017 at 4:44 PM, Ido Shlomo <shloim at gmail.com> wrote:
> Since this is an automated task, I cannot generate anything outside the
> machine.
> Is it possible to specify the salt using ktutil?

You can try an AS request where the KDC tells the salt, like:
# KRB5_TRACE=/dev/tty kinit principal

btw, for user-account in AD the salt is the UPN attribute of the user.
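To make the salt point concrete, the following is an added example, not code from this thread or from MIT krb5: a standard-library Go implementation of the aes256-cts-hmac-sha1-96 string-to-key function from RFC 3962 (PBKDF2-HMAC-SHA1 followed by DK with the "kerberos" n-fold constant from RFC 3961). It derives the same password under two salts, the one a keytab tool would assume by default (realm plus principal components) and a constructed alternative standing in for whatever the KDC reports in ETYPE-INFO2, and shows that the two long-term keys are unrelated. The password, principal name and salt strings are constructed for the demonstration; the KDC-side salt is an assumption, not the value AD actually uses.

```go
package main

import (
	"crypto/aes"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// 128-bit n-fold of the ASCII string "kerberos" (RFC 3961, appendix A).
// DK() feeds this constant through the cipher when deriving the long-term
// key from the PBKDF2 output.
var kerberosNfold = [16]byte{
	0x6b, 0x65, 0x72, 0x62, 0x65, 0x72, 0x6f, 0x73,
	0x7b, 0x9b, 0x5b, 0x2b, 0x93, 0x13, 0x2b, 0x93,
}

// pbkdf2SHA1 is PBKDF2 with HMAC-SHA1 (RFC 2898), written out so the
// example depends only on the Go standard library.
func pbkdf2SHA1(password, salt []byte, iterations, keyLen int) []byte {
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		mac := hmac.New(sha1.New, password)
		mac.Write(salt)
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], block)
		mac.Write(idx[:])
		u := mac.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iterations; i++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// deriveKey is DK(key, constant) from RFC 3961 section 5.1 as the AES
// enctypes use it: encrypt the 16-byte constant with a zero IV, then keep
// feeding the previous output block back in until keyLen bytes exist.
// For a single block, CBC-CTS with a zero IV is one raw AES encryption.
func deriveKey(baseKey []byte, constant [16]byte, keyLen int) []byte {
	c, err := aes.NewCipher(baseKey)
	if err != nil {
		panic(err)
	}
	var out []byte
	block := constant[:]
	for len(out) < keyLen {
		next := make([]byte, aes.BlockSize)
		c.Encrypt(next, block)
		out = append(out, next...)
		block = next
	}
	return out[:keyLen]
}

// AES256StringToKey is the aes256-cts-hmac-sha1-96 string-to-key of RFC 3962:
//   tkey = PBKDF2-HMAC-SHA1(password, salt, iterations, 32)
//   key  = DK(tkey, "kerberos")
func AES256StringToKey(password, salt string, iterations int) []byte {
	tkey := pbkdf2SHA1([]byte(password), []byte(salt), iterations, 32)
	return deriveKey(tkey, kerberosNfold, 32)
}

func main() {
	// Constructed values for the demonstration, not taken from the thread.
	const password = "CorrectHorseBatteryStaple"
	const iterations = 4096 // RFC 3962 default when the KDC sends no s2kparams

	// Salt a keytab tool assumes for svcsql@DOMAIN.COM: realm + principal components.
	assumedSalt := "DOMAIN.COMsvcsql"
	// Stand-in for the salt the KDC reports in ETYPE-INFO2 (assumed, chosen to differ).
	kdcSalt := "DOMAIN.COMsvcsql@domain.com"

	k1 := AES256StringToKey(password, assumedSalt, iterations)
	k2 := AES256StringToKey(password, kdcSalt, iterations)
	fmt.Printf("keytab key (salt %q): %s\n", assumedSalt, hex.EncodeToString(k1))
	fmt.Printf("KDC key    (salt %q): %s\n", kdcSalt, hex.EncodeToString(k2))
	// A service ticket encrypted under k2 cannot be decrypted with k1,
	// which is exactly the "cannot decrypt" failure on the accepting side.
	fmt.Println("keys match:", hex.EncodeToString(k1) == hex.EncodeToString(k2))
}
```

The practical check this suggests: compare the salt shown by `KRB5_TRACE=/dev/tty kinit principal` (the ETYPE-INFO2 salt the KDC sends) with the salt used when the keytab entry was created; if they differ, the keytab key is unrelated to the KDC's key even though the password is the same.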

