Incompatibility between krb's AES256-CTS-HMAC-SHA1-96 and Microsoft Windows Domain
iboukris at gmail.com
Thu Nov 9 13:10:33 EST 2017
On Thu, Nov 9, 2017 at 5:00 PM, Ido Shlomo <shloim at gmail.com> wrote:
> The thing is that kinit works well for the user (not computer)
> The problem is that I register an SPN on the DC for that user (again, not
> computer) using ldap, and then I resgister the same SPN
> (MSSQL/mymachine.domain.com:1433 at DOMAIN.COM). The problem occurs when an
> incoming connection gives me a token that I cannot accept. The error is
> I cannot decrypt it.
Wait, are you registering the same SPN twice to two different accounts?
You aren't supposed to do that I think, as the KDC might encrypt the ticket
with the key of the other principal.
More information about the krbdev