Incompatibility between krb's AES256-CTS-HMAC-SHA1-96 and Microsoft Windows Domain

Ido Shlomo shloim at
Thu Nov 9 15:03:54 EST 2017

No. I am registering an SPN for a single account.
The operation has 2 phases:
Add an entry to the local keytab using ktuil.
Add an entry to the User object in the Active Directory using openldap.

On Nov 9, 2017 20:10, "Isaac Boukris" <iboukris at> wrote:

> On Thu, Nov 9, 2017 at 5:00 PM, Ido Shlomo <shloim at> wrote:
> > The thing is that kinit works well for the user (not computer)
> > The problem is that I register an SPN on the DC for that user (again, not
> > computer) using ldap, and then I resgister the same SPN
> > (MSSQL/ at DOMAIN.COM). The problem occurs when an
> > incoming connection gives me a token that I cannot accept. The error is
> that
> > I cannot decrypt it.
> Wait, are you registering the same SPN twice to two different accounts?
> You aren't supposed to do that I think, as the KDC might encrypt the
> ticket with the key of the other principal.

More information about the krbdev mailing list