Incompatibility between krb's AES256-CTS-HMAC-SHA1-96 and Microsoft Windows Domain
Andreas Schneider
asn at samba.org
Fri Nov 10 05:28:11 EST 2017
On Thursday, 9 November 2017 16:00:37 CET Ido Shlomo wrote:
> The thing is that kinit works well for the user (not computer)
> The problem is that I register an SPN on the DC for that user (again, not
> computer) using ldap, and then I register the same SPN
> (MSSQL/mymachine.domain.com:1433 at DOMAIN.COM). The problem occurs when an
> incoming connection gives me a token that I cannot accept. The error is
> that I cannot decrypt it.
Looking at the keysalt list of kdc.conf it looks like MIT Kerberos doesn't
support the salts used by Microsoft. You would need to extend it so you can
do:
kadmin -e aes256-cts:msft,aes128-cts:msft to generate correct keys
Andreas