Incompatibility between krb's AES256-CTS-HMAC-SHA1-96 and Microsoft Windows Domain

Andreas Schneider asn at
Fri Nov 10 05:28:11 EST 2017

On Thursday, 9 November 2017 16:00:37 CET Ido Shlomo wrote:
> The thing is that kinit works well for the user (not computer)
> The problem is that I register an SPN on the DC for that user (again, not
> computer) using ldap, and then I register the same SPN
> (MSSQL/ at DOMAIN.COM). The problem occurs when an
> incoming connection gives me a token that I cannot accept. The error is
> that I cannot decrypt it.

Looking at the keysalt list of kdc.conf it looks like MIT Kerberos doesn't support the salts used by Microsoft. You would need to extend it so you can

kadmin -e aes256-cts:msft,aes128-cts:msft

to generate correct keys
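The salt mismatch behind the undecryptable token, as an added example that is not from this thread: RFC 3962 string-to-key (PBKDF2-HMAC-SHA1 with 4096 iterations, then DK with n-fold("kerberos")) run once with the salt a Windows DC uses for a user account and once with MIT's default salt for the SPN principal, which turns the same password into two different AES-256 keys. The account name sqlsvc, the SPN MSSQL/sql01.domain.com and the password used in the usage note are constructed for the example; the function names are mine, not MIT's API.

```go
package main

import (
	"crypto/aes"
	"crypto/hmac"
	"crypto/sha1"
	"strings"
)

// 128-bit n-fold("kerberos"), the fixed constant DK uses in RFC 3962 string-to-key.
var kerberosNfold = []byte{0x6b, 0x65, 0x72, 0x62, 0x65, 0x72, 0x6f, 0x73, 0x7b, 0x9b, 0x5b, 0x2b, 0x93, 0x13, 0x2b, 0x93}
// pbkdf2SHA1 is a minimal PBKDF2-HMAC-SHA1 (RFC 2898) for a 32-byte output (two SHA-1 blocks).
func pbkdf2SHA1(password, salt []byte, iter int) []byte {
	var out []byte
	for block := byte(1); block <= 2; block++ {
		mac := hmac.New(sha1.New, password)
		mac.Write(salt)
		mac.Write([]byte{0, 0, 0, block}) // INT(i), big-endian
		u := mac.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:32]
}
// StringToKeyAES256 is RFC 3962 string-to-key for aes256-cts-hmac-sha1-96 with the default 4096
// iterations: tkey = PBKDF2(password, salt); key = E(tkey, nfold) || E(tkey, E(tkey, nfold)).
func StringToKeyAES256(password, salt string) []byte {
	c, _ := aes.NewCipher(pbkdf2SHA1([]byte(password), []byte(salt), 4096)) // 32-byte key, cannot fail
	k1, k2 := make([]byte, 16), make([]byte, 16)
	c.Encrypt(k1, kerberosNfold) // one full block, so CTS with a zero IV is plain AES
	c.Encrypt(k2, k1)
	return append(k1, k2...)
}
// MITDefaultSalt is MIT's default ("normal") salt: realm, then the name components with "/" dropped.
func MITDefaultSalt(principal string) string {
	at := strings.LastIndex(principal, "@")
	return principal[at+1:] + strings.ReplaceAll(principal[:at], "/", "")
}
// ADUserSalt is what a Windows DC uses for a user account's AES keys: upper-case realm + sAMAccountName (case-sensitive).
func ADUserSalt(realm, samAccountName string) string { return strings.ToUpper(realm) + samAccountName }
```

For the thread's case, StringToKeyAES256("Winter2017!", ADUserSalt("DOMAIN.COM", "sqlsvc")) is the key the DC holds for the account (salt DOMAIN.COMsqlsvc), while StringToKeyAES256("Winter2017!", MITDefaultSalt("MSSQL/sql01.domain.com@DOMAIN.COM")) is what an offline keytab built with the MIT default salt DOMAIN.COMMSSQLsql01.domain.com gets; they differ, so the service cannot decrypt what the DC encrypted under the first. kinit for the user is unaffected because the KDC tells the client the account's salt in the ETYPE-INFO2 pre-authentication hint, which a keytab derived from the password has to supply itself.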