Incompatibility between krb's AES256-CTS-HMAC-SHA1-96 and Microsoft Windows Domain

Isaac Boukris iboukris at
Tue Oct 31 11:47:00 EDT 2017

On Tue, Oct 31, 2017 at 4:44 PM, Ido Shlomo <shloim at> wrote:
> Since this is an automated task, I cannot generate anything outside the
> machine.
> Is it possible to specify the salt using ktutil?

You can try an AS request where the KDC tells the salt, like:
# KRB5_TRACE=/dev/tty kinit principal

btw, for user-account in AD the salt is the UPN attribute of the user.

More information about the krbdev mailing list