From ayushpratap16 at gmail.com Fri Mar 20 03:13:24 2026
From: ayushpratap16 at gmail.com (Ayush)
Date: Fri, 20 Mar 2026 12:43:24 +0530
Subject: PKINIT: KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED with Windows Server 2025 but not minikerberos
Message-ID:

Hi all,

I'm running into an issue with PKINIT authentication against a Windows Server 2025 domain controller using MIT KRB5. With KRB5_TRACE enabled I can see the client is doing PKINIT correctly: loading the cert, building the DH request, and getting "Preauth module pkinit (16) returned: 0/Success". But then the KDC rejects with KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED (-1765328305).

Interestingly, PKINITtools/gettgtpkinit.py (which uses minikerberos) works perfectly against the exact same DC with the same cert. So minikerberos is sending the required checksum but MIT KRB5 isn't.

Looking at the code, I believe the checksum in question is the pkAuthenticator checksum in the PA-PK-AS-REQ.

Is there a krb5.conf option to enable this, or is this a known incompatibility between MIT KRB5 and Windows Server 2025's stricter PKINIT requirements?

Any pointers would be really appreciated!

From ghudson at mit.edu Fri Mar 20 11:29:12 2026
From: ghudson at mit.edu (Greg Hudson)
Date: Fri, 20 Mar 2026 11:29:12 -0400
Subject: PKINIT: KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED with Windows Server 2025 but not minikerberos
In-Reply-To:
References:
Message-ID:

On 3/20/26 03:13, Ayush wrote:
> With KRB5_TRACE enabled I can see the client is doing PKINIT correctly:
> loading the cert, building the DH request, and getting "Preauth module
> pkinit (16) returned: 0/Success". But then the KDC rejects with
> KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED (-1765328305).

I would guess that it wants the new paChecksum2, which we added support for in version 1.22. However, I don't see support for paChecksum2 in minikerberos, so perhaps I am wrong.

If I were debugging this, my next step would be to use Wireshark (or similar) to investigate the differences between the MIT krb5 PA-PK-AS-REQ and the minikerberos one.