PKINIT: KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED with Windows Server 2025 but not minikerberos
Ayush
ayushpratap16 at gmail.com
Fri Mar 20 03:13:24 EDT 2026
Hi all,

I'm running into an issue with PKINIT authentication against a Windows
Server 2025 domain controller using MIT KRB5.

With KRB5_TRACE enabled I can see the client is doing PKINIT correctly —
loading the cert, building the DH request, and getting "Preauth module
pkinit (16) returned: 0/Success". But then the KDC rejects with
KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED (-1765328305).

Interestingly, PKINITtools/gettgtpkinit.py (which uses minikerberos) works
perfectly against the exact same DC with the same cert. So minikerberos is
sending the required checksum but MIT KRB5 isn't.

Looking at the code, I believe the checksum in question is the
pkAuthenticator checksum in the PA-PK-AS-REQ. Is there a krb5.conf option
to enable this, or is this a known incompatibility between MIT KRB5 and
Windows Server 2025's stricter PKINIT requirements?

Any pointers would be really appreciated!