PKINIT: KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED with Windows Server 2025 but not minikerberos
Greg Hudson
ghudson at mit.edu
Fri Mar 20 11:29:12 EDT 2026
On 3/20/26 03:13, Ayush wrote:
> With KRB5_TRACE enabled I can see the client is doing PKINIT correctly —
> loading the cert, building the DH request, and getting "Preauth module
> pkinit (16) returned: 0/Success". But then the KDC rejects with
> KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED (-1765328305).
I would guess that it wants the new paChecksum2, which we added support
for in version 1.22. However, I don't see support for paChecksum2 in
minikerberos, so perhaps I am wrong.
If I were debugging this, my next step would be to use Wireshark (or
similar) to investigate the differences between the MIT krb5
PA-PK-AS-REQ and the minikerberos one.