Kerberos failed with krb5krb_AP_ERR_BAD_INTEGRITY

Kerberos failed with krb5krb_AP_ERR_BAD_INTEGRITY

Ashi1986
Hi All,

This is my setup.

Windows 8.1 64-bit
Windows 2012 R2 server AD and KDC.
BS2000 with MIT Kerberos 1.13.2

I generate the keytab for the SPN using this command:

ktpass -princ host/<Host name>@domain name -mapuser <domain name\domain user pass> pass <password> -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -out C:\KeyTab\HMAC7U6.keytab

I am trying to decrypt AP_REQ using this keytab.
I looked at kvno, encryption type and everything else matches.

While configuring DES-CBC-CRC and DES-CBC-MD5, it works fine and the Kerberos connection is established.

Why would this fail while decrypting the packet in krb5_c_decrypt -> krb5_k_decrypt -> krb5int_arcfour_decrypt
returning KRB5KRB_AP_ERR_BAD_INTEGRITY?
I have tried debugging it but I don't find a reason why it is failing.

Any help would be appreciated!!!

Thanks & Regards
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos

RE: Kerberos failed with krb5krb_AP_ERR_BAD_INTEGRITY

Osipov, Michael
> Hi All,
>
> This is my setup.
>
> Windows 8.1 64-bit
> Windows 2012 R2 server AD and KDC.
> BS2000 with MIT Kerberos 1.13.2
>
> I generate the keytab for the SPN using this command:
>
> ktpass -princ host/<Host name>@domain name -mapuser <domain name\domain
> user pass> pass <password> -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -
> out C:\KeyTab\HMAC7U6.keytab
>
> I am trying to decrypt AP_REQ using this keytab.
> I looked at kvno, encryption type and everything else matches.
>
> While configuring DES-CBC-CRC and DES-CBC-MD5, it works fine and
> the Kerberos connection is established.
>
> Why would this fail while decrypting the packet in krb5_c_decrypt ->
> krb5_k_decrypt -> krb5int_arcfour_decrypt
> returning KRB5KRB_AP_ERR_BAD_INTEGRITY?
> I have tried debugging it but I don't find a reason why it is failing.

Consider using msktutil(1), it does a very good job with the Active Directory.

Michael


RE: Kerberos failed with krb5krb_AP_ERR_BAD_INTEGRITY

Ashi1986
Thanks for the response.

>Consider using msktutil(1), it does a very good job with the Active Directory.

I am using a BS2000 machine as the server, and on BS2000 it is not required to merge the keytab files; on BS2000 only /ADD-KEYTAB-ENTRY and /MODIFY-LOGON-PROTECTION need to be performed.

Thank You

RE: Kerberos failed with krb5krb_AP_ERR_BAD_INTEGRITY

Ashi1986
In reply to this post by Osipov, Michael
>>Consider using msktutil(1), it does a very good job with the Active Directory.

After creating the keytab file by using the KTPASS command, the keytab file is added on the BS2000 machine and the connection test becomes successful for encryption types RC4_HMAC_NT, AES128-SHA1, AES256-SHA1, DES_CBC_CRC and DES_CBC_MD5.

But the connection test for encryption types DES_CBC_CRC and DES_CBC_MD5 becomes successful without adding the keytab file in BS2000.

Can you please suggest what settings need to be done in order to perform the connection test for encryption types RC4_HMAC_NT, AES128-SHA1 and AES256-SHA1 without adding the keytab file in BS2000?
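
For the kvno and encryption-type comparison mentioned in the first post, here is an added example (not code from this thread or from MIT Kerberos) that lists what a keytab actually contains, showing a key fingerprint instead of the key. It assumes keytab file format version 0x0502; the realm, principal and all-zero keys in the sample are constructed placeholders.

```python
import hashlib
import struct

# Kerberos enctype numbers for the encryption types named in this thread
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

def _counted(data, p):  # uint16 length + octets -> (octets, next offset)
    (n,) = struct.unpack_from(">H", data, p)
    return data[p + 2:p + 2 + n], p + 2 + n

def parse_keytab(data):
    """Return one dict per live entry of a file-format 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                 # negative size marks a deleted slot
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        names, p = [], pos + 2
        for _ in range(ncomp + 1):    # realm first, then the name components
            raw, p = _counted(data, p)
            names.append(raw.decode())
        _ntype, _ts, kvno, etype = struct.unpack_from(">IIBH", data, p)
        key, p = _counted(data, p + 11)
        if end - p >= 4:              # optional 32-bit kvno wins if non-zero
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        entries.append({"principal": "/".join(names[1:]) + "@" + names[0],
                        "kvno": kvno, "enctype": ENCTYPES.get(etype, str(etype)),
                        # fingerprint, not the key, so output is safe to share
                        "key_fp": hashlib.sha256(key).hexdigest()[:16]})
        pos = end
    return entries

def build_entry(realm, comps, kvno, etype, key):  # only builds the sample below
    cs = lambda b: struct.pack(">H", len(b)) + b
    head = struct.pack(">H", len(comps)) + b"".join(cs(s.encode()) for s in [realm, *comps])
    tail = struct.pack(">IIBH", 1, 0, kvno & 0xFF, etype) + cs(key) + struct.pack(">I", kvno)
    return struct.pack(">i", len(head + tail)) + head + tail

# Constructed sample keytab: hypothetical principal, all-zero dummy keys
SAMPLE = b"\x05\x02" + b"".join(
    build_entry("EXAMPLE.TEST", ["host", "bs2000.example.test"], 3, e, bytes(n))
    for e, n in ((23, 16), (18, 32)))
```

On a real file, pass the bytes read from it to `parse_keytab` and compare each entry's kvno and enctype, and the fingerprints across two keytabs for the same principal.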