jcmturner/gokrb5

[v8] AP_REQ verification failed for aes256-cts-hmac-sha1-96

Opened this issue · 4 comments

AP_REQ verification failed for aes256-cts-hmac-sha1-96

Error:- [Root cause: Decryption_Error] Decryption_Error: error decrypting encpart of service ticket provided: error decrypting Ticket EncPart: error decrypting: integrity verification failed.

The user's ticket decryption failed for encType aes256-cts-hmac-sha1-96 in VerifyIntegrity; the HMAC values do not match. The error occurred when the service's encType in AD was changed from rc4 to aes256-cts-hmac-sha1-96.

While debugging, we found that VerifyIntegrity of aes256-cts-hmac-sha1-96 uses rfc3961, and as per IETF that has been superseded by rfc8429. Is there a plan to update to rfc8429 in the near future?

rfc3961.VerifyIntegrity(protocolkey, ct, pt, usage, e)

I'm new to Kerberos functionality and am looking for some help on this issue.

The aes256-cts-hmac-sha1-96 enctype implements encryption type ID 18 and checksum type ID 16. From reading RFC 8429 these are not deprecated. I would also be a little surprised if RFC 8429 required a change to an existing enctype as this would be a breaking change for backwards compatibility. Are other users experiencing this issue?

@jcmturner this is also happening to me and these issues as well
#416
#484

Thanks, I'll take a look into these other issues to see what's going on.

@jcmturner Same issue as #508
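
The integrity check named in the error above, written out as an added example (not gokrb5's code and not part of the thread): RFC 3961/3962 derive Ki from the protocol key and key usage, then compare a 96-bit HMAC-SHA1 over the decrypted confounder and data. The function names, the all-constructed keys and the plaintext are assumptions; key usage 2 is the RFC 4120 usage for a ticket's EncPart.

```go
package main

import (
	"crypto/aes"
	"crypto/hmac"
	"crypto/sha1"
	"fmt"
)

// nfold is the RFC 3961 n-fold function (13-bit rotations); outLen is in bytes.
func nfold(in []byte, outLen int) []byte {
	k, lcm, carry := len(in), len(in), 0
	for lcm%outLen != 0 {
		lcm += k
	}
	out := make([]byte, outLen)
	for i := lcm - 1; i >= 0; i-- {
		msbit := ((k*8 - 1) + (k*8+13)*(i/k) + (k-i%k)*8) % (k * 8)
		w := int(in[(k-1-msbit/8)%k])<<8 | int(in[(k-msbit/8)%k])
		carry += (w>>(msbit%8+1))&0xff + int(out[i%outLen])
		out[i%outLen], carry = byte(carry), carry>>8
	}
	for i := outLen - 1; i >= 0 && carry != 0; i-- { // end-around carry
		out[i], carry = byte(carry+int(out[i])), (carry+int(out[i]))>>8
	}
	return out
}

// integrityTag is hmac-sha1-96-aes256 over confounder|data, keyed with Ki = DK(key, usage|0x55).
func integrityTag(key [32]byte, plaintext []byte, usage uint32) []byte {
	blk, _ := aes.NewCipher(key[:]) // a 32-byte key is always accepted
	ki := make([]byte, 32)
	blk.Encrypt(ki[:16], nfold([]byte{byte(usage >> 24), byte(usage >> 16), byte(usage >> 8), byte(usage), 0x55}, 16))
	blk.Encrypt(ki[16:], ki[:16])
	mac := hmac.New(sha1.New, ki)
	mac.Write(plaintext)
	return mac.Sum(nil)[:12]
}

// verifyIntegrity returns false in the case reported as "integrity verification failed".
func verifyIntegrity(key [32]byte, plaintext, tag []byte, usage uint32) bool {
	return hmac.Equal(tag, integrityTag(key, plaintext, usage))
}

func main() {
	kdcKey, serviceKey := [32]byte{}, [32]byte{1} // constructed keys, not real key material
	pt := []byte("constructed confounder|ticket data")
	tag := integrityTag(kdcKey, pt, 2) // key usage 2: ticket EncPart
	fmt.Println(verifyIntegrity(kdcKey, pt, tag, 2), verifyIntegrity(serviceKey, pt, tag, 2))
}
```

The tag verifies only under the same 32-byte protocol key that produced it, so the second call returns false even though the algorithm and key usage are identical.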