[19677] in Kerberos_V5_Development

home help back first fref pref prev next nref lref last post

Re: Incompatibility between krb's AES256-CTS-HMAC-SHA1-96 and

daemon@ATHENA.MIT.EDU (Isaac Boukris)
Thu Nov 9 13:10:57 2017

MIME-Version: 1.0
In-Reply-To: <CAK8_kV+2RqaN5EauyyEM+iOfWwdvriqeU2GLkUcTvd=aCbV2hw@mail.gmail.com>
From: Isaac Boukris <iboukris@gmail.com>
Date: Thu, 9 Nov 2017 20:10:33 +0200
Message-ID: <CAC-fF8QumBBaGsV_8mtK_M=oy=S9tLGdFW2CyONRfPUfKMC+KQ@mail.gmail.com>
To: Ido Shlomo <shloim@gmail.com>
Cc: krbdev@mit.edu, Simo Sorce <simo@redhat.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu

On Thu, Nov 9, 2017 at 5:00 PM, Ido Shlomo <shloim@gmail.com> wrote:
> The thing is that kinit works well for the user (not computer)
> The problem is that I register an SPN on the DC for that user (again, not
> computer) using ldap, and then I resgister the same SPN
> (MSSQL/mymachine.domain.com:1433@DOMAIN.COM). The problem occurs when an
> incoming connection gives me a token that I cannot accept. The error is
that
> I cannot decrypt it.

Wait, are you registering the same SPN twice to two different accounts?
You aren't supposed to do that I think, as the KDC might encrypt the ticket
with the key of the other principal.
_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev

home help back first fref pref prev next nref lref last post