jcmturner / gokrb5

Pure Go Kerberos library for clients and services
Apache License 2.0

[v8] AP_REQ verification failed for aes256-cts-hmac-sha1-96 #494

Open karandp opened 1 year ago

karandp commented 1 year ago

AP_REQ verification failed for aes256-cts-hmac-sha1-96

Error:- [Root cause: Decryption_Error] Decryption_Error: error decrypting encpart of service ticket provided: error decrypting Ticket EncPart: error decrypting: integrity verification failed.

The user's ticket decryption failed for encType aes256-cts-hmac-sha1-96 in VerifyIntegrity: the HMAC values do not match. The error occurred when the service's encType in AD was changed from rc4 to aes256-cts-hmac-sha1-96.

While debugging, we found that VerifyIntegrity of aes256-cts-hmac-sha1-96 uses rfc3961 and, as per IETF, that has been superseded by rfc8429. Is there a plan to update to rfc8429 in the near future?

rfc3961.VerifyIntegrity(protocolkey, ct, pt, usage, e)

I'm new to kerberos functionality, and looking for some help on this issue.
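The check that produces "integrity verification failed" is the RFC 3961 simplified-profile step for aes256-cts-hmac-sha1-96 (enctype 18): HMAC-SHA1 over confounder||plaintext with the integrity key Ki, truncated to 96 bits, compared against the tag the KDC appended. The following is an added, stand-alone Go illustration written for this thread; it is not gokrb5 code and the `keytabEntry` type, key bytes, principal name and key version numbers are constructed for the example. It takes Ki as already derived (the DK key-derivation step is left out) and models the two things a service operator would check first when this failure appears right after an enctype change in AD: whether the service's keytab has any key of enctype 18 at the ticket's kvno, and whether the key it does have matches the one the KDC encrypted the ticket with.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha1"
	"fmt"
)

// Encryption type IDs from RFC 3961/3962 and the truncated HMAC size from RFC 3962.
const (
	etypeRC4HMAC       = 23 // rc4-hmac
	etypeAES256SHA1    = 18 // aes256-cts-hmac-sha1-96
	hmacSHA1_96TagSize = 12 // HMAC-SHA1 truncated to 96 bits
)

// keytabEntry is a simplified model of one key held by the service.
// It is constructed for this example and is not gokrb5's keytab type.
type keytabEntry struct {
	principal string
	etype     int32
	kvno      uint8
	key       []byte // integrity key Ki, assumed already derived
}

// lookupKey returns the service key matching the enctype and key version
// carried in the incoming ticket. A miss means the service never received
// a key of that enctype, which is the first thing to verify after the
// enctype was changed on the account in AD.
func lookupKey(entries []keytabEntry, principal string, etype int32, kvno uint8) ([]byte, error) {
	for _, e := range entries {
		if e.principal == principal && e.etype == etype && e.kvno == kvno {
			return e.key, nil
		}
	}
	return nil, fmt.Errorf("keytab has no key for %s etype %d kvno %d", principal, etype, kvno)
}

// integrityTag is the RFC 3961 simplified-profile checksum: HMAC-SHA1 over
// confounder||plaintext keyed with Ki, truncated to 96 bits (RFC 3962).
func integrityTag(ki, confAndPlaintext []byte) []byte {
	mac := hmac.New(sha1.New, ki)
	mac.Write(confAndPlaintext)
	return mac.Sum(nil)[:hmacSHA1_96TagSize]
}

// verifyIntegrity is the step that fails in the report: the tag is
// recomputed with the service's Ki and compared in constant time.
func verifyIntegrity(ki, confAndPlaintext, tag []byte) bool {
	if len(tag) != hmacSHA1_96TagSize {
		return false
	}
	return hmac.Equal(integrityTag(ki, confAndPlaintext), tag)
}

// demoMismatch shows both failure modes with constructed keys:
// the keytab has no AES256 key at the ticket's kvno at all, and the key it
// does hold differs from the one the KDC used, so the tag never matches.
func demoMismatch() (missingKey, tagMismatch, ok bool) {
	kdcKi := bytes.Repeat([]byte{0x11}, 32)   // constructed: key the KDC used
	staleKi := bytes.Repeat([]byte{0x22}, 32) // constructed: key still in the keytab
	payload := []byte("confounder+EncTicketPart (constructed)")
	tag := integrityTag(kdcKi, payload)

	// Keytab as it might look right after the AD change: only an RC4 entry.
	oldKeytab := []keytabEntry{{"HTTP/app.example.com", etypeRC4HMAC, 2, staleKi}}
	_, err := lookupKey(oldKeytab, "HTTP/app.example.com", etypeAES256SHA1, 3)
	missingKey = err != nil

	tagMismatch = !verifyIntegrity(staleKi, payload, tag)
	ok = verifyIntegrity(kdcKi, payload, tag)
	return missingKey, tagMismatch, ok
}

func main() {
	missing, mismatch, ok := demoMismatch()
	fmt.Printf("no AES256 key in keytab: %v\n", missing)
	fmt.Printf("stale key fails integrity check: %v\n", mismatch)
	fmt.Printf("KDC key passes integrity check: %v\n", ok)
}
```

In practice the same HMAC mismatch appears whether the keytab was generated before the enctype change, was generated with a different salt or password, or is simply at an older kvno, so comparing the keytab's enctype/kvno entries against what the ticket carries is cheaper than debugging the cryptography.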

jcmturner commented 1 year ago

The aes256-cts-hmac-sha1-96 enctype implements encryption type ID 18 and checksum type ID 16. From reading RFC 8429 these are not deprecated. I would also be a little surprised if RFC 8429 required a change to an existing enctype as this would be a breaking change for backwards compatibility. Are other users experiencing this issue?

glacuesta-sa commented 1 year ago

@jcmturner this is also happening to me and these issues as well https://github.com/jcmturner/gokrb5/issues/416 https://github.com/jcmturner/gokrb5/pull/484

jcmturner commented 1 year ago

Thanks I'll take a look into these other issues to see what's going on.

keith6014 commented 1 year ago

@jcmturner Same issue as https://github.com/jcmturner/gokrb5/issues/508