jcmturner / gokrb5

Pure Go Kerberos library for clients and services
Apache License 2.0

Error decrypting encpart of service ticket #508

Open keith6014 opened 1 year ago

keith6014 commented 1 year ago

Golang 1.17 gokrb5 8.4.3

On the domain controller I have

setspn -Q HTTP/server.fqdn.edu
   HTTP/server.fqdn.edu
   HTTP/server

How I created the keytab:

I am sure the password is correct because I also do kinit -kt keytab user@fqdn.edu and it authenticates fine.

How I test:

curl --negotiate -u : http://server.fqdn.edu:8080/test

The error I keep getting is:

SPNEGO validation error: defective token detected: [Root cause: Decrypting_Error] Decrypting_Error: error decrypting encpart of service ticket provided: error decrypting Ticket EncPart: error decrypting: integrity verification failed

ktutil
  rkt keytab
  list -e

slot   KVNO   Principal
____   ____   ______________________________________
1       3       HTTP/server.fqdn.edu  (arcfour-hmac)    
2       3       serviceaccount@FQDN   (arcfour-hmac)                   
... (for other encryption keys also)

Not sure where else to look

keith6014 commented 1 year ago

@jcmturner any ideas on how I can troubleshoot this?

The odd thing is, I run my process on another server and it works.

glacuesta-sa commented 1 year ago

I got that error recently, and it was due to expecting the encryption type to be RC4 while it is using AES256, or vice versa. I'd suggest playing with encryption types at the domain controller, disabling or enabling these two.

jcmturner commented 1 year ago

What is in the client's krb5.conf? It may be best to specify the enc type with default_tkt_enctypes
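To check the enctype and kvno of every slot in a keytab against the ticket the client was issued, the keytab can be listed programmatically. The following is an added example, not part of this thread and not gokrb5 code: it reads the MIT keytab layout with the Go standard library only, and `Entry`, `ParseKeytab` and the sample bytes are names and data made up here.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// Entry is one keytab slot, as `ktutil list -e` prints it.
type Entry struct {
	Principal   string
	KVNO, EType uint32 // etype 17/18 = AES128/256, 23 = arcfour-hmac
}

// ParseKeytab lists an MIT keytab (format 0x0502, big-endian); key bytes are skipped, never kept.
func ParseKeytab(b []byte) (out []Entry, err error) {
	defer func() { err, _ = recover().(error) }() // a bad version or out-of-range read becomes err
	if len(b) < 2 || b[0] != 5 || b[1] != 2 {
		panic(fmt.Errorf("not a 0x0502 keytab"))
	}
	for b = b[2:len(b):len(b)]; len(b) >= 4; {
		size := int(int32(binary.BigEndian.Uint32(b)))
		if b = b[4:]; size < 0 { // hole left by a deleted entry
			b = b[-size:]
			continue
		}
		e := b[:size:size] // capped so a field cannot run into the next entry
		b = b[size:]
		take := func(n int) (h []byte) {
			h, e = e[:n:n], e[n:]
			return h
		}
		u16 := func() int { return int(binary.BigEndian.Uint16(take(2))) }
		n, realm, name := u16(), string(take(u16())), ""
		for ; n > 0; n-- {
			name += "/" + string(take(u16()))
		}
		kvno, etype := uint32(take(9)[8]), uint32(u16()) // skip name type + timestamp, keep 8-bit kvno
		take(u16())                                      // key bytes
		if len(e) >= 4 && binary.BigEndian.Uint32(e) != 0 { // optional 32-bit kvno overrides it
			kvno = binary.BigEndian.Uint32(e)
		}
		out = append(out, Entry{name[1:] + "@" + realm, kvno, etype})
	}
	return out, nil
}

var sample = []byte("\x05\x02\x00\x00\x00\x44\x00\x02\x00\x08FQDN.EDU\x00\x04HTTP\x00\x0fserver.fqdn.edu\x00\x00\x00\x01" +
	"\x00\x00\x00\x00\x03\x00\x17\x00\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03") // constructed: one arcfour-hmac slot, kvno 3, zero key

func main() { fmt.Println(ParseKeytab(sample)) }
```

A slot only helps the service if its principal, enctype and kvno all match what the ticket was encrypted with; on an MIT client, `klist -e` shows the enctype of the issued service ticket.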