-
Notifications
You must be signed in to change notification settings - Fork 242
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Keytab created for etype AES256/AES128 does not work with Active Directory #416
Comments
@dasbh I'm having problems decrypting successfully emitted Kerberos tickets w/ AES256_CTS_HMAC_SHA1_96 from Active Directory, everything else works but the service that implements IWA aroung gokrb5, this may be the reason? |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Current keytab.AddEntry(..) adds salts derived from the PrincipalName. This does not work in AD for AES* since Microsoft decided to implement it differently.
To deal with the issue ktutil in Linux added additional param to specify salt in version krb5-1.16-final
Supporting a similar change in gokrb5 is a minor change (maybe an additional method or option pattern) as
crypto.GetKeyFromPassword
already supports salts as PADATA.Happy to provide PR.
INFO: AD salt derivation logic
AD uses the below algorithm for deriving salt.
For computer account:
(Note: samaccountname_nodollar is lower case for machine accounts)
(Note: only for DES/AES; arcfour-hmac-md5 doesn't use salts at all)
Salt for service accounts is created in a different way
(Note: samAccountName is case sensitive for service accounts)
Reference:
https://syfuhs.net/2017/07/09/on-adding-aes-support-to-kerberos-net/
http://kerberos.996246.n3.nabble.com/Creating-a-keytab-for-an-AD-user-td48559.html
http://kerberos.996246.n3.nabble.com/ktutil-problems-generating-AES-keys-salt-td41104.html
The text was updated successfully, but these errors were encountered: