Have you enabled AES Encryption for the account in AD? http://blogs.msdn.com/b/openspecification/archive/2011/05/31/windows-configurations-for-kerberos-supported-encryption-type.aspx
This can, I believe, be achieved with group policy as well...

On Wed, Jul 29, 2015 at 5:43 AM, Osipov, Michael <michael.osi...@siemens.com> wrote:

> Hi,
>
> I have created a client keytab with ktutil:
>
> add_entry -password -p osipo...@comapny.net -k 1 -e aes256-cts-hmac-sha1-96
> add_entry -password -p osipo...@comapny.net -k 1 -e aes128-cts-hmac-sha1-96
> add_entry -password -p osipo...@comapny.net -k 1 -e arcfour-hmac
>
> then trying to obtain a TGT with 'kinit -k -i' but all I get is:
> kinit: Invalid argument while getting initial credentials
>
> Turning on KRB5_TRACE and Wireshark, I see that the server is rejecting
> both AES ciphers from my client.
>
> If I reduce the keytab down to arcfour-hmac, all works fine.
>
> I am on FreeBSD 9.x, MIT Kerberos 1.13.2 from ports system and multiple
> Windows Server 2008 R2.
>
> How can I locate this issue? Any advice? KRB5_TRACE and pcap file can
> be provided privately.
>
> Regards,
>
> Michael Osipov
>
> PS: I triple-checked the password, so the issue is not with that.
>
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

--
Todd Grayson
Customer Operations Engineering