79395692

Date: 2025-01-29 03:59:05
Score: 1.5
Natty:

Failing to decrypt the Kerberos ticket means the base key in the keytab is incorrect.

However, the actual cause is not necessarily what you think. You can regenerate the keytab, verify that it's correct and still get ticket decryption failure! Why?

Ticket decryption failure will occur if the SPN is set on the wrong account.

More specifically, if the target SPN is set on the wrong service account (maybe because you created a new account but the SPN was left on the old account), the KDC will issue a ticket encrypted with the base key of the "wrong" account. The client will submit that to your service but your service is using a different base key. Thus decryption failure.

Here's a nice page about Kerberos issues and fixes with a breakdown of causes of ticket decryption failure:

https://www.ioplex.com/learn/DiagnoseAndFixKerberos.html#hmac-failure

The page has some product specific references but it's applicable to Kerberos services in general.

Reasons:
  • Blacklisted phrase (0.5): Why?
  • Long answer (-0.5):
  • No code block (0.5):
  • Contains question mark (0.5):
  • Low reputation (0.5):
Posted by: squarewav
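The mechanism described in the answer, as an added toy model that is not part of the original post: the KDC keys the ticket to whichever account owns the SPN, so a freshly regenerated keytab for the intended service account still fails until the SPN is moved. HMAC-SHA256 stands in for the Kerberos encryption and checksum, and all account names, passwords and the realm are constructed.

```python
"""Toy model: a correct keytab still fails to verify a ticket when the SPN is
registered on the wrong account. Constructed example; HMAC-SHA256 stands in for
Kerberos' keyed encryption/checksum and PBKDF2 for string-to-key."""
import hashlib
import hmac

REALM = "EXAMPLE.COM"  # constructed


def derive_base_key(password: str, account: str) -> bytes:
    # Stand-in for the Kerberos string-to-key function; same inputs -> same key,
    # which is what "regenerating the keytab" reproduces for a given account.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (REALM + account).encode(), 10_000)


class Kdc:
    """Holds each account's base key and the SPN -> account mapping."""

    def __init__(self):
        self.account_keys = {}
        self.spn_owner = {}

    def set_password(self, account, password):
        self.account_keys[account] = derive_base_key(password, account)

    def register_spn(self, spn, account):
        self.spn_owner[spn] = account  # the SPN may only live on one account

    def issue_ticket(self, spn, client):
        # The ticket is keyed to the account that currently owns the SPN,
        # whether or not that is the account the service actually runs as.
        owner = self.spn_owner[spn]
        body = f"{client}->{spn}".encode()
        return body, hmac.new(self.account_keys[owner], body, hashlib.sha256).digest()


def service_accepts(keytab_key: bytes, ticket) -> bool:
    body, tag = ticket
    expected = hmac.new(keytab_key, body, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)  # mismatch == "ticket decryption failure"


def spn_misplacement_demo():
    kdc = Kdc()
    kdc.set_password("svc_old", "OldPassw0rd!")
    kdc.set_password("svc_new", "NewPassw0rd!")
    spn = "HTTP/web.example.com"
    kdc.register_spn(spn, "svc_old")  # SPN left behind on the old account
    keytab = derive_base_key("NewPassw0rd!", "svc_new")  # regenerated and correct
    before_fix = service_accepts(keytab, kdc.issue_ticket(spn, "alice"))
    owner_seen = kdc.spn_owner[spn]  # the check to run: who owns the SPN?
    kdc.register_spn(spn, "svc_new")  # fix: move the SPN, no new keytab needed
    after_fix = service_accepts(keytab, kdc.issue_ticket(spn, "alice"))
    return before_fix, owner_seen, after_fix
```

`spn_misplacement_demo()` returns `(False, "svc_old", True)`: the keytab was right all along, and only moving the SPN makes the ticket verify.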