Kerberos ticket: TGT failed verification using key for host principal [Decrypt integrity check failed]

Solution Verified - Updated -

Issue

  • Unable to identify the reason for the "Decrypt integrity check failed" error.
  • TGT verification fails, as shown in the following krb5_child log:
(2023-11-15  8:15:51): [krb5_child[80049]] [unpack_buffer] (0x0100): [RID#109] cmd [241 (auth)] uid [2115633] gid [2115633] validate [true] enterprise principal [false] offline [false] UPN [test@EXAMPLE.COM]
(2023-11-15  8:15:51): [krb5_child[80049]] [unpack_buffer] (0x2000): [RID#109] No old ccache
(2023-11-15  8:15:51): [krb5_child[80049]] [unpack_buffer] (0x0100): [RID#109] ccname: [KCM:] old_ccname: [not set] keytab: [/etc/krb5.keytab]
(2023-11-15  8:15:51): [krb5_child[80049]] [k5c_precreate_ccache] (0x4000): [RID#109] Recreating ccache
(2023-11-15  8:15:51): [krb5_child[80049]] [k5c_setup_fast] (0x0100): [RID#109] Fast principal is set to [host/test1.idm.example.com]
(2023-11-15  8:15:51): [krb5_child[80049]] [find_principal_in_keytab] (0x4000): [RID#109] Trying to find principal host/test1.idm.example.com in keytab.
(2023-11-15  8:15:51): [krb5_child[80049]] [match_principal] (0x1000): [RID#109] Principal matched to the sample (host/test1.idm.example.com).
(2023-11-15  8:15:51): [krb5_child[80049]] [check_fast_ccache] (0x0200): [RID#109] FAST TGT is still valid.
(2023-11-15  8:15:51): [krb5_child[80049]] [become_user] (0x0200): [RID#109] Trying to become user [2115633][2115633].
(2023-11-15  8:15:51): [krb5_child[80049]] [main] (0x2000): [RID#109] Running as [2115633][2115633].
(2023-11-15  8:15:51): [krb5_child[80049]] [set_lifetime_options] (0x0100): [RID#109] No specific renewable lifetime requested.
(2023-11-15  8:15:51): [krb5_child[80049]] [set_lifetime_options] (0x0100): [RID#109] No specific lifetime requested.
(2023-11-15  8:15:51): [krb5_child[80049]] [set_canonicalize_option] (0x0100): [RID#109] Canonicalization is set to [true]
...
(2023-11-15  8:15:51): [krb5_child[80049]] [tgt_req_child] (0x1000): [RID#109] Attempting to get a TGT <---
(2023-11-15  8:15:51): [krb5_child[80049]] [get_and_save_tgt] (0x0400): [RID#109] Attempting kinit for realm [EXAMPLE.COM]
(2023-11-15  8:15:51): [krb5_child[80049]] [sss_child_krb5_trace_cb] (0x4000): [RID#109] [80049] 1700036151.728077: Getting initial credentials for test@EXAMPLE.COM

(2023-11-15  8:15:51): [krb5_child[80049]] [sss_child_krb5_trace_cb] (0x4000): [RID#109] [80049] 1700036151.728078: FAST armor ccache: MEMORY:/var/lib/sss/db/fast_

(2023-11-15  8:15:51): [krb5_child[80049]] [sss_child_krb5_trace_cb] (0x4000): [RID#109] [80049] 1700036151.728079: Retrieving host/test1.idm.example.com -> krb5_ccache_conf_data/fast_EXAMPLE.COM\fast_ with result: -1765328243/Matching credential not found
...
(2023-11-15  8:15:51): [krb5_child[80049]] [sss_child_krb5_trace_cb] (0x4000): [RID#109] [80049] 1700036151.728093: Selected etype info: etype aes256-cts, salt "EXAMPLE.COM.
...
(2023-11-15  8:15:51): [krb5_child[80049]] [sss_krb5_responder] (0x4000): [RID#109] Got question [password].
...
(2023-11-15  8:15:51): [krb5_child[80049]] [sss_child_krb5_trace_cb] (0x4000): [RID#109] [80049] 1700036151.728096: AS key obtained for encrypted timestamp: aes256-cts/0067
...
(2023-11-15  8:15:51): [krb5_child[80049]] [sss_child_krb5_trace_cb] (0x4000): [RID#109] [80049] 1700036151.728129: Sending request (2131 bytes) to EXAMPLE.COM
(2023-11-15  8:15:51): [krb5_child[80049]] [sss_child_krb5_trace_cb] (0x4000): [RID#109] [80049] 1700036151.728137: TGS reply is for test@EXAMPLE.COM -> krbtgt/IDM.EXAMPLE.COM@ with session key aes256-cts/FB43

(2023-11-15  8:15:51): [krb5_child[80049]] [sss_child_krb5_trace_cb] (0x4000): [RID#109] [80049] 1700036151.728138: TGS request result: 0/Success

(2023-11-15  8:15:51): [krb5_child[80049]] [sss_child_krb5_trace_cb] (0x4000): [RID#109] [80049] 1700036151.728139: Storing test@EXAMPLE.COM -> krbtgt/IDM.EXAMPLE.COM@ in MEMORY:6LKnQ67

(2023-11-15  8:15:51): [krb5_child[80049]] [sss_child_krb5_trace_cb] (0x4000): [RID#109] [80049] 1700036151.728140: Received TGT for service realm: krbtgt/IDM.EXAMPLE.COM@

(2023-11-15  8:15:51): [krb5_child[80049]] [sss_child_krb5_trace_cb] (0x4000): [RID#109] [80049] 1700036151.728141: Requesting tickets for host/test1.idm.example.com, referrals on
.......
(2023-11-15  8:15:51): [krb5_child[80049]] [sss_child_krb5_trace_cb] (0x4000): [RID#109] [80049] 1700036151.728152: TGS request result: -1765328353/Decrypt integrity check failed

(2023-11-15  8:15:51): [krb5_child[80049]] [sss_child_krb5_trace_cb] (0x4000): [RID#109] [80049] 1700036151.728153: Requesting tickets for host/test1.idm.example.com, referrals off

(2023-11-15  8:15:51): [krb5_child[80049]] [sss_child_krb5_trace_cb] (0x4000): [RID#109] [80049] 1700036151.728154: Generated subkey for TGS request: aes256-cts/EFAB

(2023-11-15  8:15:51): [krb5_child[80049]] [sss_child_krb5_trace_cb] (0x4000): [RID#109] [80049] 1700036151.728155: etypes requested in TGS request: aes256-cts, aes256-sha2, aes128-sha2, aes128-cts <---

(2023-11-15  8:15:51): [krb5_child[80049]] [sss_child_krb5_trace_cb] (0x4000): [RID#109] [80049] 1700036151.728157: Encoding request body and padata into FAST request

(2023-11-15  8:15:51): [krb5_child[80049]] [sss_child_krb5_trace_cb] (0x4000): [RID#109] [80049] 1700036151.728158: Sending request (2150 bytes) to IDM.EXAMPLE.COM

(2023-11-15  8:15:51): [krb5_child[80049]] [sss_child_krb5_trace_cb] (0x4000): [RID#109] [80049] 1700036151.728159: Initiating TCP connection to stream 10.0.0.1:88

(2023-11-15  8:15:51): [krb5_child[80049]] [sss_child_krb5_trace_cb] (0x4000): [RID#109] [80049] 1700036151.728160: Sending TCP request to stream 10.0.0.1:88

(2023-11-15  8:15:51): [krb5_child[80049]] [sss_child_krb5_trace_cb] (0x4000): [RID#109] [80049] 1700036151.728161: Received answer (132 bytes) from stream 10.0.0.1:88

(2023-11-15  8:15:51): [krb5_child[80049]] [sss_child_krb5_trace_cb] (0x4000): [RID#109] [80049] 1700036151.728162: Terminating TCP connection to stream 10.0.0.1:88

(2023-11-15  8:15:51): [krb5_child[80049]] [sss_child_krb5_trace_cb] (0x4000): [RID#109] [80049] 1700036151.728163: Response was from primary KDC

(2023-11-15  8:15:51): [krb5_child[80049]] [sss_child_krb5_trace_cb] (0x4000): [RID#109] [80049] 1700036151.728164: TGS request result: -1765328353/Decrypt integrity check failed <--

(2023-11-15  8:15:51): [krb5_child[80049]] [sss_child_krb5_trace_cb] (0x4000): [RID#109] [80049] 1700036151.728165: Destroying ccache MEMORY:6LKnQ67

(2023-11-15  8:15:51): [krb5_child[80049]] [validate_tgt] (0x0020): [RID#109] TGT failed verification using key for [host/test1.idm.example.com]. <--
(2023-11-15  8:15:51): [krb5_child[80049]] [get_and_save_tgt] (0x0020): [RID#109] 2046: [-1765328353][Decrypt integrity check failed] <---
(2023-11-15  8:15:51): [krb5_child[80049]] [map_krb5_error] (0x0020): [RID#109] 2138: [-1765328353][Decrypt integrity check failed] <--
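
To condense a trace like the one above into the facts worth checking first, the following added example (not Red Hat's or SSSD's code) groups krb5_child lines by request ID and reports which TGS request failed during TGT validation. The names `triage` and `FIELDS` are hypothetical; the sample lines are copied from the log above, and the script reports only what the log states, not a root cause.

```python
import re
from collections import defaultdict

# Lines copied from the krb5_child log above (subset; "<--" annotations kept).
SAMPLE = """\
(2023-11-15  8:15:51): [krb5_child[80049]] [unpack_buffer] (0x0100): [RID#109] cmd [241 (auth)] uid [2115633] gid [2115633] validate [true] enterprise principal [false] offline [false] UPN [test@EXAMPLE.COM]
(2023-11-15  8:15:51): [krb5_child[80049]] [sss_child_krb5_trace_cb] (0x4000): [RID#109] [80049] 1700036151.728138: TGS request result: 0/Success
(2023-11-15  8:15:51): [krb5_child[80049]] [sss_child_krb5_trace_cb] (0x4000): [RID#109] [80049] 1700036151.728140: Received TGT for service realm: krbtgt/IDM.EXAMPLE.COM@
(2023-11-15  8:15:51): [krb5_child[80049]] [sss_child_krb5_trace_cb] (0x4000): [RID#109] [80049] 1700036151.728153: Requesting tickets for host/test1.idm.example.com, referrals off
(2023-11-15  8:15:51): [krb5_child[80049]] [sss_child_krb5_trace_cb] (0x4000): [RID#109] [80049] 1700036151.728155: etypes requested in TGS request: aes256-cts, aes256-sha2, aes128-sha2, aes128-cts <---
(2023-11-15  8:15:51): [krb5_child[80049]] [sss_child_krb5_trace_cb] (0x4000): [RID#109] [80049] 1700036151.728160: Sending TCP request to stream 10.0.0.1:88
(2023-11-15  8:15:51): [krb5_child[80049]] [sss_child_krb5_trace_cb] (0x4000): [RID#109] [80049] 1700036151.728164: TGS request result: -1765328353/Decrypt integrity check failed <--
(2023-11-15  8:15:51): [krb5_child[80049]] [validate_tgt] (0x0020): [RID#109] TGT failed verification using key for [host/test1.idm.example.com]. <--
"""

LINE = re.compile(r"\[krb5_child\[\d+\]\] \[\w+\] \(0x[0-9a-f]+\): \[RID#(\d+)\] (.*)")
ARROW = re.compile(r"\s*<-+\s*$")  # strip the article's "<--" markers
FIELDS = {
    "upn": re.compile(r"UPN \[([^\]]+)\]"),
    "validate": re.compile(r"validate \[(\w+)\]"),
    "tgt_realm": re.compile(r"Received TGT for service realm: (\S+)"),
    "target": re.compile(r"Requesting tickets for ([^,\s]+)"),
    "etypes": re.compile(r"etypes requested in TGS request: (.+)$"),
    "kdc": re.compile(r"Sending TCP request to stream (\S+)"),
    "validation_key": re.compile(r"TGT failed verification using key for \[([^\]]+)\]"),
}
RESULT = re.compile(r"TGS request result: (-?\d+)/(.+)$")

def triage(log_text):
    """Return {rid: summary} for each request whose TGT validation failed."""
    reqs = defaultdict(dict)
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        rid, msg = m.group(1), ARROW.sub("", m.group(2))
        for key, rx in FIELDS.items():
            hit = rx.search(msg)
            if hit:
                reqs[rid][key] = hit.group(1)  # later lines overwrite earlier ones
        res = RESULT.search(msg)
        if res and res.group(1) != "0":  # 0/Success is not a failure
            reqs[rid]["error"] = (int(res.group(1)), res.group(2))
            reqs[rid]["failed_target"] = reqs[rid].get("target")
    return {rid: r for rid, r in reqs.items() if "validation_key" in r}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The libkrb5 trace lines it relies on appear at the (0x4000) debug level seen in the excerpt, so the input log has to be captured with that level enabled.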

Environment

  • Red Hat Enterprise Linux 9.2
  • kerberos
  • sssd
  • ipa
  • ipa-ad trust
