4 Replies Latest reply: Jul 22, 2010 4:32 AM by 843810

"Cannot find key of appropriate type to decrypt"  error again - W2k8

843810 Newbie
Getting "Cannot find key of appropriate type to decrypt AP REP - AES256 CTS mode with HMAC SHA1-96" when working with a Java (using JDK 1.6.0_18) application that is mimicking what is happening within OpenSSO's WindowsSSO module (where the problem started). I have searched the forum and whilst there are similar questions, none of the solutions fit. I have tried a lot of different permutations of the ktpass command and most lead back to here. When using the /crypto ALL param in ktpass the problem switches to checksum errors.

The keytab file was generated using the following parameters:
ktpass /mapuser OPENSSOHOST@CONTOSO.LOCAL /out c:\temp\openssohost.HTTP.keytab /princ HTTP/OPENSSOHOST.contoso.local@CONTOSO.LOCAL /ptype KRB5_NT_PRINCIPAL /pass Passw0rd
Targeting domain controller: DC1W.contoso.local
Using legacy password setting method
Successfully mapped HTTP/OPENSSOHOST.contoso.local to openssohost.
Key created.
Output keytab to c:\temp\openssohost.HTTP.keytab:
Keytab version: 0x502
keysize 79 HTTP/OPENSSOHOST.contoso.local@CONTOSO.LOCAL ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x17 (RC4-HMAC) keylength 16 0xa87f3a337d73085c45f9416be5787d86)
I created a standalone application to save me time when trying different permutations of keytab file generation using different ktpass parameters. The Java app is running against a Windows 2008 Server SP2 AD/KDC. Here is the exception/debug output from the application using the -Dsun.security.spnego.debug=true and -Dsun.security.krb5.debug=true flags:
Config name: C:\Windows\krb5.ini
     KeyTabInputStream, readName(): CONTOSO.LOCAL
     KeyTabInputStream, readName(): HTTP
     KeyTabInputStream, readName(): OPENSSOHOST.contoso.local
     KeyTab: load() entry length: 79; type: 23
Added key: 23version: 3
Ordering keys wrt default_tkt_enctypes list
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 3 1 23 16 17 18.
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 3 1 23 16 17 18.
    KrbAsReq calling createMessage
    KrbAsReq in createMessage
    KrbKdcReq send: kdc=dc1w.contoso.local UDP:88, timeout=30000, number of retries =3, #bytes=164
    KDCCommunication: kdc=dc1w.contoso.local UDP:88, timeout=30000,Attempt =1, #bytes=164
    KrbKdcReq send: #bytes read=183
    KrbKdcReq send: #bytes read=183
    KDCRep: init() encoding tag is 126 req type is 11
    KRBError:
         sTime is Tue Apr 06 11:56:54 NZST 2010 1270511814000
         suSec is 686624
         error code is 25
         error Message is Additional pre-authentication required
         realm is CONTOSO.LOCAL
         sname is krbtgt/CONTOSO.LOCAL
         eData provided.
         msgType is 30
    Pre-Authentication Data:
         PA-DATA type = 11
         PA-ETYPE-INFO etype = 23
    Pre-Authentication Data:
         PA-DATA type = 19
         PA-ETYPE-INFO2 etype = 23
    Pre-Authentication Data:
         PA-DATA type = 2
         PA-ENC-TIMESTAMP
    Pre-Authentication Data:
         PA-DATA type = 16
    Pre-Authentication Data:
         PA-DATA type = 15
AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ
    KrbAsReq salt is CONTOSO.LOCALHTTPopenssohost.contoso.local
Pre-Authenticaton: find key for etype = 23
AS-REQ: Add PA_ENC_TIMESTAMP now
     EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
     KrbAsReq calling createMessage
     KrbAsReq in createMessage
     KrbKdcReq send: kdc=dc1w.contoso.local UDP:88, timeout=30000, number of retries =3, #bytes=247
     KDCCommunication: kdc=dc1w.contoso.local UDP:88, timeout=30000,Attempt =1, #bytes=247
     KrbKdcReq send: #bytes read=98
     KrbKdcReq send: #bytes read=98
     KDCRep: init() encoding tag is 126 req type is 11
      KRBError:
         sTime is Tue Apr 06 11:56:54 NZST 2010 1270511814000
         suSec is 811624
         error code is 52
         error Message is Response too big for UDP, retry with TCP
         realm is CONTOSO.LOCAL
         sname is krbtgt/CONTOSO.LOCAL
         msgType is 30
     KrbKdcReq send: kdc=dc1w.contoso.local TCP:88, timeout=30000, number of retries =3, #bytes=247
     DEBUG: TCPClient reading 1472 bytes
     KrbKdcReq send: #bytes read=1472
     KrbKdcReq send: #bytes read=1472
     EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
     KrbAsRep cons in KrbAsReq.getReply HTTP/openssohost.contoso.local
Service Subject:HTTP/openssohost.contoso.local@CONTOSO.LOCAL
Entered SpNegoContext.acceptSecContext with state=STATE_NEW
SpNegoContext.acceptSecContext: receiving token = a0 82..
SpNegoToken NegTokenInit: reading Mechanism Oid = 1.2.840.48018.1.2.2
SpNegoToken NegTokenInit: reading Mechanism Oid = 1.2.840.113554.1.2.2
SpNegoToken NegTokenInit: reading Mechanism Oid = 1.3.6.1.4.1.311.2.2.30
SpNegoToken NegTokenInit: reading Mechanism Oid = 1.3.6.1.4.1.311.2.2.10
SpNegoToken NegTokenInit: reading Mech Token
SpNegoToken NegTokenInit : no MIC token included
SpNegoContext.acceptSecContext: received token of type = SPNEGO NegTokenInit
SpNegoContext: negotiated mechanism = 1.2.840.113554.1.2.2
Found key for HTTP/openssohost.contoso.local@CONTOSO.LOCAL(23)
Entered Krb5Context.acceptSecContext with state=STATE_NEW
java.security.PrivilegedActionException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - AES256 CTS mode with HMAC SHA1-96)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAs(Subject.java:396)
        at kerberostest.Main.doSubjectCall(Main.java:54)
        at kerberostest.Main.main(Main.java:44)
Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - AES256 CTS mode with HMAC SHA1-96)
        at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:741)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
        at sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(SpNegoContext.java:874)
        at sun.security.jgss.spnego.SpNegoContext.acceptSecContext(SpNegoContext.java:541)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
        at kerberostest.Main$1.run(Main.java:58)
Caused by: KrbException: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - AES256 CTS mode with HMAC SHA1-96
        at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:262)
        at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:134)
        at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:79)
        at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:724)
  • 1. Re: "Cannot find key of appropriate type to decrypt"  error again - W2k8
    843810 Newbie
    Just an update on my original question in case it helps...

    If I switch to /crypto AES256-SHA1 in the ktpass command I get Checksum failed errors instead. Has anyone been able to make Java 1.6 Kerberos apps work with a Windows AD/KDC running on Windows Server 2008? If yes, what steps did you follow?

    Here are the results:
          KeyTabInputStream, readName(): CONTOSO.LOCAL
          KeyTabInputStream, readName(): HTTP
          KeyTabInputStream, readName(): OPENSSOHOST.contoso.local
          KeyTab: load() entry length: 95; type: 18
    Added key: 18version: 3
    Ordering keys wrt default_tkt_enctypes list
    default etypes for default_tkt_enctypes: 18 23 16 3 1.
    0: EncryptionKey: keyType=18 kvno=3 keyValue (hex dump)=
    0000: 32 A0 E6 1C 0E 2E AE 8F   2B C0 4A 28 29 84 91 3D  2.......+.J()..=
    0010: CC C6 49 B1 EF 18 28 DA   22 A9 4D 8B D0 36 47 AE  ..I...(.".M..6G.
    
    
    default etypes for default_tkt_enctypes: 18 23 16 3 1.
          KrbAsReq calling createMessage
          KrbAsReq in createMessage
          KrbKdcReq send: kdc=dc1w.contoso.local UDP:88, timeout=30000, number of retries =3, #bytes=164
          KDCCommunication: kdc=dc1w.contoso.local UDP:88, timeout=30000,Attempt =1, #bytes=164
          KrbKdcReq send: #bytes read=205
          KrbKdcReq send: #bytes read=205
          KDCRep: init() encoding tag is 126 req type is 11
         KRBError:
             sTime is Tue Apr 06 10:51:04 NZST 2010 1270507864000
             suSec is 47253
             error code is 25
             error Message is Additional pre-authentication required
             realm is CONTOSO.LOCAL
             sname is krbtgt/CONTOSO.LOCAL
             eData provided.
             msgType is 30
         Pre-Authentication Data:
             PA-DATA type = 19
             PA-ETYPE-INFO2 etype = 18
         Pre-Authentication Data:
             PA-DATA type = 2
             PA-ENC-TIMESTAMP
         Pre-Authentication Data:
             PA-DATA type = 16
         Pre-Authentication Data:
             PA-DATA type = 15
    AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ
    Updated salt from pre-auth = CONTOSO.LOCALHTTPOPENSSOHOST.contoso.local
         KrbAsReq salt is CONTOSO.LOCALHTTPOPENSSOHOST.contoso.local
    Pre-Authenticaton: find key for etype = 18
    AS-REQ: Add PA_ENC_TIMESTAMP now
          EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
          KrbAsReq calling createMessage
          KrbAsReq in createMessage
          KrbKdcReq send: kdc=dc1w.contoso.local UDP:88, timeout=30000, number of retries =3, #bytes=251
          KDCCommunication: kdc=dc1w.contoso.local UDP:88, timeout=30000,Attempt =1, #bytes=251
          KrbKdcReq send: #bytes read=98
          KrbKdcReq send: #bytes read=98
          KDCRep: init() encoding tag is 126 req type is 11
         KRBError:
             sTime is Tue Apr 06 10:51:04 NZST 2010 1270507864000
             suSec is 203503
             error code is 52
             error Message is Response too big for UDP, retry with TCP
             realm is CONTOSO.LOCAL
             sname is krbtgt/CONTOSO.LOCAL
             msgType is 30
          KrbKdcReq send: kdc=dc1w.contoso.local TCP:88, timeout=30000, number of retries =3, #bytes=251
         DEBUG: TCPClient reading 1581 bytes
          KrbKdcReq send: #bytes read=1581
          KrbKdcReq send: #bytes read=1581
          EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
          KrbAsRep cons in KrbAsReq.getReply HTTP/openssohost.contoso.local
    Service Subject:HTTP/openssohost.contoso.local@CONTOSO.LOCAL
    Entered SpNegoContext.acceptSecContext with state=STATE_NEW
    SpNegoContext.acceptSecContext: receiving token = a0 82 06 2d 30 82 06 29 a0.....
    5f a3 6e 04 01 
    Checksum failed !
    SpNegoToken NegTokenInit: reading Mechanism Oid = 1.2.840.48018.1.2.2
    SpNegoToken NegTokenInit: reading Mechanism Oid = 1.2.840.113554.1.2.2
    SpNegoToken NegTokenInit: reading Mechanism Oid = 1.3.6.1.4.1.311.2.2.30
    SpNegoToken NegTokenInit: reading Mechanism Oid = 1.3.6.1.4.1.311.2.2.10
    SpNegoToken NegTokenInit: reading Mech Token
    SpNegoToken NegTokenInit : no MIC token included
    SpNegoContext.acceptSecContext: received token of type = SPNEGO NegTokenInit
    SpNegoContext: negotiated mechanism = 1.2.840.113554.1.2.2
    Found key for HTTP/openssohost.contoso.local@CONTOSO.LOCAL(18)
    Entered Krb5Context.acceptSecContext with state=STATE_NEW
          EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
    java.security.PrivilegedActionException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
            at java.security.AccessController.doPrivileged(Native Method)
            at javax.security.auth.Subject.doAs(Subject.java:396)
            at kerberostest.Main.doSubjectCall(Main.java:54)
            at kerberostest.Main.main(Main.java:44)
    Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
            at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:741)
            at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
            at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
            at sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(SpNegoContext.java:874)
            at sun.security.jgss.spnego.SpNegoContext.acceptSecContext(SpNegoContext.java:541)
            at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
            at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
            at kerberostest.Main$1.run(Main.java:58)
            ... 4 more
    Caused by: KrbException: Checksum failed
            at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:85)
            at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:77)
            at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:168)
            at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:267)
            at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:134)
            at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:79)
            at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:724)
            ... 11 more
    Caused by: java.security.GeneralSecurityException: Checksum failed
            at sun.security.krb5.internal.crypto.dk.AesDkCrypto.decryptCTS(AesDkCrypto.java:431)
            at sun.security.krb5.internal.crypto.dk.AesDkCrypto.decrypt(AesDkCrypto.java:254)
            at sun.security.krb5.internal.crypto.Aes256.decrypt(Aes256.java:59)
            at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:83)
            ... 17 more
    
    
    Thanks
    
    Mark
  • 2. Re: "Cannot find key of appropriate type to decrypt"  error again - W2k8
    843810 Newbie
    Hi Mark,
    I have the same problem in my install. I'm trying an SSO using CAS, SPNEGO and Kerberos, and I'm using DES-CBC-MD5 crypto.
    This is my exception:
    [#|2010-04-16T10:15:14.506+0200|INFO|sun-appserver2.1|net.java.spnego.SpnegoServerAuthModule|_ThreadID=16;_ThreadName=httpSSLWorkerThread-38005-1;|jmac.gss_dialog_failed
    GSSException: Failure unspecified at GSS-API level (Mechanism level: Integrity check on decrypted field failed (31))
    at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:741)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
    at sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(SpNegoContext.java:874)
    at sun.security.jgss.spnego.SpNegoContext.acceptSecContext(SpNegoContext.java:541)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
    at net.java.spnego.SpnegoServerAuthModule.validateRequest(SpnegoServerAuthModule.java:251)
    at com.sun.enterprise.security.jmac.config.GFServerConfigProvider$GFServerAuthContext.validateRequest(GFServerConfigProvider.java:1172)
    at com.sun.web.security.RealmAdapter.validate(RealmAdapter.java:1331)
    at com.sun.web.security.RealmAdapter.invokeAuthenticateDelegate(RealmAdapter.java:1213)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:643)
    at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:625)
    at org.apache.catalina.core.StandardPipeline.doChainInvoke(StandardPipeline.java:599)
    at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:92)
    at com.sun.enterprise.web.PESessionLockingStandardPipeline.invoke(PESessionLockingStandardPipeline.java:98)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:222)
    at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:648)
    at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:593)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:587)
    at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:1096)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:166)
    at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:648)
    at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:593)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:587)
    at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:1096)
    at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:288)
    at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.invokeAdapter(DefaultProcessorTask.java:647)
    at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.doProcess(DefaultProcessorTask.java:579)
    at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.process(DefaultProcessorTask.java:831)
    at com.sun.enterprise.web.connector.grizzly.DefaultReadTask.executeProcessorTask(DefaultReadTask.java:341)
    at com.sun.enterprise.web.connector.grizzly.ssl.SSLReadTask.process(SSLReadTask.java:440)
    at com.sun.enterprise.web.connector.grizzly.ssl.SSLReadTask.doTask(SSLReadTask.java:228)
    at com.sun.enterprise.web.connector.grizzly.TaskBase.run(TaskBase.java:265)
    at com.sun.enterprise.web.connector.grizzly.ssl.SSLWorkerThread.run(SSLWorkerThread.java:106)
    Caused by: KrbException: Integrity check on decrypted field failed (31)
    at sun.security.krb5.internal.crypto.DesCbcEType.decrypt(DesCbcEType.java:154)
    at sun.security.krb5.internal.crypto.DesCbcMd5EType.decrypt(DesCbcMd5EType.java:33)
    at sun.security.krb5.internal.crypto.DesCbcEType.decrypt(DesCbcEType.java:125)
    at sun.security.krb5.internal.crypto.DesCbcMd5EType.decrypt(DesCbcMd5EType.java:33)
    at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:168)
    at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:267)
    at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:134)
    at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:79)
    at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:724)
    ... 34 more

    Did you find an issue?
    Any help will be welcome.
    Thanks
  • 3. Re: "Cannot find key of appropriate type to decrypt"  error again - W2k8
    843810 Newbie
    I guess OPENSSOHOST is a CNAME.

    You have to use the name of the computer to create the keytab instead of a DNS record like OPENSSOHOST. Then it will work.
  • 4. Re: "Cannot find key of appropriate type to decrypt"  error again - W2k8
    843810 Newbie
    Hi Markdr,

    You've received the "Cannot find key of appropriate type to decrypt" error.

    From the exceptions you've pasted into your first message we can see the cause: "Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - AES256 CTS mode with HMAC SHA1-96".

    The key type of this encryption is 18.

    Now, on the command line, type: klist -e -k krb5.keytab
    and look for the key types. You should have encryption type 18.

    Here's the full list of those codes: http://www.iana.org/assignments/kerberos-parameters/kerberos-parameters.xml. The key type is the eType. Yours is aes256-cts-hmac-sha1-96.

    If you don't have it, then use ktpass to generate a correct keytab with the correct encoding: aes256.

    Best regards & good luck,
    Kamil
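
The check suggested in the last reply (list the key types in the keytab and look for 18), as an added example that is not part of the original thread: a Python reader for the version 0x502 keytab layout reported by ktpass above, which lists each entry's etype and kvno without printing key bytes. The sample keytabs are constructed with all-zero placeholder keys, and all function names are this example's own.

```python
import struct

# Names for the etype numbers that appear in this thread (IANA Kerberos registry).
ETYPE_NAMES = {3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
               18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}


def parse_entry(buf):
    """Decode one keytab entry body (the bytes after its 32-bit size field)."""
    pos = 0

    def take(fmt):
        nonlocal pos
        try:
            (value,) = struct.unpack_from(fmt, buf, pos)
        except struct.error as exc:
            raise ValueError("truncated keytab entry") from exc
        pos += struct.calcsize(fmt)
        return value

    def counted():
        nonlocal pos
        n = take(">H")
        if pos + n > len(buf):
            raise ValueError("counted string runs past end of entry")
        chunk = buf[pos:pos + n]
        pos += n
        return chunk

    ncomp = take(">H")                      # number of name components
    realm = counted().decode("utf-8")
    comps = [counted().decode("utf-8") for _ in range(ncomp)]
    name_type = take(">I")                  # 1 = KRB5_NT_PRINCIPAL
    take(">I")                              # timestamp, not needed here
    kvno = take(">B")                       # 8-bit key version number
    etype = take(">H")
    key = counted()
    if len(buf) - pos >= 4:                 # optional 32-bit kvno extension
        kvno32 = take(">I")
        if kvno32:
            kvno = kvno32
    # Only the key length is kept: the key itself is a long-term secret.
    return {"principal": "/".join(comps) + "@" + realm, "name_type": name_type,
            "kvno": kvno, "etype": etype, "key_length": len(key)}


def parse_keytab(data):
    """Return the entries of a version 0x502 keytab given as bytes."""
    if len(data) < 2 or data[0] != 0x05 or data[1] != 0x02:
        raise ValueError("not a version 0x502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                       # negative size marks a hole to skip
            pos += -size
            continue
        if pos + size > len(data):
            raise ValueError("entry size runs past end of file")
        entries.append(parse_entry(data[pos:pos + size]))
        pos += size
    return entries


def missing_etypes(entries, principal, required):
    """Etypes from `required` for which `principal` has no key in the keytab."""
    have = {e["etype"] for e in entries if e["principal"] == principal}
    return sorted(set(required) - have)


def describe(entries):
    """One line per entry, in the spirit of `klist -e -k`, without key material."""
    return ["kvno %d  etype %d (%s)  keylength %d  %s" % (
        e["kvno"], e["etype"], ETYPE_NAMES.get(e["etype"], "unknown"),
        e["key_length"], e["principal"]) for e in entries]


def build_entry(realm, components, etype, kvno, key, name_type=1):
    """Build a sample entry (size field + body) for the constructed data below."""
    def counted(b):
        return struct.pack(">H", len(b)) + b
    body = struct.pack(">H", len(components)) + counted(realm.encode())
    body += b"".join(counted(c.encode()) for c in components)
    body += struct.pack(">IIBH", name_type, 0, kvno, etype) + counted(key)
    return struct.pack(">i", len(body)) + body


# Constructed samples mirroring the ktpass output in the first post
# (same principal, kvno 3), with all-zero placeholder keys.
PRINCIPAL = "HTTP/OPENSSOHOST.contoso.local@CONTOSO.LOCAL"
NAME = ["HTTP", "OPENSSOHOST.contoso.local"]
RC4_ENTRY = build_entry("CONTOSO.LOCAL", NAME, 23, 3, bytes(16))
AES_ENTRY = build_entry("CONTOSO.LOCAL", NAME, 18, 3, bytes(32))
SAMPLE_RC4_KEYTAB = b"\x05\x02" + RC4_ENTRY
SAMPLE_BOTH_KEYTAB = b"\x05\x02" + RC4_ENTRY + AES_ENTRY
SAMPLE_HOLE_KEYTAB = b"\x05\x02" + struct.pack(">i", -6) + bytes(6) + AES_ENTRY

if __name__ == "__main__":
    entries = parse_keytab(SAMPLE_RC4_KEYTAB)
    print("\n".join(describe(entries)))
    for etype in missing_etypes(entries, PRINCIPAL, [18]):
        print("no key of etype %d (%s) for %s"
              % (etype, ETYPE_NAMES.get(etype, "unknown"), PRINCIPAL))
```

To inspect a real file, pass its bytes to `parse_keytab`; the entry sizes it reads for the two layouts here are the same 79 and 95 bytes shown in the debug output above.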