4 Replies Latest reply: Jul 22, 2010 6:32 AM by 843810 RSS

    "Cannot find key of appropriate type to decrypt"  error again - W2k8

    843810
      Getting "Cannot find key of appropriate type to decrypt AP REP - AES256 CTS mode with HMAC SHA1-96" when working with a Java (using JDK 1.6.0_18) application that is mimicking what is happening within OpenSSO's WindowsSSO module (where the problem started). I have searched the forum and whilst there are similar questions, none of the solutions fit. I have tried a lot of different permutations of the ktpass command and most lead back to here. When using the /crypto ALL param in ktpass the problem switches to checksum errors.

      The keytab file was generated using the following parameters:
      ktpass /mapuser OPENSSOHOST@CONTOSO.LOCAL /out c:\temp\openssohost.HTTP.keytab /princ HTTP/OPENSSOHOST.contoso.local@CONTOSO.LOCAL /ptype KRB5_NT_PRINCIPAL /pass Passw0rd
      Targeting domain controller: DC1W.contoso.local
      Using legacy password setting method
      Successfully mapped HTTP/OPENSSOHOST.contoso.local to openssohost.
      Key created.
      Output keytab to c:\temp\openssohost.HTTP.keytab:
      Keytab version: 0x502
      keysize 79 HTTP/OPENSSOHOST.contoso.local@CONTOSO.LOCAL ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x17 (RC4-HMAC) keylength 16 0xa87f3a337d73085c45f9416be5787d86)
      I created a standalone application to save me time when trying different permutations of keytab file generation using different ktpass parameters. The Java app is running against a Windows 2008 Server SP2 AD/KDC. Here is the exception/debug output from the application using the -Dsun.security.spnego.debug=true and -Dsun.security.krb5.debug=true flags:
      Config name: C:\Windows\krb5.ini
           KeyTabInputStream, readName(): CONTOSO.LOCAL
           KeyTabInputStream, readName(): HTTP
           KeyTabInputStream, readName(): OPENSSOHOST.contoso.local
           KeyTab: load() entry length: 79; type: 23
      Added key: 23version: 3
      Ordering keys wrt default_tkt_enctypes list
      Using builtin default etypes for default_tkt_enctypes
      default etypes for default_tkt_enctypes: 3 1 23 16 17 18.
      Using builtin default etypes for default_tkt_enctypes
      default etypes for default_tkt_enctypes: 3 1 23 16 17 18.
          KrbAsReq calling createMessage
          KrbAsReq in createMessage
          KrbKdcReq send: kdc=dc1w.contoso.local UDP:88, timeout=30000, number of retries =3, #bytes=164
          KDCCommunication: kdc=dc1w.contoso.local UDP:88, timeout=30000,Attempt =1, #bytes=164
          KrbKdcReq send: #bytes read=183
          KrbKdcReq send: #bytes read=183
          KDCRep: init() encoding tag is 126 req type is 11
          KRBError:
               sTime is Tue Apr 06 11:56:54 NZST 2010 1270511814000
               suSec is 686624
               error code is 25
               error Message is Additional pre-authentication required
               realm is CONTOSO.LOCAL
               sname is krbtgt/CONTOSO.LOCAL
               eData provided.
               msgType is 30
          Pre-Authentication Data:
               PA-DATA type = 11
               PA-ETYPE-INFO etype = 23
          Pre-Authentication Data:
               PA-DATA type = 19
               PA-ETYPE-INFO2 etype = 23
          Pre-Authentication Data:
               PA-DATA type = 2
               PA-ENC-TIMESTAMP
          Pre-Authentication Data:
               PA-DATA type = 16
          Pre-Authentication Data:
               PA-DATA type = 15
      AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ
          KrbAsReq salt is CONTOSO.LOCALHTTPopenssohost.contoso.local
      Pre-Authenticaton: find key for etype = 23
      AS-REQ: Add PA_ENC_TIMESTAMP now
           EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
           KrbAsReq calling createMessage
           KrbAsReq in createMessage
           KrbKdcReq send: kdc=dc1w.contoso.local UDP:88, timeout=30000, number of retries =3, #bytes=247
           KDCCommunication: kdc=dc1w.contoso.local UDP:88, timeout=30000,Attempt =1, #bytes=247
           KrbKdcReq send: #bytes read=98
           KrbKdcReq send: #bytes read=98
           KDCRep: init() encoding tag is 126 req type is 11
            KRBError:
               sTime is Tue Apr 06 11:56:54 NZST 2010 1270511814000
               suSec is 811624
               error code is 52
               error Message is Response too big for UDP, retry with TCP
               realm is CONTOSO.LOCAL
               sname is krbtgt/CONTOSO.LOCAL
               msgType is 30
           KrbKdcReq send: kdc=dc1w.contoso.local TCP:88, timeout=30000, number of retries =3, #bytes=247
           DEBUG: TCPClient reading 1472 bytes
           KrbKdcReq send: #bytes read=1472
           KrbKdcReq send: #bytes read=1472
           EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
           KrbAsRep cons in KrbAsReq.getReply HTTP/openssohost.contoso.local
      Service Subject:HTTP/openssohost.contoso.local@CONTOSO.LOCAL
      Entered SpNegoContext.acceptSecContext with state=STATE_NEW
      SpNegoContext.acceptSecContext: receiving token = a0 82..
      SpNegoToken NegTokenInit: reading Mechanism Oid = 1.2.840.48018.1.2.2
      SpNegoToken NegTokenInit: reading Mechanism Oid = 1.2.840.113554.1.2.2
      SpNegoToken NegTokenInit: reading Mechanism Oid = 1.3.6.1.4.1.311.2.2.30
      SpNegoToken NegTokenInit: reading Mechanism Oid = 1.3.6.1.4.1.311.2.2.10
      SpNegoToken NegTokenInit: reading Mech Token
      SpNegoToken NegTokenInit : no MIC token included
      SpNegoContext.acceptSecContext: received token of type = SPNEGO NegTokenInit
      SpNegoContext: negotiated mechanism = 1.2.840.113554.1.2.2
      Found key for HTTP/openssohost.contoso.local@CONTOSO.LOCAL(23)
      Entered Krb5Context.acceptSecContext with state=STATE_NEW
      java.security.PrivilegedActionException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - AES256 CTS mode with HMAC SHA1-96)
              at java.security.AccessController.doPrivileged(Native Method)
              at javax.security.auth.Subject.doAs(Subject.java:396)
              at kerberostest.Main.doSubjectCall(Main.java:54)
              at kerberostest.Main.main(Main.java:44)
      Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - AES256 CTS mode with HMAC SHA1-96)
              at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:741)
              at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
              at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
              at sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(SpNegoContext.java:874)
              at sun.security.jgss.spnego.SpNegoContext.acceptSecContext(SpNegoContext.java:541)
              at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
              at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
              at kerberostest.Main$1.run(Main.java:58)
      Caused by: KrbException: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - AES256 CTS mode with HMAC SHA1-96
              at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:262)
              at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:134)
              at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:79)
              at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:724)
        • 1. Re: "Cannot find key of appropriate type to decrypt"  error again - W2k8
          843810
          Just an update on my original question in case it helps...

          If I switch to /crypto AES256-SHA1 in the ktpass command I get Checksum failed errors instead. Has anyone been able to make Java 1.6 Kerberos apps work with a Windows AD/KDC running on Windows Server 2008? If yes, what steps did you follow?

          Here are the results:
                KeyTabInputStream, readName(): CONTOSO.LOCAL
                KeyTabInputStream, readName(): HTTP
                KeyTabInputStream, readName(): OPENSSOHOST.contoso.local
                KeyTab: load() entry length: 95; type: 18
          Added key: 18version: 3
          Ordering keys wrt default_tkt_enctypes list
          default etypes for default_tkt_enctypes: 18 23 16 3 1.
          0: EncryptionKey: keyType=18 kvno=3 keyValue (hex dump)=
          0000: 32 A0 E6 1C 0E 2E AE 8F   2B C0 4A 28 29 84 91 3D  2.......+.J()..=
          0010: CC C6 49 B1 EF 18 28 DA   22 A9 4D 8B D0 36 47 AE  ..I...(.".M..6G.
          
          
          default etypes for default_tkt_enctypes: 18 23 16 3 1.
                KrbAsReq calling createMessage
                KrbAsReq in createMessage
                KrbKdcReq send: kdc=dc1w.contoso.local UDP:88, timeout=30000, number of retries =3, #bytes=164
                KDCCommunication: kdc=dc1w.contoso.local UDP:88, timeout=30000,Attempt =1, #bytes=164
                KrbKdcReq send: #bytes read=205
                KrbKdcReq send: #bytes read=205
                KDCRep: init() encoding tag is 126 req type is 11
               KRBError:
                   sTime is Tue Apr 06 10:51:04 NZST 2010 1270507864000
                   suSec is 47253
                   error code is 25
                   error Message is Additional pre-authentication required
                   realm is CONTOSO.LOCAL
                   sname is krbtgt/CONTOSO.LOCAL
                   eData provided.
                   msgType is 30
               Pre-Authentication Data:
                   PA-DATA type = 19
                   PA-ETYPE-INFO2 etype = 18
               Pre-Authentication Data:
                   PA-DATA type = 2
                   PA-ENC-TIMESTAMP
               Pre-Authentication Data:
                   PA-DATA type = 16
               Pre-Authentication Data:
                   PA-DATA type = 15
          AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ
          Updated salt from pre-auth = CONTOSO.LOCALHTTPOPENSSOHOST.contoso.local
               KrbAsReq salt is CONTOSO.LOCALHTTPOPENSSOHOST.contoso.local
          Pre-Authenticaton: find key for etype = 18
          AS-REQ: Add PA_ENC_TIMESTAMP now
                EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
                KrbAsReq calling createMessage
                KrbAsReq in createMessage
                KrbKdcReq send: kdc=dc1w.contoso.local UDP:88, timeout=30000, number of retries =3, #bytes=251
                KDCCommunication: kdc=dc1w.contoso.local UDP:88, timeout=30000,Attempt =1, #bytes=251
                KrbKdcReq send: #bytes read=98
                KrbKdcReq send: #bytes read=98
                KDCRep: init() encoding tag is 126 req type is 11
               KRBError:
                   sTime is Tue Apr 06 10:51:04 NZST 2010 1270507864000
                   suSec is 203503
                   error code is 52
                   error Message is Response too big for UDP, retry with TCP
                   realm is CONTOSO.LOCAL
                   sname is krbtgt/CONTOSO.LOCAL
                   msgType is 30
                KrbKdcReq send: kdc=dc1w.contoso.local TCP:88, timeout=30000, number of retries =3, #bytes=251
               DEBUG: TCPClient reading 1581 bytes
                KrbKdcReq send: #bytes read=1581
                KrbKdcReq send: #bytes read=1581
                EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
                KrbAsRep cons in KrbAsReq.getReply HTTP/openssohost.contoso.local
          Service Subject:HTTP/openssohost.contoso.local@CONTOSO.LOCAL
          Entered SpNegoContext.acceptSecContext with state=STATE_NEW
          SpNegoContext.acceptSecContext: receiving token = a0 82 06 2d 30 82 06 29 a0.....
          5f a3 6e 04 01 
          Checksum failed !
          SpNegoToken NegTokenInit: reading Mechanism Oid = 1.2.840.48018.1.2.2
          SpNegoToken NegTokenInit: reading Mechanism Oid = 1.2.840.113554.1.2.2
          SpNegoToken NegTokenInit: reading Mechanism Oid = 1.3.6.1.4.1.311.2.2.30
          SpNegoToken NegTokenInit: reading Mechanism Oid = 1.3.6.1.4.1.311.2.2.10
          SpNegoToken NegTokenInit: reading Mech Token
          SpNegoToken NegTokenInit : no MIC token included
          SpNegoContext.acceptSecContext: received token of type = SPNEGO NegTokenInit
          SpNegoContext: negotiated mechanism = 1.2.840.113554.1.2.2
          Found key for HTTP/openssohost.contoso.local@CONTOSO.LOCAL(18)
          Entered Krb5Context.acceptSecContext with state=STATE_NEW
                EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
          java.security.PrivilegedActionException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
                  at java.security.AccessController.doPrivileged(Native Method)
                  at javax.security.auth.Subject.doAs(Subject.java:396)
                  at kerberostest.Main.doSubjectCall(Main.java:54)
                  at kerberostest.Main.main(Main.java:44)
          Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
                  at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:741)
                  at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
                  at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
                  at sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(SpNegoContext.java:874)
                  at sun.security.jgss.spnego.SpNegoContext.acceptSecContext(SpNegoContext.java:541)
                  at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
                  at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
                  at kerberostest.Main$1.run(Main.java:58)
                  ... 4 more
          Caused by: KrbException: Checksum failed
                  at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:85)
                  at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:77)
                  at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:168)
                  at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:267)
                  at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:134)
                  at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:79)
                  at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:724)
                  ... 11 more
          Caused by: java.security.GeneralSecurityException: Checksum failed
                  at sun.security.krb5.internal.crypto.dk.AesDkCrypto.decryptCTS(AesDkCrypto.java:431)
                  at sun.security.krb5.internal.crypto.dk.AesDkCrypto.decrypt(AesDkCrypto.java:254)
                  at sun.security.krb5.internal.crypto.Aes256.decrypt(Aes256.java:59)
                  at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:83)
                  ... 17 more
          {code}
          
          
          Thanks
          
          Mark                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        
          • 2. Re: "Cannot find key of appropriate type to decrypt"  error again - W2k8
            843810
            hi mark,
            I have the same problem in my install, i'm triying an SSO using CAS Spnego and Kerberos, i'm using DES-CBC-MD5 crypto.
            this is my exception :
            [#|2010-04-16T10:15:14.506+0200|INFO|sun-appserver2.1|net.java.spnego.SpnegoServerAuthModule|_ThreadID=16;_ThreadName=httpSSLWorkerThread-38005-1;|jmac.gss_dialog_failed
            GSSException: Failure unspecified at GSS-API level (Mechanism level: Integrity check on decrypted field failed (31))
            at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:741)
            at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
            at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
            at sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(SpNegoContext.java:874)
            at sun.security.jgss.spnego.SpNegoContext.acceptSecContext(SpNegoContext.java:541)
            at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
            at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
            at net.java.spnego.SpnegoServerAuthModule.validateRequest(SpnegoServerAuthModule.java:251)
            at com.sun.enterprise.security.jmac.config.GFServerConfigProvider$GFServerAuthContext.validateRequest(GFServerConfigProvider.java:1172)
            at com.sun.web.security.RealmAdapter.validate(RealmAdapter.java:1331)
            at com.sun.web.security.RealmAdapter.invokeAuthenticateDelegate(RealmAdapter.java:1213)
            at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:643)
            at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:625)
            at org.apache.catalina.core.StandardPipeline.doChainInvoke(StandardPipeline.java:599)
            at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:92)
            at com.sun.enterprise.web.PESessionLockingStandardPipeline.invoke(PESessionLockingStandardPipeline.java:98)
            at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:222)
            at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:648)
            at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:593)
            at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:587)
            at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:1096)
            at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:166)
            at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:648)
            at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:593)
            at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:587)
            at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:1096)
            at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:288)
            at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.invokeAdapter(DefaultProcessorTask.java:647)
            at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.doProcess(DefaultProcessorTask.java:579)
            at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.process(DefaultProcessorTask.java:831)
            at com.sun.enterprise.web.connector.grizzly.DefaultReadTask.executeProcessorTask(DefaultReadTask.java:341)
            at com.sun.enterprise.web.connector.grizzly.ssl.SSLReadTask.process(SSLReadTask.java:440)
            at com.sun.enterprise.web.connector.grizzly.ssl.SSLReadTask.doTask(SSLReadTask.java:228)
            at com.sun.enterprise.web.connector.grizzly.TaskBase.run(TaskBase.java:265)
            at com.sun.enterprise.web.connector.grizzly.ssl.SSLWorkerThread.run(SSLWorkerThread.java:106)
            Caused by: KrbException: Integrity check on decrypted field failed (31)
            at sun.security.krb5.internal.crypto.DesCbcEType.decrypt(DesCbcEType.java:154)
            at sun.security.krb5.internal.crypto.DesCbcMd5EType.decrypt(DesCbcMd5EType.java:33)
            at sun.security.krb5.internal.crypto.DesCbcEType.decrypt(DesCbcEType.java:125)
            at sun.security.krb5.internal.crypto.DesCbcMd5EType.decrypt(DesCbcMd5EType.java:33)
            at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:168)
            at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:267)
            at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:134)
            at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:79)
            at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:724)
            ... 34 more

            did you find an issue!!
            any help will be welcome
            thanks
            • 3. Re: "Cannot find key of appropriate type to decrypt"  error again - W2k8
              843810
              I guess OPENSSOHOST is a CNAME.

              You have to use the name of the computer to create the keytab instead of a DNS Record like OPENSSOHOST . Then it will work.
              • 4. Re: "Cannot find key of appropriate type to decrypt"  error again - W2k8
                843810
                Hi Markdr,

                You've received the "Cannot find key of appropriate type to decrypt".

                From the exceptions you've pasted into your first message we can see cause: "Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - AES256 CTS mode with HMAC SHA1-96".

                Key type of this encryption is 18.

                Now in command line type: klist -e -k krb5.keytab
                and look for Key types. You should have encryption type 18.

                Here's full list of those codes: http://www.iana.org/assignments/kerberos-parameters/kerberos-parameters.xml. Key type is eType. Yours is aes256-cts-hmac-sha1-96

                If you don't have it, then use ktpass to generate correct keytab with correct encoding: aes256.

                Best regards & good luck,
                Kamil