Microsoft KB Archive Search

Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

  1. Home
  2. KRB_AP_ERR_BAD_INTEGRITY error when server tries to delegate in mixed Read-Only DC and Windows Server 2003 DC environment

KRB_AP_ERR_BAD_INTEGRITY error when server tries to delegate in mixed Read-Only DC and Windows Server 2003 DC environment

Symptoms

In a scenario where you are trying to perform Kerberos delegation from a middle-tier server to a back-end server, in an environment where Read-Only Domain Controllers (RODCs) exist with Windows Server 2003 Domain Controllers, delegation may fail.

Consider the following scenario:

  1. You have deployed Windows Server 2008 or later Read-Only Domain Controllers (RODCs).
  2. You have Windows Server 2003 Domain Controllers in the same domain as your RODCs.
  3. You have configured Kerberos delegation from a middle-tier server to a back-end server.

In this scenario Kerberos delegation may fail with error KRB_AP_ERR_BAD_INTEGRITY.

↑ Back to the top

Cause

In the above scenario, if the client receives a ticket for the middle-tier server from the RODC, the ticket will be protected with a krbtgt account that is specific to the branch the RODC is a member of. The branch specific krbtgt account was introduced in Windows Server 2008 for the use of RODCs. The client will provide that ticket to the middle-tier server for authentication. When the middle-tier server decides it needs to impersonate the client to access the back-end server, it will make a ticket request for the back-end server supplying the forwarded ticket the client provided. If the middle-tier server requests the ticket from a Windows Server 2003 Kerberos Key Distribution Center (KDC), the Windows Server 2003 KDC will fail to decrypt the ticket. This is because the Windows Server 2003 KDC tries to use the standard krbtgt account to decrypt the ticket though the ticket was protected using the branch specific krbtgt account. Since Windows Server 2003 has no knowledge of the use of the branch specific krbtgt account it will fail the request. 

Windows Server 2008 or later DCs support detecting which krbtgt account was used and will decrypt the ticket using the appropriate keys.

↑ Back to the top

Resolution

To resolve this issue, choose one of the following options:

  • Upgrade your Windows Server 2003 DCs to Windows Server 2008 or later
  • Configure the environment so that the servers who will be performing delegation will prefer Windows Server 2008 or later DCs when locating a KDC. This can be done through Active Directory site topology and costs, see Overview of Active Directory Sites and Services(http://technet.microsoft.com/en-us/library/cc731907(WS.10).aspx

↑ Back to the top

More Information

For more information about RODCs, see the Read-Only Domain Controller (RODC) Planning and Deployment Guide (http://go.microsoft.com/fwlink/?LinkID=135993).

↑ Back to the top

Keywords: kb

↑ Back to the top

Article Info
Article ID : 2360265
Revision : 1
Created on : 1/7/2017
Published on : 8/23/2010
Exists online : False
Views : 152