search for: recipientidentifier

...). I tried to compare Kerberos traffic examples from genuine domain controller and Samba's response and found at least one difference, which could be a cause of issue: Samba (in fact, Heimdal) generates PA-PK-AS-REP which violates RFC 3852 (cryptographic message syntax). RFC 3852 says: If the RecipientIdentifier is the CHOICE issuerAndSerialNumber, then the version MUST be 0. If the RecipientIdentifier is subjectKeyIdentifier, then the version MUST be 2. But Heimdal uses subjectKeyIdentifier in response and version number 0. MS uses issuerAndSerialNumber. I tried to force Heimdal use issuerAndSerialNu...