Brief description

Hello,

I'm encountering an issue when trying to request a Kerberos TGT using ticketer with the armor_with parameter set, in an environment where Kerberos armoring (FAST) is enabled.
The TGT request fails systematically with KDC_ERR_POLICY.

I have reproduced the issue in production and in two separate lab environments, all configured with armoring enabled on the KDC side.

Scapy version

2.6.1.dev113

Python version

Python 3.11.11

Operating system

Ubuntu

Additional environment information

No response

How to reproduce

Hello,

I'm encountering an issue when trying to request a Kerberos TGT using ticketer with the armor_with parameter set, in an environment where Kerberos armoring (FAST) is enabled.
The TGT request fails systematically with KDC_ERR_POLICY.

I have reproduced the issue in:

• a production environment
• two separate lab environments

Here is the output of the test:

>>> load_module("ticketer")
>>> t = Ticketer()
>>> t.request_tgt("DC$@test.fr", key=Key(EncryptionType.AES256_CTS_HMAC_SHA1_96, bytes.fromhex("38c772db85ab9e723ebfb4359b2390779b657aff4141c17ecfe47a6acc9d3abe")))
>>> t.show()
CCache tickets:
0. DC$@TEST.FR -> krbtgt/TEST.FR@TEST.FR
 canonicalize+pre-authent+initial+renewable+forwardable
Start time End time Renew until Auth time 
21/07/25 17:05:02 22/07/25 03:04:55 22/07/25 03:04:55 21/07/25 17:05:02
>>> t.request_tgt("T0_QCS@test.fr", key=Key(EncryptionType.AES256_CTS_HMAC_SHA1_96, bytes.fromhex("73598779d8cff69c6ee215d57cba2df538706f18c847d8a4eb8de7a69e653a74")), armor_with=0)
ERROR: Received KRB_ERROR
###[ Kerberos ]###
 \root \
 |###[ KRB_ERROR ]###
 | pvno = 0x5 <ASN1_INTEGER[5]>
 | msgType = 'KRB-ERROR' 0x1e <ASN1_INTEGER[30]>
 | ctime = None
 | cusec = None
 | stime = 2025年07月21日 14:53:14 UTC <ASN1_GENERALIZED_TIME['20250721145314Z']>
 | susec = 0x7de5b <ASN1_INTEGER[515675]>
 | errorCode = 'KDC_ERR_POLICY' 0xc <ASN1_INTEGER[12]>
 | crealm = None
 | cname = None
 | realm = <ASN1_GENERAL_STRING[b'TEST.FR']>
 | \sname \
 | |###[ PrincipalName ]###
 | | nameType = 'NT-SRV-INST' 0x2 <ASN1_INTEGER[2]>
 | | nameString= [<ASN1_GENERAL_STRING[b'krbtgt']>, <ASN1_GENERAL_STRING[b'test.fr']>]
 | eText = None
 | eData = None

The same operation works perfectly when not using armoring, so the issue seems specific to the FAST mechanism.

Let me know if I can provide further details or perform additional tests.

Thanks for your work on this project! 👍

Actual result

The TGT request should succeed and return a valid ticket when using armor_with=0, assuming the key is valid and armoring is supported by the KDC.

Expected result

The TGT request using armor_with=0 should succeed when Kerberos armoring is enabled on the domain controller, as long as the provided credentials and keys are valid. The expected behavior is for the KDC to return a valid TGT, not a KDC_ERR_POLICY.

Related resources

PS > whoami /claims

USER CLAIMS INFORMATION

Claim Name Claim ID Flags Type Values
==================== =========================== ===== ====== =========
"AuthenticationSilo" ad://ext/AuthenticationSilo String "T0_SILO"