Kerberos authentication failure (GSSAPI) due to lowercase Realm in generated ccache

[Byxs20]

Case-Sensitivity Issue in keycred-Generated ccache Files

I have identified a case-sensitivity issue in the ccache files generated by keycred. When using a ticket generated by keycred for Kerberos authentication (e.g., via evil-winrm), authentication fails with a GSSAPI error.

Upon investigation, the root cause appears to be that keycred saves the Service Principal Name (SPN) with a lowercase realm/domain, whereas other tools (like certipy) and Windows Kerberos expectations require it to be uppercase.

Comparison & Debugging
keycred output (Fails)

Service Principal: krbtgt/absolute.htb@ABSOLUTE.HTB (lowercase domain)

Result:

SpnegoError: Unspecified GSS failure. Minor code: Matching credential not found.

certipy output (Works)

Service Principal: krbtgt/ABSOLUTE.HTB@ABSOLUTE.HTB (uppercase domain)

Result:

Authentication successful.

klist Analysis

This output highlights the difference in klist -c where the service principal realm casing differs.

Error Comparison

Left side shows the GSS failure with the lowercase realm; right side shows successful authentication with uppercase.

Environment

Operating System: Kali Linux
Target: Windows Active Directory (HTB Absolute)
Authentication Method: Kerberos via evil-winrm -k

Expected Behavior

The ccache should be generated with the Service Principal realm in uppercase (e.g., krbtgt/REALM.LOCAL@REALM.LOCAL) to ensure compatibility with GSSAPI credential matching.

[rtpt-erikgeiser]

Thanks for your report. This issue stems from our adauth library so I re-created the same issue there (RedTeamPentesting/adauth#7). Of course, I'll leave this issue here open until the adauth fix is incorporated into keycred.

[rtpt-erikgeiser]

Just for clarification, I tested this with certipy and impacket smbclient.py and both accept either uppercase or lowercase domains in the SPN. Were you actually able to reproduce this issue with any other tool than evil-winrm-py?

[Byxs20]

I only tested with evil-winrm-py and did not try other tools, so I can't confirm whether the issue also affects them.

Perhaps this issue should be reported to evil-winrm-py instead.

[rtpt-erikgeiser]

I could fix this easily, but the issue why I'm asking is that I'm not sure if this is something that needs fixing in keycred or in evil-win-rm. I'm leaning to evil-win-rm not because I'm lazy but because there is a chance that another program may break because it expects it to be lowercase. keycred has to chose if it is supposed to be lower or upper but the programs that consume the tickets can chose to accept both with is way more elegant in my opinion.

[Byxs20]

Understood. No problem. Thank you for your reply!

[rtpt-erikgeiser]

I'll leave this issue open and we'll see how the maintainers of evil-winrm-py react. I'm sure we'll find a good solution in the end.

[Byxs20]

Certipy-ad works without requesting an ST, but keycred encounters a case-sensitivity issue. The workaround is to simply request an HTTP service ticket and then connect again.

KRB5CCNAME=WINRM_USER@absolute.htb.ccache faketime "$(get_dc_time $ip)" \
impacket-getST -k -no-pass -spn http/dc.absolute.htb absolute.htb/winrm_user

After obtaining the ticket, the connection works as expected.

[Byxs20]

This issue hasn’t been addressed for quite a while. I still recommend allowing the FQDN to be lowercase. I asked an AI about it, and it said that FQDNs should be entirely lowercase. Of course, I can’t guarantee that the information from the AI is correct, but lowercase FQDNs can connect normally.