Decrypt Integrity Check Failed

Error

When AD Bridge users attempt to log in, they receive a standard password mismatch error preceded by a Kerberos error in the lsass log:

Nov 21 23:52:50 linux-hostname lsass: [LwKrb5InitializeUserLoginCredentials /builder/src-git/Platform/src/linux/lwadvapi/threaded/lwkrb5.c:1492] KRB5 Error code: -1765328353 (Message: Decrypt integrity check failed)

Nov 21 23:52:50 linux-hostname lsass: [lsass] Failed to authenticate user (name = 'domain\username') -> error = 40022, symbol = LW_ERROR_PASSWORD_MISMATCH, client pid = 8057

Cause

This error prevents all domain users from logging in to the affected host, while the same users can still log in on working hosts, which confirms that the password is not actually incorrect. The usual cause is a duplicate computer object (and therefore duplicate service principal names) for this host in Active Directory: the KDC encrypts service tickets with the key of one account, while the host's keytab holds the key of the other, so the ticket fails the decrypt integrity check.

Resolution

Search Active Directory for computer objects that share the affected host's name. Once the duplicate computer object is located, remove it and rejoin the affected computer to the domain.

To find duplicate SPNs quickly, run the following command on a Windows domain controller:

  • Single Domain Environment:
    setspn -x
  • Environments with Multiple Trusted Domains:
    setspn -t * -t home -x
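As an added example (not part of this article or of the AD Bridge product), the following PowerShell script performs the same duplicate search as setspn -x across one or more domains and additionally flags computer objects that share a dNSHostName, which is the duplicate-computer-object case described above. It assumes the ActiveDirectory RSAT module is installed and that the running account can read each trusted domain.

```powershell
# Added example: report SPNs and DNS host names registered on more than one
# object, across the current domain and its trusts (or the domains given).
param(
    # Domains to search; empty means the current domain plus all trusted domains.
    [string[]] $Domains = @()
)
Import-Module ActiveDirectory

if (-not $Domains) {
    $Domains = @((Get-ADDomain).DNSRoot) +
               @(Get-ADTrust -Filter * | ForEach-Object { $_.Name })
}

$bySpn  = @{}   # lower-cased SPN         -> list of distinguished names
$byHost = @{}   # lower-cased dNSHostName -> list of distinguished names

foreach ($domain in $Domains) {
    # Every object that carries at least one SPN (computers, service accounts).
    $objects = Get-ADObject -Server $domain -LDAPFilter '(servicePrincipalName=*)' `
                   -Properties servicePrincipalName, dNSHostName
    foreach ($obj in $objects) {
        foreach ($spn in $obj.servicePrincipalName) {
            $key = $spn.ToLowerInvariant()          # SPNs are case-insensitive
            if (-not $bySpn.ContainsKey($key)) { $bySpn[$key] = @() }
            $bySpn[$key] += $obj.DistinguishedName
        }
        if ($obj.dNSHostName) {
            $key = $obj.dNSHostName.ToLowerInvariant()
            if (-not $byHost.ContainsKey($key)) { $byHost[$key] = @() }
            $byHost[$key] += $obj.DistinguishedName
        }
    }
}

# Only keys that resolve to more than one object are duplicates worth removing.
foreach ($entry in ($bySpn.GetEnumerator() | Where-Object { $_.Value.Count -gt 1 })) {
    Write-Output ("DUPLICATE SPN  {0}" -f $entry.Key)
    $entry.Value | ForEach-Object { Write-Output ("    {0}" -f $_) }
}
foreach ($entry in ($byHost.GetEnumerator() | Where-Object { $_.Value.Count -gt 1 })) {
    Write-Output ("DUPLICATE HOST {0}" -f $entry.Key)
    $entry.Value | ForEach-Object { Write-Output ("    {0}" -f $_) }
}
```

Each reported entry lists the distinguished names of the colliding objects, so the stale computer object can be identified before it is deleted and the affected host is rejoined.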