Decrypt Integrity Check Failed


When AD Bridge users attempt to log in, they receive a standard password mismatch error preceded by a Kerberos error:

Nov 21 23:52:50 linux-hostname lsass: [LwKrb5InitializeUserLoginCredentials /builder/src-git/Platform/src/linux/lwadvapi/threaded/lwkrb5.c:1492] KRB5 Error code: -1765328353 (Message: Decrypt integrity check failed)

Nov 21 23:52:50 linux-hostname lsass: [lsass] Failed to authenticate user (name = 'domain\username') -> error = 40022, symbol = LW_ERROR_PASSWORD_MISMATCH, client pid = 8057


This error will prevent all domain users from logging into this host, but attempts made on working hosts will verify the password is not actually incorrect.


Search for duplicate computer objects of the same name in Active Directory and remove any duplicates. Once the duplicate computer object is located, remove it and rejoin the affected computer to the domain.

To easily find duplicate SPN names, run the following command on a Windows domain controller:

  • Single Domain Environment:
    setspn -x
  • Environments with Multiple Trusted Domains:
    setspn -t * -t home -x