The MS-S4U documentation specifies that hmac-md5 be used for
PA-FOR-USER checksums; we were using the mandatory checksum type for
the key.  Although some other checksum types appear to be allowed by
Active Directory KDCs, Richard Silverman reports that md5-des is not
one of them, causing S4U2Self requests to fail for DES keys.


https://github.com/krb5/krb5/commit/582eacef47c1a9c9386bf588978125322ac6b970
Commit By: ghudson
Revision: 24929
Changed Files:
U   trunk/src/lib/krb5/krb/s4u_creds.c