Error decrypting encpart of service ticket #508

Open
keith6014 opened this issue Feb 13, 2023 · 3 comments

@keith6014

Golang 1.17
gokrb5 8.4.3

On the domain controller I have

setspn -Q HTTP/server.fqdn.edu
   HTTP/server.fqdn.edu
   HTTP/server

How I created the keytab:

  • Hashes: rc4-hmac arcfour-hmac aes256-cts
  • SPN Name,KVNO: HTTP/server.fqdn.edu,3

I am sure the password is correct because I also do kinit -kt keytab user@fqdn.edu and it authenticates fine.

How I test:

curl --negotiate -u : http://server.fqdn.edu:8080/test

The error I keep getting is:

SPNEGO validation error: defective token detected: [Root cause: Decrypting_Error] Decrypting_Error: error decrypting encpart of service ticket provided: error decrypting Ticket EncPart: error decrypting: integrity verification failed

ktutil
  rkt keytab
  list -e

slot   KVNO   Principal
____   ____   ______________________________________
1       3       HTTP/server.fqdn.edu  (arcfour-hmac)    
2       3       serviceaccount@FQDN   (arcfour-hmac)                   
... (for other encryption keys also)

Not sure where else to look

@keith6014
Author

@jcmturner
any ideas on how I can troubleshoot this?

The odd thing is, I run my process on another server and it works.

@glacuesta-sa

I got that error recently, and it was due to expecting the encryption type to be RC4 while it is using AES256, or vice versa.
I'd suggest playing with encryption types at the domain controller, disabling or enabling these two.

@jcmturner
Owner

What is in the client's krb5.conf? It may be best to specify the enc type with default_tkt_enctypes
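
Added example (not part of the thread and not gokrb5 code): a service ticket can only be decrypted with a keytab key whose principal, KVNO and enctype match what the KDC used, so a first check for the enctype mismatch suggested above is to list exactly those three fields for every key in the keytab. The sketch below parses the MIT keytab file format (0x0502) with the Go standard library only; `ListKeys` and `sample` are names made up for this example, and the realm `FQDN.EDU` and the all-zero key are constructed.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// ListKeys returns "principal kvno=N etype=N" for every key in an MIT keytab (file format 0x0502).
func ListKeys(b []byte) (keys map[string]bool, err error) {
	defer func() { // slicing past the end of the file or of a record means it is malformed
		if recover() != nil {
			keys, err = nil, fmt.Errorf("not a well-formed 0x0502 keytab")
		}
	}()
	r := b // unread bytes of the header, then of the current record
	take := func(n int) (v []byte) { v, r = r[:n], r[n:]; return }
	u16 := func() int { return int(binary.BigEndian.Uint16(take(2))) }
	str := func() string { return string(take(u16())) } // 16-bit length, then that many bytes
	if keys = map[string]bool{}; u16() != 0x0502 {
		panic("unsupported version")
	}
	for b = b[2:]; len(b) >= 4 && binary.BigEndian.Uint32(b) != 0; { // length 0 ends the list
		size := int(int32(binary.BigEndian.Uint32(b)))
		if size < 0 { // negative length: deleted slot of -size bytes
			b = b[4-size:]
			continue
		}
		r, b = b[4:4+size], b[4+size:]
		n, realm, name := u16(), str(), ""
		for ; n > 0; n-- {
			name += str() + "/"
		}
		kvno, etype := uint32(take(9)[8]), u16() // name type (4), timestamp (4), 8-bit KVNO; enctype
		if str(); len(r) >= 4 && binary.BigEndian.Uint32(r) != 0 { // str() skips the key bytes
			kvno = binary.BigEndian.Uint32(r) // optional 32-bit KVNO overrides the 8-bit one
		}
		keys[fmt.Sprintf("%s@%s kvno=%d etype=%d", name[:len(name)-1], realm, kvno, etype)] = true
	}
	return keys, nil
}

// sample is constructed: one all-zero rc4-hmac key (enctype 23), KVNO 3, assumed realm FQDN.EDU.
var sample = []byte("\x05\x02\x00\x00\x00\x40\x00\x02\x00\x08FQDN.EDU\x00\x04HTTP\x00\x0fserver.fqdn.edu" +
	"\x00\x00\x00\x01\x00\x00\x00\x00\x03\x00\x17\x00\x10" + string(make([]byte, 16)))

func main() {
	keys, err := ListKeys(sample)
	fmt.Println(keys, err) // a ticket encrypted with enctype 18 (aes256-cts) finds no key here
}
```

Enctype numbers in the listing are 17 for aes128-cts, 18 for aes256-cts and 23 for rc4-hmac (arcfour-hmac); compare them and the KVNO with what the client holds for the SPN, for example in the output of `klist -e` with MIT Kerberos.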
