Kerberos conversion failures usually come from the wrong format, wrong SPN, stale lifetime, DNS/KDC mismatch, clock skew, or a bad KRB5CCNAME path. We troubleshoot the ticket before changing the attack path.
Verify a Linux cache:
export KRB5CCNAME=FILE:$(pwd)/ticket.ccache
klist -e
Destroy the current Linux cache:
kdestroy
unset KRB5CCNAME
Purge Windows tickets:
klist purge
.\Rubeus.exe purge
Remove ticket files:
rm -f *.ccache *.kirbi *.b64
Common failures:
KDC_ERR_S_PRINCIPAL_UNKNOWN -> wrong SPN or wrong hostname
KRB_AP_ERR_TKT_EXPIRED -> ticket expired
KRB_AP_ERR_SKEW -> clock skew
KRB_AP_ERR_MODIFIED -> service cannot decrypt ticket; wrong service key or SPN
No credentials cache found -> KRB5CCNAME points to nothing
Server not found in Kerberos database -> DNS or SPN mismatch
Fix clock skew:
sudo ntpdate -u dc01.ootw.local
Use absolute cache paths:
export KRB5CCNAME=FILE:/home/kali/tickets/student.ccache
klist
Check the ticket service before using it:
klist -e
Check Kerberos DNS:
nslookup -type=SRV _kerberos._tcp.ootw.local
nslookup -type=SRV _ldap._tcp.dc._msdcs.ootw.local
Keep tickets short-lived in lab notes and remove them when finished. Treat .kirbi, .ccache, .keytab, .pfx, and base64 ticket blobs as credentials.