KRB_AP_ERR_BAD_INTEGRITY error when server tries to delegate in mixed Read-Only DC and Windows Server 2003 DC environment


In a scenario where you are trying to perform Kerberos delegation from a middle-tier server to a back-end server, in an environment where Read-Only Domain Controllers (RODCs) exist with Windows Server 2003 Domain Controllers, delegation may fail.

Consider the following scenario:

  1. You have deployed Windows Server 2008 or later Read-Only Domain Controllers (RODCs).
  2. You have Windows Server 2003 Domain Controllers in the same domain as your RODCs.
  3. You have configured Kerberos delegation from a middle-tier server to a back-end server.

In this scenario Kerberos delegation may fail with error KRB_AP_ERR_BAD_INTEGRITY.


In the above scenario, if the client receives a ticket for the middle-tier server from the RODC, the ticket will be protected with a krbtgt account that is specific to the branch the RODC is a member of. The branch specific krbtgt account was introduced in Windows Server 2008 for the use of RODCs. The client will provide that ticket to the middle-tier server for authentication. When the middle-tier server decides it needs to impersonate the client to access the back-end server, it will make a ticket request for the back-end server supplying the forwarded ticket the client provided. If the middle-tier server requests the ticket from a Windows Server 2003 Kerberos Key Distribution Center (KDC), the Windows Server 2003 KDC will fail to decrypt the ticket. This is because the Windows Server 2003 KDC tries to use the standard krbtgt account to decrypt the ticket though the ticket was protected using the branch specific krbtgt account. Since Windows Server 2003 has no knowledge of the use of the branch specific krbtgt account it will fail the request. 

Windows Server 2008 or later DCs support detecting which krbtgt account was used and will decrypt the ticket using the appropriate keys.


To resolve this issue, choose one of the following options:

  • Upgrade your Windows Server 2003 DCs to Windows Server 2008 or later
  • Configure the environment so that the servers who will be performing delegation will prefer Windows Server 2008 or later DCs when locating a KDC. This can be done through Active Directory site topology and costs, see Overview of Active Directory Sites and Services(

More Information

For more information about RODCs, see the Read-Only Domain Controller (RODC) Planning and Deployment Guide (