Kerberos Encryption differs for krbtgt and everything else

taniv

Hello Everyone,

In an environment with three Windows Server 2016 domain controllers, one domain and no trusts, we are getting all tickets for the krbtgt service encrypted with RSADSI RC4-HMAC(NT) and all others with AES-256-CTS-HMAC-SHA1-96. We'd like to go all AES256.

Any information about the issue will be appreciated.


klist run on DC1 (restored VM in a test environment):

C:\Users\Administrator.MY-DOMAIN>klist

Current LogonId is 0:0x153e066

Cached Tickets: (4)

#0> Client: administrator @ MY-DOMAIN.ccTLD
Server: krbtgt/MY-DOMAIN.ccTLD @ MY-DOMAIN.ccTLD
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
Ticket Flags 0x60a10000 -> forwardable forwarded renewable pre_authent name_canonicalize
Start Time: 10/14/2019 10:31:48 (local)
End Time: 10/14/2019 20:31:05 (local)
Renew Time: 10/21/2019 10:31:05 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0x2 -> DELEGATION
Kdc Called: DC1

#1> Client: administrator @ MY-DOMAIN.ccTLD
Server: krbtgt/MY-DOMAIN.ccTLD @ MY-DOMAIN.ccTLD
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
Start Time: 10/14/2019 10:31:05 (local)
End Time: 10/14/2019 20:31:05 (local)
Renew Time: 10/21/2019 10:31:05 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0x1 -> PRIMARY
Kdc Called: DC1

#2> Client: administrator @ MY-DOMAIN.ccTLD
Server: HTTP/DC2.MY-DOMAIN.ccTLD @ MY-DOMAIN.ccTLD
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize
Start Time: 10/14/2019 10:31:48 (local)
End Time: 10/14/2019 20:31:05 (local)
Renew Time: 10/21/2019 10:31:05 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0
Kdc Called: DC1

#3> Client: administrator @ MY-DOMAIN.ccTLD
Server: HTTP/DC3.MY-DOMAIN.ccTLD @ MY-DOMAIN.ccTLD
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize
Start Time: 10/14/2019 10:31:48 (local)
End Time: 10/14/2019 20:31:05 (local)
Renew Time: 10/21/2019 10:31:05 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0
Kdc Called: DC1

registry changed:

Adding the registry entry below, which indicates the default encryption type for pre-authentication, didn't change the behaviour (the value indicates AES256 encryption).

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters]
"DefaultEncryptionType"=dword:00000011

policy changed:

Changing Local Computer Policy, on the other hand, did (the policy wasn't configured before). If I untick RC4_HMAC_MD5, no tickets are issued (klist returns Cached Tickets: (0)). Ticking RC4_HMAC_MD5 again restores the previous condition.

Network security: Configure encryption types allowed for Kerberos
RC4_HMAC_MD5
AES128_HMAC_SHA1
AES256_HMAC_SHA1
Future encryption types
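Added example, not part of the original post and not a Microsoft tool: a small Python script that parses klist output like the one above, separates the KerbTicket Encryption Type from the Session Key Type, flags tickets whose ticket key is still RC4 or DES, and decodes the numeric values behind the DefaultEncryptionType dword and the policy checkboxes. The etype numbers are the RFC 3961/3962 assignments (17 = AES128-CTS-HMAC-SHA1-96, 18 = AES256-CTS-HMAC-SHA1-96, 23 = RC4-HMAC) and the policy bits are those of the SupportedEncryptionTypes mask (0x4 RC4_HMAC_MD5, 0x8 AES128_HMAC_SHA1, 0x10 AES256_HMAC_SHA1, 0x7FFFFFE0 Future encryption types). The embedded klist text is constructed to mirror the post's output, with placeholder names.

```python
"""Added example (not from the original post): parse Windows `klist` output,
flag tickets whose *ticket* encryption is RC4 or DES, and decode the numeric
Kerberos etype values used by the registry and policy settings. Stdlib only."""
import re

# Single etype numbers (RFC 3961/3962), as used by the DefaultEncryptionType dword.
ETYPE_NAMES = {
    1: "DES-CBC-CRC",
    3: "DES-CBC-MD5",
    17: "AES128-CTS-HMAC-SHA1-96",
    18: "AES256-CTS-HMAC-SHA1-96",
    23: "RC4-HMAC",
}

# Bit flags of the SupportedEncryptionTypes mask written by the policy
# "Network security: Configure encryption types allowed for Kerberos".
SUPPORTED_BITS = [
    (0x1, "DES_CBC_CRC"),
    (0x2, "DES_CBC_MD5"),
    (0x4, "RC4_HMAC_MD5"),
    (0x8, "AES128_HMAC_SHA1"),
    (0x10, "AES256_HMAC_SHA1"),
    (0x7FFFFFE0, "Future encryption types"),
]

# Constructed klist output, shortened from the post's (names are placeholders).
SAMPLE_KLIST = """\
Current LogonId is 0:0x153e066

Cached Tickets: (2)

#0>     Client: administrator @ MY-DOMAIN.ccTLD
        Server: krbtgt/MY-DOMAIN.ccTLD @ MY-DOMAIN.ccTLD
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 10/14/2019 10:31:05 (local)
        End Time:   10/14/2019 20:31:05 (local)
        Renew Time: 10/21/2019 10:31:05 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called: DC1

#1>     Client: administrator @ MY-DOMAIN.ccTLD
        Server: HTTP/DC2.MY-DOMAIN.ccTLD @ MY-DOMAIN.ccTLD
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize
        Start Time: 10/14/2019 10:31:48 (local)
        End Time:   10/14/2019 20:31:05 (local)
        Renew Time: 10/21/2019 10:31:05 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0
        Kdc Called: DC1
"""

TICKET_START = re.compile(r"^#\d+>", re.MULTILINE)
FIELD = re.compile(
    r"^\s*(Client|Server|KerbTicket Encryption Type|Session Key Type|Kdc Called):\s*(.*?)\s*$",
    re.MULTILINE,
)


def parse_klist(text):
    """Split klist output into one dict per cached ticket."""
    starts = [m.start() for m in TICKET_START.finditer(text)]
    tickets = []
    for i, start in enumerate(starts):
        end = starts[i + 1] if i + 1 < len(starts) else len(text)
        fields = dict(FIELD.findall(text[start:end]))
        tickets.append({
            "client": fields.get("Client", ""),
            "server": fields.get("Server", ""),
            "ticket_etype": fields.get("KerbTicket Encryption Type", ""),
            "session_etype": fields.get("Session Key Type", ""),
        })
    return tickets


def weak_tickets(tickets):
    """(server, ticket etype) for tickets whose ticket key is RC4 or DES.
    The ticket etype comes from the keys the KDC holds for the account that
    owns the target SPN, so a weak TGT points at the krbtgt account's keys."""
    return [(t["server"], t["ticket_etype"]) for t in tickets
            if re.search(r"RC4|DES", t["ticket_etype"])]


def etype_name(value):
    """Name of a single etype number such as the DefaultEncryptionType dword."""
    return ETYPE_NAMES.get(value, f"unknown etype {value}")


def decode_supported(mask):
    """Names of the etypes enabled in a SupportedEncryptionTypes bitmask."""
    return [name for bit, name in SUPPORTED_BITS if mask & bit]


def supported_mask(names):
    """Inverse of decode_supported: build the bitmask from policy checkbox names."""
    return sum(bit for bit, name in SUPPORTED_BITS if name in names)


if __name__ == "__main__":
    for server, etype in weak_tickets(parse_klist(SAMPLE_KLIST)):
        print(f"weak ticket key for {server}: {etype}")
    print("DefaultEncryptionType 0x11 =", etype_name(0x11))
    policy = supported_mask({"RC4_HMAC_MD5", "AES128_HMAC_SHA1",
                             "AES256_HMAC_SHA1", "Future encryption types"})
    print(f"policy mask 0x{policy:X} ->", decode_supported(policy))
```

Pipe real output in with `klist > tickets.txt` and call `parse_klist` on the file contents. Because the KerbTicket Encryption Type is chosen from the keys the KDC holds for the account owning the target SPN, a TGT that stays RC4 while service tickets are already AES points at the keys stored for the krbtgt account rather than at client-side registry or policy settings, which only govern what the client offers and accepts.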
