T
taniv
Hello Everyone,
in three Windows Server 2016 domain controlers, one domain, no trusts, enviroment, we are getting all tickets regarding krbtgt service encrypted RSADSI RC4-HMAC(NT) and all others AES-256-CTS-HMAC-SHA1-96. We'd like to go all AES256.
Any information about the isue will be appreciated.
klist run on DC1 (restored VM to test enviroment)
C:\Users\Administrator.MY-DOMAIN>klist
Current LogonId is 0:0x153e066
Cached Tickets: (4)
#0> Client: administrator @ MY-DOMAIN.ccTLD
Server: krbtgt/MY-DOMAIN.ccTLD @ MY-DOMAIN.ccTLD
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
Ticket Flags 0x60a10000 -> forwardable forwarded renewable pre_authent name_canonicalize
Start Time: 10/14/2019 10:31:48 (local)
End Time: 10/14/2019 20:31:05 (local)
Renew Time: 10/21/2019 10:31:05 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0x2 -> DELEGATION
Kdc Called: DC1
#1> Client: administrator @ MY-DOMAIN.ccTLD
Server: krbtgt/MY-DOMAIN.ccTLD @ MY-DOMAIN.ccTLD
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
Start Time: 10/14/2019 10:31:05 (local)
End Time: 10/14/2019 20:31:05 (local)
Renew Time: 10/21/2019 10:31:05 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0x1 -> PRIMARY
Kdc Called: DC1
#2> Client: administrator @ MY-DOMAIN.ccTLD
Server: HTTP/DC2.MY-DOMAIN.ccTLD @ MY-DOMAIN.ccTLD
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize
Start Time: 10/14/2019 10:31:48 (local)
End Time: 10/14/2019 20:31:05 (local)
Renew Time: 10/21/2019 10:31:05 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0
Kdc Called: DC1
#3> Client: administrator @ MY-DOMAIN.ccTLD
Server: HTTP/DC3.MY-DOMAIN.ccTLD @ MY-DOMAIN.ccTLD
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize
Start Time: 10/14/2019 10:31:48 (local)
End Time: 10/14/2019 20:31:05 (local)
Renew Time: 10/21/2019 10:31:05 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0
Kdc Called: DC1
registry changed:
Adding the below registry entry that indicates the default encryption type for pre-authentication didn't change the behaviour. (value indicates AES256 encryption)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters]
"DefaultEncryptionType"=dword:00000011
policy changed:
Changing Local Computer Policy, on the other hand, did. (the policy wasn't configured before) If I untick RC4_HMAC_MD5, no tickets are issued. (klist returns Cached Tickets: (0)) Including RC4_HMAC_MD5 back restores previous condition.
Network security: Configure encryption types allowed for Kerberos
RC4_HMAC_MD5
AES128_HMAC_SHA1
AES256_HMAC_SHA1
Future encryption types
Continue reading...
in three Windows Server 2016 domain controlers, one domain, no trusts, enviroment, we are getting all tickets regarding krbtgt service encrypted RSADSI RC4-HMAC(NT) and all others AES-256-CTS-HMAC-SHA1-96. We'd like to go all AES256.
Any information about the isue will be appreciated.
klist run on DC1 (restored VM to test enviroment)
C:\Users\Administrator.MY-DOMAIN>klist
Current LogonId is 0:0x153e066
Cached Tickets: (4)
#0> Client: administrator @ MY-DOMAIN.ccTLD
Server: krbtgt/MY-DOMAIN.ccTLD @ MY-DOMAIN.ccTLD
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
Ticket Flags 0x60a10000 -> forwardable forwarded renewable pre_authent name_canonicalize
Start Time: 10/14/2019 10:31:48 (local)
End Time: 10/14/2019 20:31:05 (local)
Renew Time: 10/21/2019 10:31:05 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0x2 -> DELEGATION
Kdc Called: DC1
#1> Client: administrator @ MY-DOMAIN.ccTLD
Server: krbtgt/MY-DOMAIN.ccTLD @ MY-DOMAIN.ccTLD
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
Start Time: 10/14/2019 10:31:05 (local)
End Time: 10/14/2019 20:31:05 (local)
Renew Time: 10/21/2019 10:31:05 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0x1 -> PRIMARY
Kdc Called: DC1
#2> Client: administrator @ MY-DOMAIN.ccTLD
Server: HTTP/DC2.MY-DOMAIN.ccTLD @ MY-DOMAIN.ccTLD
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize
Start Time: 10/14/2019 10:31:48 (local)
End Time: 10/14/2019 20:31:05 (local)
Renew Time: 10/21/2019 10:31:05 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0
Kdc Called: DC1
#3> Client: administrator @ MY-DOMAIN.ccTLD
Server: HTTP/DC3.MY-DOMAIN.ccTLD @ MY-DOMAIN.ccTLD
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize
Start Time: 10/14/2019 10:31:48 (local)
End Time: 10/14/2019 20:31:05 (local)
Renew Time: 10/21/2019 10:31:05 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0
Kdc Called: DC1
registry changed:
Adding the below registry entry that indicates the default encryption type for pre-authentication didn't change the behaviour. (value indicates AES256 encryption)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters]
"DefaultEncryptionType"=dword:00000011
policy changed:
Changing Local Computer Policy, on the other hand, did. (the policy wasn't configured before) If I untick RC4_HMAC_MD5, no tickets are issued. (klist returns Cached Tickets: (0)) Including RC4_HMAC_MD5 back restores previous condition.
Network security: Configure encryption types allowed for Kerberos
RC4_HMAC_MD5
AES128_HMAC_SHA1
AES256_HMAC_SHA1
Future encryption types
Continue reading...