While configuring the encryption type using the ktpass and kinit commands, the cached ticket for the corresponding encryption type is not displayed

    Question

  • To test single sign-on using various encryption methods, we have created various keytab files using the ktpass command.
    The ktpass command is executed for the same user [Test1] and different encryption types [RC4-HMAC, AES128-CTS], and multiple keytab files are created.
    The command below is executed from an administrator command prompt:
    C:\Users\Administrator>ktpass -princ host/<hostname>@<active directory domain> -mapuser <domain name>\TestU1 -pass * -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -out C:\KeyTab\TestHMAC.keytab
    By using the ktpass command with the various encryption types [RC4-HMAC, AES128-CTS], multiple keytab files were created.
    On the Windows Server 2012 R2 machine [where the AD DC is configured], a krb5.ini (*1) file is created at location C:\winnt, and the kinit command is executed from the administrator command prompt.
    After executing the kinit command, the message below is displayed:
    "New ticket is stored in cache file C:\Users\Administrator\krb5cc_Administrator"
    After that, we log in to the Windows client (a Windows 8.1 machine) with the domain user TestU1 in the same domain for which the AD DC is configured.
    On the Windows client machine, while executing the klist command from the user's command prompt, 3 cached tickets with encryption type AES256-SHA1
    [KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96] are displayed, and no ticket with encryption type RC4-HMAC-NT is displayed.
    Also, while executing the klist command on the Windows Server 2012 R2 machine, one ticket is displayed and it is also of KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96.
    Please suggest how to remove the AES-256-CTS-HMAC-SHA1-96 ticket and use RC4-HMAC-NT tickets instead.

    (*1) The krb5.ini file used in the klist command is as follows:
    [libdefaults]
        default_realm = <domain name>
        dns_lookup_kdc = true
        dns_lookup_realm = true
        default_keytab_name = FILE:C:\KeyTab\TestHMAC.keytab
        default_tkt_enctypes = rc4-hmac
        default_tgs_enctypes = rc4-hmac
    [realms]
        FTS.HCL.COM = {
            kdc = <windows server 2012 R2 machine name>.<domain name>
            default_domain = <domain name>
        }

    Thank You

    Friday, January 20, 2017 2:00 PM

All replies

  • Windows 7, and Windows 2008 R2 and above, use encryption type AES-256-CTS-HMAC-SHA1-96 by default. That's the current de facto standard today. By and large, only Windows-based systems will understand RC4-HMAC-NT, so I would not suggest any further focus on that. Though, since you asked the question, and as an exercise, if you are dead set on using RC4-HMAC-NT, go to the AD account which is linked to the SPN host/<hostname>@<active directory domain>, and un-check the box "This account supports Kerberos AES 256 bit encryption". Purge the Kerberos client cache before you do this with the klist -purge command, so that the new ticket will come in showing the RC4-HMAC-NT encryption type.

    Side note: To find the AD account linked to the SPN host/<hostname>@<active directory domain>, run the command setspn -Q host/<hostname>@<active directory domain>, and the account will be revealed in the output. If DNS is set up correctly, the shorter command setspn -Q host/<hostname> will also reveal the AD account linked to the SPN. In your case, I think the AD account name is TestU1.

    Best Regards, Todd Heron | Active Directory Consultant

    • Proposed as answer by netbel Monday, January 23, 2017 9:40 PM
    Friday, January 20, 2017 3:04 PM
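The reply above turns on two things that are easy to misread by eye: the account-tab checkboxes, which are bits of the AD attribute msDS-SupportedEncryptionTypes, and the "KerbTicket Encryption Type" lines that klist prints on the client. The following Python is an added example, not code from the thread or from Microsoft, that decodes that bitmask into the checkbox names and tallies a pasted klist listing by encryption type, flagging RC4 and DES tickets so an administrator can verify what the KDC actually issued after a change. The klist output it parses is constructed sample text in the Windows klist format (realm EXAMPLE.COM, hostnames and logon id are made up); in practice the attribute value would come from `Get-ADUser <account> -Properties msDS-SupportedEncryptionTypes` and the listing from `klist` on the client.

```python
import re
from collections import Counter

# Bit flags of msDS-SupportedEncryptionTypes. The "This account supports Kerberos
# AES 128/256 bit encryption" checkboxes set 0x08 / 0x10; "Use Kerberos DES
# encryption types for this account" sets 0x01 | 0x02. There is no checkbox for
# RC4 (0x04); 0 or an absent attribute means no explicit preference, and the
# domain controller's own default then decides which types are offered.
ENCTYPE_FLAGS = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
}


def decode_supported_enctypes(value):
    """Return the encryption type names enabled by an msDS-SupportedEncryptionTypes value."""
    if not value:
        return []
    names = [name for bit, name in ENCTYPE_FLAGS.items() if value & bit]
    unknown = value & ~sum(ENCTYPE_FLAGS)
    if unknown:
        # Newer Windows builds define extra bits; report rather than silently drop them.
        names.append("unknown(0x%x)" % unknown)
    return names


# Windows klist prints one block per ticket, each starting with "#<n>>".
TICKET_HEADER_RE = re.compile(r"^#\d+>", re.M)


def parse_klist(klist_output):
    """Return [(server, enctype), ...] for every ticket in Windows klist output."""
    tickets = []
    for block in TICKET_HEADER_RE.split(klist_output)[1:]:
        server = re.search(r"Server:\s*(.+)", block)
        enctype = re.search(r"KerbTicket Encryption Type:\s*(.+)", block)
        if server and enctype:
            tickets.append((server.group(1).strip(), enctype.group(1).strip()))
    return tickets


def tally_klist_enctypes(klist_output):
    """Count cached tickets per encryption type, as a plain dict."""
    return dict(Counter(enctype for _, enctype in parse_klist(klist_output)))


def legacy_tickets(klist_output):
    """Tickets issued with RC4 or DES, the types a hardening review would want to see disappear."""
    legacy = re.compile(r"RC4|\bDES\b", re.I)
    return [(srv, enc) for srv, enc in parse_klist(klist_output) if legacy.search(enc)]


# Constructed sample in the format Windows klist uses; not real output from the thread.
SAMPLE_KLIST = """\
Current LogonId is 0:0x3e7b2

Cached Tickets: (3)

#0>     Client: TestU1 @ EXAMPLE.COM
        Server: krbtgt/EXAMPLE.COM @ EXAMPLE.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize

#1>     Client: TestU1 @ EXAMPLE.COM
        Server: host/dc01.example.com @ EXAMPLE.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96

#2>     Client: TestU1 @ EXAMPLE.COM
        Server: cifs/fileserver.example.com @ EXAMPLE.COM
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
"""

if __name__ == "__main__":
    # 0x1c is what the two AES checkboxes plus RC4 would look like on the attribute.
    print("account enctypes:", decode_supported_enctypes(0x1C))
    print("tickets per enctype:", tally_klist_enctypes(SAMPLE_KLIST))
    for server, enctype in legacy_tickets(SAMPLE_KLIST):
        print("legacy ticket:", server, "->", enctype)
```

Note that klist labels RC4 tickets as "RSADSI RC4-HMAC(NT)", not "RC4-HMAC-NT" as ktpass spells it, so the parser keeps the whole rest of the line rather than the first word.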
  • Thank you for your response.

    The "This account supports Kerberos AES 256 bit encryption" check box for the associated user is already not set.

    The klist purge command was executed and we logged in to the client machine again with the AD DC domain user, but still the 3 cached tickets with encryption type AES256-SHA1 [KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96] are displayed and no ticket with encryption type RC4-HMAC-NT is displayed.

    Thank you

    Tuesday, January 24, 2017 7:31 AM
  • Please un-check all three of the encryption boxes in that area, reboot the client machine, and try again.

    Best Regards, Todd Heron | Active Directory Consultant

    Tuesday, January 24, 2017 11:38 AM
  • Thanks for your response.

    >>Please un-check all three of the encryption boxes in that area, reboot the client machine, and try again.

    All three of the encryption boxes are unchecked for the corresponding domain user, the client machine was rebooted and we logged in again, but the cached tickets with encryption type AES256-SHA1 [KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96] are displayed and no ticket with encryption type RC4-HMAC-NT is displayed.

    Thank You

    Thursday, February 16, 2017 6:47 AM