While using the encryption types RC4-HMAC-NT, AES128-SHA1 and AES256-SHA1, the Kerberos connection is failing

    Question

  • Hi,

    After configuring the DES-CBC-CRC and DES-CBC-MD5 encryption types, the connection from the client machine to the principal succeeds,
    but when using any of the encryption types RC4-HMAC-NT, AES128-SHA1 or AES256-SHA1, the connection to the principal fails because the principal is not able to decrypt the ticket.

    To perform the Kerberos connection test, the configuration is done as follows:

    1. Set up an AD DC on Windows Server 2012 R2.

    2. Created a domain user and checked the corresponding option (in the case of AES128-SHA1, "This account supports Kerberos AES 128 bit encryption") and "Do not require Kerberos preauthentication".

    3. On the Windows Server 2012 R2, in Local Policies -> Security Options -> "Network security: Configure encryption types allowed for Kerberos", AES_128_HMAC_SHA1 and AES_256_HMAC_SHA1 are selected.
    4. On Windows Server 2012 R2, using ADSIEDIT.msc, the value of msDS-SupportedEncryptionTypes is set to 28.
    5. On the Windows client machine [Windows 8.1], which is in the same domain, in Local Policies -> Security Options -> "Network security: Configure encryption types allowed for Kerberos", AES_128_HMAC_SHA1 and AES_256_HMAC_SHA1 are selected.
    6. Created the keytab file on Windows Server 2012 R2 using the KTPASS command [the corresponding encryption type is used with the -crypto option]:
       ktpass -princ host/<host name>@domain name -mapuser <domain user name> -pass <passwd of domain user> -crypto AES128-SHA1 -ptype KRB5_NT_PRINCIPAL -out C:\KeyTab\Test4AES-128-U6.keytab
       KTPASS executed successfully.
    7. Logged in to the Windows machine [Windows 8.1] with the same domain user as used in the KTPASS command and tried to access the resource configured as the principal in the KTPASS command.
    Please suggest any other settings required to perform the Kerberos connection using the RC4-HMAC-NT, AES128-SHA1 or AES256-SHA1 encryption types.
    Thank You

    Thursday, March 2, 2017 1:35 PM
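As an added example, not part of the original post or of Microsoft's tooling: "the principal is not able to decrypt the ticket" is the symptom you get when the service's keytab holds no key for the encryption type (and key version number) the KDC used to encrypt the service ticket, and the KDC picks that encryption type from what the service account advertises in msDS-SupportedEncryptionTypes (the "This account supports Kerberos AES 128 bit encryption" checkbox in step 2 sets bit 0x8 of that same attribute; the ADSI edit in step 4 sets 28 = 0x4 RC4 + 0x8 AES128 + 0x10 AES256). So the first check is what the ktpass output file actually contains and whether it agrees with the account. The Python script below parses the MIT-format keytab that ktpass writes (version bytes 05 02), decodes the msDS-SupportedEncryptionTypes bitmask, and reports keytab entries whose encryption type the account does not advertise or whose key has the wrong length for its type. The keytab it inspects is constructed in memory for the hypothetical principal host/svc01.example.com@EXAMPLE.COM; to run it against a real file, pass the bytes of your own .keytab to parse_keytab.

```python
"""Check a ktpass-produced keytab against the account's msDS-SupportedEncryptionTypes.

Added example, not from the thread. Assumes the MIT keytab file layout
(version 0x0502) that ktpass writes. The sample keytab is constructed here.
"""
import struct
from dataclasses import dataclass
from typing import List, Tuple

# Kerberos enctype numbers (RFC 3961 / 3962 / 4757) and their raw key sizes.
ENCTYPE_NAMES = {1: "DES-CBC-CRC", 3: "DES-CBC-MD5", 17: "AES128-CTS-HMAC-SHA1-96",
                 18: "AES256-CTS-HMAC-SHA1-96", 23: "RC4-HMAC"}
KEY_LENGTHS = {1: 8, 3: 8, 17: 16, 18: 32, 23: 16}

# msDS-SupportedEncryptionTypes bit -> enctype number. 28 == 0x4 | 0x8 | 0x10.
MSDS_FLAG_TO_ENCTYPE = {0x1: 1, 0x2: 3, 0x4: 23, 0x8: 17, 0x10: 18}


def decode_msds_supported_enctypes(value: int) -> List[int]:
    """Enctype numbers an account advertises through msDS-SupportedEncryptionTypes."""
    return [etype for bit, etype in MSDS_FLAG_TO_ENCTYPE.items() if value & bit]


@dataclass
class KeytabEntry:
    principal: str   # e.g. host/svc01.example.com@EXAMPLE.COM
    kvno: int
    enctype: int
    key: bytes


def _read_counted(data: bytes, pos: int) -> Tuple[bytes, int]:
    """Read a uint16 length-prefixed octet string; return (bytes, new position)."""
    (n,) = struct.unpack(">H", data[pos:pos + 2])
    return data[pos + 2:pos + 2 + n], pos + 2 + n


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Parse every live entry of a version 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format 0x0502 is handled")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size == 0:
            break
        if size < 0:                      # negative size marks a deleted slot: skip it
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", data[pos:pos + 2])
        pos += 2
        realm, pos = _read_counted(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_counted(data, pos)
            comps.append(c.decode())
        _name_type, _timestamp, vno8 = struct.unpack(">IIB", data[pos:pos + 9])
        pos += 9
        enctype, klen = struct.unpack(">HH", data[pos:pos + 4])
        pos += 4
        key = data[pos:pos + klen]
        pos += klen
        kvno = vno8
        if end - pos >= 4:                # optional 32-bit kvno wins when it is non-zero
            (vno32,) = struct.unpack(">I", data[pos:pos + 4])
            if vno32:
                kvno = vno32
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(), kvno, enctype, key))
    return entries


def check_keytab(entries: List[KeytabEntry], msds_value: int) -> List[str]:
    """Entries the KDC will never issue a ticket for, or whose key is malformed."""
    advertised = set(decode_msds_supported_enctypes(msds_value))
    problems = []
    for e in entries:
        name = ENCTYPE_NAMES.get(e.enctype, f"etype {e.enctype}")
        if e.enctype not in advertised:
            problems.append(f"{e.principal} kvno {e.kvno}: {name} is not in "
                            f"msDS-SupportedEncryptionTypes={msds_value}")
        elif len(e.key) != KEY_LENGTHS.get(e.enctype, len(e.key)):
            problems.append(f"{e.principal} kvno {e.kvno}: {name} key is {len(e.key)} bytes")
    return problems


def build_keytab(entries: List[KeytabEntry]) -> bytes:
    """Serialize entries in the 0x0502 layout (used only to construct the sample)."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        names, realm = e.principal.rsplit("@", 1)
        comps = names.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        for s in [realm] + comps:
            b = s.encode()
            body += struct.pack(">H", len(b)) + b
        body += struct.pack(">IIB", 1, 0, e.kvno & 0xFF)   # name_type 1 = KRB5_NT_PRINCIPAL
        body += struct.pack(">HH", e.enctype, len(e.key)) + e.key
        body += struct.pack(">I", e.kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


# Constructed sample: an AES128 entry plus an RC4 entry, both kvno 3 (hypothetical principal).
SAMPLE_KEYTAB = build_keytab([
    KeytabEntry("host/svc01.example.com@EXAMPLE.COM", 3, 17, b"\x11" * 16),
    KeytabEntry("host/svc01.example.com@EXAMPLE.COM", 3, 23, b"\x23" * 16),
])

if __name__ == "__main__":
    found = parse_keytab(SAMPLE_KEYTAB)
    for e in found:
        print(e.principal, "kvno", e.kvno, ENCTYPE_NAMES.get(e.enctype, e.enctype))
    print(check_keytab(found, 28))   # account advertises RC4+AES128+AES256: nothing to report
    print(check_keytab(found, 24))   # AES-only account: the RC4 entry is reported
```

Two further caveats on the procedure above. Running ktpass with -pass sets the mapped account's password, which increments its key version number (msDS-KeyVersionNumber), so a keytab written by an earlier run (for example the DES one) stops matching as soon as a later run produces a new file; compare the kvno the parser reports with the attribute on the account. And "Do not require Kerberos preauthentication" plays no part in ticket decryption: it only lets any client obtain an AS-REP for that account that can be attacked offline, so it should be unchecked again once the test is done. On the Windows client, klist shows the "KerbTicket Encryption Type" of the service ticket that was actually issued, and that is the enctype and kvno the keytab entry has to match.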

All replies

  • Hi,

    I noticed that you have posted several similar threads in our forum and sorry for the limited help on this case. I will do more research about this scenario and keep you posted if there is any useful information.

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, March 3, 2017 9:25 AM
    Moderator