When the AES128-SHA1 encryption type is selected in local security policy, Kerberos tickets are not created/displayed

    Question

  • Hi

    Configuration is as follows:

    1. Set up AD DC on windows server 2012 R2

    2. Created a domain user and checked the options "This account supports Kerberos AES 128 bit encryption" and "Do not require Kerberos pre-authentication".

    3. On the Windows Server 2012 R2 machine, in Local Policies -> Security Options -> "Network Security: configure encryption types allowed for Kerberos", only AES_128_HMAC_SHA1 is selected.

    4. On the Windows client machine [Windows 8.1], which is in the same domain, in Local Policies -> Security Options -> "Network Security: configure encryption types allowed for Kerberos", only AES_128_HMAC_SHA1 is selected.

    5. Created a keytab file on the Windows Server 2012 R2 machine by using the KTPASS command:

    ktpass -princ host/<host name>@<domain name> -mapuser <domain user name> -pass <password of domain user> -crypto AES128-SHA1 -ptype KRB5_NT_PRINCIPAL -out C:\KeyTab\Test4AES-128-U6.keytab

    KTPASS executed successfully.

    6. Logged in to the Windows client machine [Windows 8.1] with the same domain user used in the KTPASS command and tried to access the resource configured as the principal in the KTPASS command.

    7. On the Windows client machine, in Kerberos ticket manager, no tickets are displayed; neither TGTs nor service tickets appear, and the principal cannot be accessed either.

    8. When the Local Policies -> Security Options -> "Network Security: configure encryption types allowed for Kerberos" setting is changed so that AES_256_HMAC_SHA1, AES_128_HMAC_SHA1, RC4_HMAC_MD5, DES_CBC_CRC and DES_CBC_MD5 are all selected on the Windows Server and client machines, then Kerberos tickets are displayed in Kerberos ticket manager.

    9. Please suggest whether any additional setting needs to be performed so that Kerberos tickets can be created with only AES_128_HMAC_SHA1 selected in the local security policies, as we need to use only AES128-SHA1 to perform/test the Kerberos connection.

    Thank You


    • Edited by Programmer1982 Friday, February 17, 2017 7:20 AM Rephrased
    Wednesday, February 15, 2017 3:24 PM

All replies

  • Hi,

    Please check if the below article helps:

    Windows Configuration for Kerberos Supported Encryption Type

    https://blogs.msdn.microsoft.com/openspecification/2011/05/30/windows-configurations-for-kerberos-supported-encryption-type/

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, February 17, 2017 7:19 AM
    Moderator
  • Thank you very much for your response.

    I have followed the article mentioned in the above response, but the situation remains the same.

    The scenario is as follows:

    1. For the domain user, checked the options "This account supports Kerberos AES 128 bit encryption" and "Do not require Kerberos pre-authentication".

    2. On the Windows Server 2012 R2 machine, in Local Policies -> Security Options -> "Network Security: configure encryption types allowed for Kerberos", only AES_128_HMAC_SHA1 is selected.

    3. On the Windows client machine [Windows 8.1], which is in the same domain, in Local Policies -> Security Options -> "Network Security: configure encryption types allowed for Kerberos", only AES_128_HMAC_SHA1 is selected.

    4. Executed adsiedit.msc and, in the properties of the Windows client machine [Win 8.1], changed the attribute "msDS-SupportedEncryptionTypes" to 08 [AES_128_HMAC_SHA1].

    5. Restarted the Windows Server and Windows client machines.

    6. Created a keytab file on the Windows Server 2012 R2 machine by using the KTPASS command:

    ktpass -princ host/<host name>@<domain name> -mapuser <domain user name> -pass <password of domain user> -crypto AES128-SHA1 -ptype KRB5_NT_PRINCIPAL -out C:\KeyTab\Test4AES-128-U6.keytab

    KTPASS executed successfully.

    7. Logged in to the Windows client machine [Windows 8.1] with the same domain user used in the KTPASS command and tried to access the resource configured as the principal in the KTPASS command.

    8. On the Windows client machine, in Kerberos ticket manager, no tickets are displayed; neither TGTs nor service tickets appear, and the principal cannot be accessed either.

    9. As soon as both AES_256_HMAC_SHA1 and AES_128_HMAC_SHA1 are selected in Local Policies -> Security Options -> "Network Security: configure encryption types allowed for Kerberos" on the Windows Server and client machines, the check box "This account supports Kerberos AES 128 bit encryption" is checked in the user account properties, the value of the "msDS-SupportedEncryptionTypes" attribute is set to 24 [AES128-SHA1 + AES256-SHA1], and I log in on the Windows client machine, Kerberos tickets are displayed in Kerberos ticket manager.

    This means that when only the AES128-SHA1 encryption type is selected in local security policy, Kerberos tickets are not created/displayed.

    Thank You

    Friday, February 17, 2017 1:34 PM
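A small worked example, added here and not part of the thread, that decodes the msDS-SupportedEncryptionTypes bitmask values the post above mentions (8 and 24) and shows which encryption types remain usable once each party is restricted. The bit values are the documented Windows assignments; the "every party must allow the etype" rule is a simplifying assumption for illustration, not a full description of KDC negotiation.

```python
# Added example (not from the original thread): decode and compare the
# Kerberos encryption-type bitmask used by msDS-SupportedEncryptionTypes
# and by the "Network Security: configure encryption types allowed for
# Kerberos" policy. Names follow the policy UI; bits are the Windows values.
ETYPE_BITS = {
    "DES_CBC_CRC": 0x01,
    "DES_CBC_MD5": 0x02,
    "RC4_HMAC_MD5": 0x04,
    "AES_128_HMAC_SHA1": 0x08,
    "AES_256_HMAC_SHA1": 0x10,
}

WEAK_ETYPES = {"DES_CBC_CRC", "DES_CBC_MD5", "RC4_HMAC_MD5"}


def decode_etypes(mask):
    """Turn an msDS-SupportedEncryptionTypes value into a set of etype names."""
    return {name for name, bit in ETYPE_BITS.items() if mask & bit}


def encode_etypes(names):
    """Inverse of decode_etypes: set of etype names -> bitmask value."""
    mask = 0
    for name in names:
        mask |= ETYPE_BITS[name]
    return mask


def common_etypes(*masks):
    """Simplified model (assumption): an etype is usable only if every
    party in the exchange (client policy, account, service, KDC) allows it."""
    allowed = set(ETYPE_BITS)
    for mask in masks:
        allowed &= decode_etypes(mask)
    return allowed


def aes_only(mask):
    """True when the mask allows no DES/RC4, i.e. only AES etypes remain."""
    return not (decode_etypes(mask) & WEAK_ETYPES)


if __name__ == "__main__":
    # Attribute values from the thread: 8 (AES128 only) and 24 (both AES).
    print(sorted(decode_etypes(8)))    # ['AES_128_HMAC_SHA1']
    print(sorted(decode_etypes(24)))   # ['AES_128_HMAC_SHA1', 'AES_256_HMAC_SHA1']
    # Client policy AES128 only, account 8, service 24 -> AES128 in common.
    print(common_etypes(8, 8, 24))     # {'AES_128_HMAC_SHA1'}
    # If any party allows only AES256 (0x10), nothing is in common.
    print(common_etypes(8, 0x10, 24))  # set()
```

Running it with your own values (client policy mask, each account's attribute, and the service's attribute) shows immediately whether an empty intersection, rather than the policy itself, is what leaves no ticket to issue.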
  • Hi,

    I am sorry that this issue still hasn't been resolved.

    If there is no progress, I would suggest you contact Microsoft Customer Services and Support to get an efficient solution:

    http://support.microsoft.com/contactus/?ln=en-au

    Have a nice day.

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, February 21, 2017 6:35 AM
    Moderator
  • Thanks for your response.

    The Microsoft support person available at the link http://support.microsoft.com/contactus/?ln=en-au is not able to help.

    Thank You

    Friday, February 24, 2017 2:57 PM