Not able to set the encryption type for Ticket granting ticket of kerberos ticket

    Question

  • Hi

    I have done the configuration as follows:

    1. Set up AD DC on windows server 2012 R2

    2. Created a domain user and did not check the options "This account supports Kerberos AES 128 bit encryption", "This account supports Kerberos AES 256 bit encryption" and "Use Kerberos DES encryption types for this account" for this domain user; "Do not require Kerberos preauthentication" is checked.

    3. Created keytab file on windows 2012 Server R2 by using the KTPASS command

    ktpass -princ host/<host name>@domain name -mapuser <domain user name> -pass <passwd of domain user> -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -out C:\KeyTab\TestHMAC4-U6.keytab

    and KTPASS executed successfully.

    4. Logged in to the Windows machine [Windows 8.1] with the domain user used in the KTPASS command and accessed the resource, but while accessing the resource authentication failed.

    5. The following tickets are displayed in the Kerberos ticket manager on the Windows client machine:

    Principal                               Valid Until        Encryption type
    krbtgt/domain name@domain name          <validity time>    session key: aes256-cts-hmac-sha1-96
    host/hostname@domain name               <validity time>    session key: arcfour-hmac
    ldap/kdc name@domain name               <validity time>    session key: aes256-cts-hmac-sha1-96
    LDAP/KDC NAME/domain name@domain name   <validity time>    session key: aes256-cts-hmac-sha1-96

    As RC4-HMAC-NT is used in the ktpass command, why is the encryption type aes256-cts-hmac-sha1-96 displayed for the TGT and various other tickets?

    Please suggest how to use the encryption type RC4-HMAC-NT for the TGT and the other tickets shown above.

    Thank You

    Friday, February 10, 2017 12:56 PM

All replies

  • Hi Programmer1982, this is a re-post of the same answer I gave to this question on SO over here: Not able to set the encryption type for Ticket granting ticket of kerberos ticket.  Posting it here in case you don't see it over there.

    While I don't have first-hand knowledge of the BS2000, I can still answer your questions (you have two here). 

    For the 1st question, "As RC4-HMAC-NT is used in Ktpass command then why encryption type aes256-cts-hmac-sha1-96 is displayed for tgt tickets and various other tickets." The answer is Windows 2012 R2 Active Directory uses aes256-cts-hmac-sha1-96 by default for ALL Kerberos tickets. RC4-HMAC-NT as a Windows default encryption type was last seen back in the Windows 2003/2000 Active Directory days. Today, and only under certain circumstances, is it still tried as a fallback mechanism, which is what happened in this case, because neither the AES nor the DES options were checked on the AD account and all you had was RC4 support inside the keytab itself. One has to work really hard on a Windows 2012 R2 AD network in order to use only the RC4-HMAC-NT encryption type and you would use Group Policy to accomplish that (good topic for another question).

    For your 2nd question, "Please suggest how to use encryption type RC4-HMAC-NT for tgt tickets and other tickets as shown above." On this, the answer is you don't (reference my first statement). You can however, specify RC4-HMAC-NT as the encryption type inside the keytab, as you've done. But if nothing else in the network supports that, then Kerberos authentication will fail, so I would suggest you use AES 256. I did some research on the BS2000, and as a mainframe computer operating system, it seems unlikely that it would support RC4-HMAC-NT. I'd go with the more industry-standard AES 256 encryption version with that.

    If I were you, I would re-create your keytab like the below example (delete the SPN from the AD account linked to the keytab first), and also in the AD account properties check the option "This account supports Kerberos AES 256 bit encryption". During the keytab creation, remove the "@" symbol after the "/" near the beginning of your syntax, nothing will work with that in there like that.

    ktpass -princ host/fully.qualified.domainname -mapuser -pass -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -out C:\KeyTab\TestHMAC4-U6.keytab

    Best Regards, Todd Heron | Active Directory Consultant

    • Edited by Todd Heron Sunday, February 12, 2017 7:10 AM
    • Proposed as answer by Todd Heron Saturday, March 4, 2017 2:11 PM
    Sunday, February 12, 2017 7:06 AM
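    The point Todd makes (the keytab's key type and the types the mapped AD account advertises have to agree; the TGT's aes256 session key is negotiated between the client and the KDC and never has to match the keytab) can be checked offline. The Python below is an added example, not code from this thread or from Microsoft: it parses the MIT-format keytab that ktpass writes, names each key's encryption type, and compares it with the account's msDS-SupportedEncryptionTypes value (the "This account supports Kerberos AES 128/256 bit encryption" checkboxes set bits 0x8 and 0x10). The principal host/bs2000.example.com@EXAMPLE.COM and the key bytes are constructed for the demonstration.

```python
import struct
# Kerberos etype numbers; ktpass -crypto RC4-HMAC-NT writes 23, AES256-SHA1 writes 18
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
               18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
# msDS-SupportedEncryptionTypes bit -> etype; the account checkboxes "This account
# supports Kerberos AES 128/256 bit encryption" set 0x8 / 0x10
SUPPORTED_BITS = {0x1: 1, 0x2: 3, 0x4: 23, 0x8: 17, 0x10: 18}

def _cstr(data, pos):
    """Read a 16-bit-length-prefixed keytab string; return (str, new pos)."""
    n, = struct.unpack(">H", data[pos:pos + 2])
    return data[pos + 2:pos + 2 + n].decode(), pos + 2 + n

def parse_keytab(data):
    """Parse an MIT v2 (0x0502) keytab, the format ktpass writes -> [(principal, kvno, etype)]."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        size, = struct.unpack(">i", data[pos:pos + 4]); pos += 4
        if size < 0:                       # negative size marks a deleted slot
            pos -= size; continue
        end = pos + size
        ncomp, = struct.unpack(">H", data[pos:pos + 2]); pos += 2
        realm, pos = _cstr(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _cstr(data, pos); comps.append(c)
        pos += 8                           # skip name_type (4) + timestamp (4)
        vno8 = data[pos]; pos += 1
        etype, klen = struct.unpack(">HH", data[pos:pos + 4]); pos += 4 + klen
        kvno = struct.unpack(">I", data[pos:pos + 4])[0] if end - pos >= 4 else vno8
        entries.append(("/".join(comps) + "@" + realm, kvno, etype))
        pos = end
    return entries

def keytab_matches_account(data, supported_etypes):
    """Per keytab key: (principal, etype name, advertised by the account?).
    supported_etypes is msDS-SupportedEncryptionTypes; 0 / not set is treated as
    RC4-only, which is what the KDC assumes for accounts without the attribute."""
    allowed = {e for bit, e in SUPPORTED_BITS.items() if supported_etypes & bit} or {23}
    return [(p, ETYPE_NAMES.get(e, str(e)), e in allowed) for p, _, e in parse_keytab(data)]

def make_keytab(principal, etype, key):
    """Constructed sample input: a one-entry v2 keytab like the file ktpass -out writes."""
    name, realm = principal.split("@"); comps = name.split("/")
    body = struct.pack(">H", len(comps)) + b"".join(
        struct.pack(">H", len(s)) + s.encode() for s in [realm] + comps)
    body += struct.pack(">IIBHH", 1, 0, 3, etype, len(key)) + key + struct.pack(">I", 3)
    return b"\x05\x02" + struct.pack(">i", len(body)) + body
```

    Run keytab_matches_account on the real keytab bytes with the account's attribute value read from AD; a False in the third field is the RC4-keytab-versus-AES-only-account mismatch this thread describes.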
  • Hi,

    I have done the configuration as follows:

    1. Set up AD DC on windows server 2012 R2

    2. Created a domain user and did not check the options "This account supports Kerberos AES 128 bit encryption", "This account supports Kerberos AES 256 bit encryption" and "Use Kerberos DES encryption types for this account" for this domain user; "Do not require Kerberos preauthentication" is checked.

    3. Created keytab file on windows 2012 Server R2 by using the KTPASS command

    ktpass -princ host/<host name>@domain name -mapuser <domain user name> -pass <passwd of domain user> -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -out C:\KeyTab\TestHMAC4-U6.keytab

    and KTPASS executed successfully.

    4. Logged in to the Windows machine [Windows 8.1] with the domain user used in the KTPASS command and accessed the resource, but while accessing the resource authentication failed.

    5. The following tickets are displayed in the Kerberos ticket manager on the Windows client machine:

    Principal                               Valid Until        Encryption type
    krbtgt/domain name@domain name          <validity time>    session key: aes256-cts-hmac-sha1-96
    host/hostname@domain name               <validity time>    session key: arcfour-hmac
    ldap/kdc name@domain name               <validity time>    session key: aes256-cts-hmac-sha1-96
    LDAP/KDC NAME/domain name@domain name   <validity time>    session key: aes256-cts-hmac-sha1-96

    RC4-HMAC-NT is used in the ktpass command, but the encryption type aes256-cts-hmac-sha1-96 is displayed for the TGT and various other tickets.

    What changes need to be made on the Windows 2012 R2 AD network / Group Policy in order to use only the RC4-HMAC-NT encryption type for the TGT and the other tickets shown above?

    Thank You

    Monday, February 13, 2017 9:57 AM
  • Hi; This question is a duplicate of one you posted on 2-12-17: https://social.technet.microsoft.com/Forums/en-US/d1f07a79-ca48-4244-8cf4-fcc407116ac3/not-able-to-set-the-encryption-type-for-ticket-granting-ticket-of-kerberos-ticket?forum=winserverDS.   I left an answer for you on that other one.

    Best Regards, Todd Heron | Active Directory Consultant

    • Proposed as answer by Todd Heron Saturday, March 4, 2017 2:11 PM
    Monday, February 13, 2017 1:30 PM
  • Thank you very much for your response.

    1. I have deleted the SPN from the AD account linked to the keytab.

    2. In the AD account properties, checked the option "This account supports Kerberos AES 256 bit encryption".

    3. Restarted the Windows client machine and logged in with the domain user.

    4. Recreated the keytab file by using the ktpass command with the AES256-SHA1 encryption type.

    5. Tried to access the resource (BS2000 machine) from the Windows client [Win 8.1] machine.

    The Kerberos tickets are as follows, but the connection is not successful.

    Principal                               Valid Until        Encryption type
    krbtgt/domain name@domain name          <validity time>    session key: aes256-cts-hmac-sha1-96
    host/hostname@domain name               <validity time>    session key: aes256-cts-hmac-sha1-96
    ldap/kdc name@domain name               <validity time>    session key: aes256-cts-hmac-sha1-96
    LDAP/KDC NAME/domain name@domain name   <validity time>    session key: aes256-cts-hmac-sha1-96

    ========================

    1. I have deleted the SPN from the AD account linked to the keytab.

    2. In the AD account properties, unchecked the option "This account supports Kerberos AES 256 bit encryption" and checked the option "This account supports Kerberos AES 128 bit encryption".

    3. Restarted the Windows client machine and logged in with the domain user.

    4. Recreated the keytab file by using the ktpass command with the AES128-SHA1 encryption type.

    5. Tried to access the resource (BS2000 machine) from the Windows client [Win 8.1] machine [logged in to the Windows machine with the domain user].

    The Kerberos tickets are as follows, but the connection is not successful.

    Principal                               Valid Until        Encryption type
    krbtgt/domain name@domain name          <validity time>    session key: aes256-cts-hmac-sha1-96
    host/hostname@domain name               <validity time>    session key: aes128-cts-hmac-sha1-96
    ldap/kdc name@domain name               <validity time>    session key: aes256-cts-hmac-sha1-96
    LDAP/KDC NAME/domain name@domain name   <validity time>    session key: aes256-cts-hmac-sha1-96

    While using the encryption type AES128-SHA1, why is the TGT displayed with the encryption type aes256-cts-hmac-sha1-96?

    In the AD user account, "Do not require Kerberos preauthentication" is checked.

    And in the AD user account properties, the radio button Delegation -> "Do not trust this user for delegation" is selected.

    Please suggest whether there is any other setting which needs to be made to perform successful Kerberos authentication.

    Thank You

    Monday, February 13, 2017 2:20 PM
  • > ldap/kdc name@domain name                            <validity time>             *session key: aes256-cts-hmac-sha1-96*
    > please suggest how to use encryption type RC4-HMAC-NT for tgt tickets and other tickets as shown above.
     
    To add to Todd's answer: The client will NEVER use any of these aes256 tickets on its own - it will simply present them to the aforementioned principals. These all are able to understand aes256, so everything is fine.

    Monday, February 13, 2017 3:25 PM
  • Thank you very much for your response.

    > The client will NEVER use any of these aes256 tickets on its own - it will simply present them to the aforementioned principals. These all are able to understand aes256, so everything is fine.

    In our environment, when the client machine tries to connect to the principal using the Kerberos authentication method, it fails every time with "invalid authorization".

    The principal is using MIT Kerberos.

    But one of our customers was able to use the same principal with Kerberos authentication and was able to log in successfully, and shared screenshots.

    One of the screenshots shows all the Kerberos tickets on the Windows client machine, in which the encryption type for all the tickets is the same, i.e. while testing the connection with the principal using the RC4-HMAC-NT encryption type, all the Kerberos tickets "krbtgt/domain name@domain name", "host/hostname@domain name", "ldap/kdc name@domain name", "LDAP/KDC NAME/domain name@domain name" are using RC4-HMAC-NT, and in the case of AES128-SHA1 all the tickets are using the AES128-SHA1 encryption type, and so on.

    But in our environment only the Kerberos service ticket's encryption type is displayed as the same encryption type that is used in the KTPASS command; the rest of the tickets are always using the aes256 encryption type, and also the connection to the principal fails in the case of all the encryption types.

    That's why I suspect the AD DC setup and the encryption type of the TGT and other tickets, and am trying to set the encryption type of the TGT to the same encryption type that is used in the KTPASS command.

    Please help.

    Thank You

    Tuesday, February 14, 2017 6:22 AM
  • Hi,

    I notice that you have posted a new thread in our forum. We will reply to you in that thread.

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/c17089a9-d0d1-4c96-8e84-8a766c7e78c6/when-select-aes128sh1-encryption-type-in-local-security-policy-kerberos-tickets-are-not?forum=winserverDS#c17089a9-d0d1-4c96-8e84-8a766c7e78c6

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, February 17, 2017 8:18 AM
    Moderator