While configuring multiple encryption types using the ktpass command, the cached ticket is displayed for only one encryption type

    Question

  • Hello,

    We have configured an AD DC on Windows 2012 R2 and executed the ktpass command as follows:

        C:\Users\Administrator>ktpass -princ host/<hostname>@<active directory domain> -mapuser <domain name>\TestU1 -pass * -crypto AES128-SHA1 -ptype KRB5_NT_PRINCIPAL -out C:\KeyTab\TestAES128.keytab

    We then logged in to the Windows client (a Windows 8.1 machine) as the domain user TestU1.


    1. We executed the ktpass command for the AES256-SHA1 and AES128-SHA1 encryption types [created 2 keytab files], but after logging in as the domain user on the Windows 8.1 machine and running the klist command on the Windows 2012 R2 machine, only the cached ticket for encryption type AES256-SHA1 [KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96] is displayed; no ticket for encryption type AES128-SHA1 is displayed.
    2. Even after clearing the Kerberos tickets from the cache [klist -purge] and logging in again as the domain user on the Windows 8.1 machine, the klist command on the Windows 2012 R2 machine again shows only the cached ticket for encryption type AES256-SHA1 [KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96]; no ticket for encryption type AES128-SHA1 is displayed.

    Please help in configuring it.

    Thank You

    Wednesday, December 7, 2016 5:33 PM

Answers

  • This is normal behavior. Kerberos tickets are only going to make use of one encryption algorithm at a time. It doesn't matter how many different encryption types you placed into the keytab using ktpass. Per the SPNEGO process, client and server will agree on the strongest encryption algorithm and use that. They are not going to use two at the same time. You have a misunderstanding about this. Refer to RFC 1510 and RFC 4120 for more details.

    Best Regards, Todd Heron | Active Directory Consultant

    • Proposed as answer by thutmose Thursday, December 8, 2016 2:59 AM
    • Marked as answer by Programmer1982 Thursday, December 8, 2016 3:44 PM
    Wednesday, December 7, 2016 9:14 PM

All replies

  • Hello Todd,

    Thank you very much for your response.

    Our purpose is to test various encryption methods for single sign-on, so we have created many keytab files for various encryption types.

    But all the time it uses encryption type AES-256-CTS-HMAC-SHA1-96.

    Please suggest how we can use AES128-SHA1 encryption instead of AES-256-CTS-HMAC-SHA1-96.

    How can we remove the encryption type AES-256-CTS-HMAC-SHA1-96 from the keytab files?

    Thank You

    Thursday, December 8, 2016 6:17 AM
  • I've answered the original question; you should mark it as such so that it may help others when searching for the same or similar question. Your latest comment is a whole new question, and so it should be asked in the form of a new question. I apologize, but I will discontinue answering further until this is done.

    Best Regards, Todd Heron | Active Directory Consultant

    Thursday, December 8, 2016 12:48 PM
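The follow-up asks what encryption types a keytab file actually contains, which is a separate question from the ticket etype that klist reports. The Python below is an added example, not code from this thread or from Microsoft: it parses the MIT version-2 (0x0502) keytab layout that ktpass writes and lists each entry's principal, kvno and etype, so a keytab produced with -crypto AES128-SHA1 can be checked to hold only etype 17. The principal, realm, deleted slot and all-zero key in SAMPLE_KEYTAB are constructed values.

```python
import struct
# Kerberos etype numbers (RFC 3962 / RFC 4757) that ktpass -crypto can write into a keytab
ETYPE_NAMES = {17: "AES128-CTS-HMAC-SHA1-96", 18: "AES256-CTS-HMAC-SHA1-96", 23: "RC4-HMAC"}

def _counted(buf, off):
    """Read a 16-bit length-prefixed string at off; return (bytes, next offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Return (principal, kvno, etype, etype name) for each live entry of an MIT v2 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)  # negative size marks a deleted slot
        off += 4
        if size < 0:
            off -= size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp.decode())
        _name_type, _timestamp, kvno = struct.unpack_from(">IIB", data, off)
        etype, keylen = struct.unpack_from(">HH", data, off + 9)
        off += 13 + keylen                 # past name type, timestamp, vno8, etype, key
        if end - off >= 4:                 # optional 32-bit kvno after the key block
            (kvno,) = struct.unpack_from(">I", data, off)
        principal = "/".join(comps) + "@" + realm.decode()
        entries.append((principal, kvno, etype, ETYPE_NAMES.get(etype, f"etype {etype}")))
        off = end
    return entries

def _entry(principal, realm, kvno, etype, key):
    """Encode one entry (without its size prefix); only used to build the sample below."""
    comps = principal.split("/")
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    for comp in comps:
        body += struct.pack(">H", len(comp)) + comp.encode()
    body += struct.pack(">IIB", 1, 1481129580, kvno & 0xFF)  # KRB5_NT_PRINCIPAL, time, vno8
    return body + struct.pack(">HH", etype, len(key)) + key + struct.pack(">I", kvno)

# Constructed sample: one AES128 entry behind a deleted slot; the all-zero key is a placeholder.
_aes128 = _entry("host/client81.corp.example", "CORP.EXAMPLE", 3, 17, bytes(16))
SAMPLE_KEYTAB = b"\x05\x02" + struct.pack(">i", -2) + b"\0\0" + struct.pack(">i", len(_aes128)) + _aes128
```

Pointing parse_keytab at the bytes of each keytab ktpass produced shows which etypes each one carries; klist, by contrast, reports the etype the KDC chose for the issued ticket.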