
Security Question


Not able to set the encryption type for the ticket-granting ticket of a Kerberos ticket

02/10/2017 1129 views
Hi

I have done the configuration as follows:

1. Set up AD DC on Windows Server 2012 R2

2. Created a domain user and did not check the options "This account supports Kerberos AES 128 bit encryption", "This account supports Kerberos AES 256 bit encryption", "use Kerberos DES encryption type for this account" for this domain user, and "do not require Kerberos pre authentication" is checked

3. Created a keytab file on Windows 2012 Server R2 by using the KTPASS command


ktpass -princ host/<host name>@domain name -mapuser <domain user name> -pass <passwd of domain user> -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -out C:\KeyTab\TestHMAC4-U6.keytab

and KTPASS executed successfully.

4. Logged in to the Windows machine [Windows 8.1] with the domain user used in the KTPASS command and accessed the resource, but authentication fails while accessing the resource.

5. The following tickets are displayed in the Kerberos ticket manager on the Windows client machine:

Principal                                   Valid Until        encryption type
krbtgt/domain name@domain name              <validity time>    session key: aes256-cts-hmac-sha1-96
host/hostname@domain name                   <validity time>    session key: arcfour-hmac
ldap/kdc name@domain name                   <validity time>    session key: aes256-cts-hmac-sha1-96
LDAP/KDC NAME/domain name@domain name       <validity time>    session key: aes256-cts-hmac-sha1-96

As RC4-HMAC-NT is used in the KTPASS command, why is encryption type aes256-cts-hmac-sha1-96 displayed for the TGT and various other tickets?

Please suggest how to use encryption type RC4-HMAC-NT for the TGT and the other tickets shown above.

Thank You