Domain trust AES encryption


Recently a new colleague in the UK noticed this event log entry on a DC:


While processing a TGS request for the target server %1, the account %2 did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of %3). The requested etypes were %4. The accounts available etypes were %5. Changing or resetting the password of %6 will generate a proper key.
Event ID 16 - Kerberos Key Integrity

 

A quick search online showed that AD trusts still use RC4, but Windows 10 / the new CIS baseline already disables RC4.

In GPO "Network security: Configure encryption types allowed for Kerberos"

It turns out the DC itself uses AES, but across a domain trust it uses RC4.

https://docs.microsoft.com/en-us/troubleshoot/windows-server/windows-security/unsupported-etype-error-accessing-trusted-domain

 

At a very high level, a domain controller (DC) is responsible for managing access requests within its own domain. As part of the Kerberos authentication process, the DC checks that both the client and the service can use the same Kerberos encryption type. However, when a client requests access to a service in a different, trusted domain, the client's DC must "refer" the client to a DC in the service's domain. When the DC builds the referral ticket, instead of comparing the encryption types of the client and the service, it compares the encryption types of the client and the trust.

The problem occurs because of the configuration of the trust itself. In Active Directory, a domain object has associated trusted domain objects (TDOs) that represent each domain that it trusts. The attributes of a TDO describe the trust relationship, including the Kerberos encryption types that the trust supports. The default relationship between a child domain and a parent domain is a two-way transitive trust that supports the RC4 encryption type. Both the parent and the child domain have TDOs that describe this relationship, including the encryption type.

Use ksetup to do it; if you pick AES in the GUI instead, RC4 gets disabled automatically.

ksetup /setenctypeattr it.contoso.com RC4-HMAC-MD5 AES128-CTS-HMAC-SHA1-96 AES256-CTS-HMAC-SHA1-96

You can use ADSIEDIT to see what is currently in use:

System -> trusted domain object, right click > Properties > msDS-SupportedEncryptionTypes
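To check the same attribute on every trust without clicking through ADSIEDIT, here is an added PowerShell example (my own, not from the linked Microsoft article). It assumes the ActiveDirectory RSAT module is installed, reads each trustedDomain object under the System container, and decodes the msDS-SupportedEncryptionTypes bitmask so you can spot trusts that still allow only RC4.

```powershell
# Added example: report the Kerberos etypes enabled on each trust object.
# Assumes the ActiveDirectory module (RSAT) and read access to the System container.
Import-Module ActiveDirectory

# Bit values of msDS-SupportedEncryptionTypes as documented by Microsoft.
$EncTypeBits = [ordered]@{
    DES_CBC_CRC             = 0x1
    DES_CBC_MD5             = 0x2
    RC4_HMAC_MD5            = 0x4
    AES128_CTS_HMAC_SHA1_96 = 0x8
    AES256_CTS_HMAC_SHA1_96 = 0x10
}

function ConvertFrom-EncTypeMask {
    param([AllowNull()][int]$Mask)
    # An absent or zero attribute means the trust falls back to the RC4 default.
    if (-not $Mask) { return @('(not set: RC4 default)') }
    $EncTypeBits.GetEnumerator() |
        Where-Object { $Mask -band $_.Value } |
        ForEach-Object { $_.Key }
}

function Get-TrustEncTypeReport {
    Get-ADObject -LDAPFilter '(objectClass=trustedDomain)' `
        -SearchBase (Get-ADDomain).SystemsContainer `
        -Properties 'msDS-SupportedEncryptionTypes' |
    ForEach-Object {
        $mask  = $_.'msDS-SupportedEncryptionTypes'
        $types = ConvertFrom-EncTypeMask $mask
        [pscustomobject]@{
            Trust    = $_.Name
            Mask     = if ($mask) { '0x{0:X}' -f $mask } else { '<none>' }
            EncTypes = $types -join ', '
            # False here means the trust cannot issue AES referral tickets,
            # which is the situation behind Event ID 16 above.
            AESReady = [bool]($mask -band 0x18)
        }
    }
}

Get-TrustEncTypeReport | Format-Table -AutoSize
```

Any row with AESReady = False is a candidate for the ksetup /setenctypeattr command shown above.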


https://syfuhs.net/lessons-in-disabling-rc4-in-active-directory

https://techcommunity.microsoft.com/t5/itops-talk-blog/tough-questions-answered-can-i-disable-rc4-etype-for-kerberos-on/ba-p/382718

https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/decrypting-the-selection-of-supported-kerberos-encryption-types/ba-p/1628797


Update: on Solaris 11 you need to change krb5.conf to support AES.
