Hey Rob, Ryan guided me on Twitter to ask you directly here.
I hope I may intrude with a question we have about a problem on the "other side" of this service.
I want to improve the security posture of an (undisclosed) org by changing the mscep_admin page to Kerberos-only, as described in KB5005413.
Working now:
The engineer currently runs "curl --ntlm ..." against the mscep_admin endpoint and gets the code token back.
I changed the auth settings on this IIS endpoint to Negotiate:Kerberos (removed NTLM) and disabled "kernel-mode auth" in the advanced settings.
The Linux client has a Kerberos ticket (klist). If it runs the curl command with --negotiate -u : we just get a "401 not authorised" back and see no username in the IIS log file; the field is just empty. If we try this from a Windows box with Kerberos, it works.
Do you have a suggestion where I can look to dive deeper, such as a debug view or other insight?
I just set up a blank Server 2022 Adatum test environment and am testing with a Kali Linux box to get ahead of this, so far to no avail. It would be great if you could push me in the right direction where I should look. Thank you!
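An added diagnostic helper for the failing "curl --negotiate -u :" exchange described in the comment above (editor's example, not part of the original post or of any Microsoft tooling). It reduces a curl -v transcript to whether IIS offered Negotiate, whether the client ever attached a token, which flavour of token it was, and the final status, then maps that to the failure class to chase next; it also prints the SPN curl will ask the KDC for. The host name ca01.adatum.example, the URL and the three transcripts are constructed samples, as is the base64 in them.

```bash
#!/usr/bin/env bash
# Added diagnostic helper for a "curl --negotiate -u :" call that comes back 401.
# Not from the original post: host name, URL and curl -v transcripts are constructed
# samples. Needs only bash/sed/tr; the live check needs MIT krb5 tools and curl.
set -u

# The service name curl's GSSAPI code requests is HTTP@<host as written in the URL>,
# which libkrb5 turns into HTTP/<host> (lowercased; MIT may also DNS-canonicalize it,
# see dns_canonicalize_hostname). If that SPN is not registered in AD, kinit succeeds
# but curl never gets a service ticket and sends no Authorization header at all,
# which is exactly the "401 with an empty user name in the IIS log" symptom.
spn_for_url() {
  printf 'HTTP/%s\n' "$(printf '%s' "$1" \
    | sed -E 's#^[A-Za-z]+://##; s#[:/].*$##' \
    | tr '[:upper:]' '[:lower:]')"
}

# Classify the token in "Authorization: Negotiate <base64>" by its first characters:
#   TlRMTVNT... = base64("NTLMSSP\0"): raw NTLM carried inside the Negotiate header
#   Y...        = DER tag 0x60 (GSS-API InitialContextToken): SPNEGO/Kerberos
classify_negotiate_token() {
  case "$1" in
    TlRMTVNT*) echo ntlmssp ;;
    Y*)        echo gssapi ;;
    *)         echo unknown ;;
  esac
}

# Reduce a "curl -v" transcript ("> " client lines, "< " server lines) to one line:
#   offered=<server sent WWW-Authenticate: Negotiate> sent=<client sent a token>
#   kind=<token kind> status=<last HTTP status seen>
analyze_curl_trace() {
  local offered=no sent=no kind=none status=none line
  while IFS= read -r line; do
    case "$line" in
      "< WWW-Authenticate: Negotiate"*) offered=yes ;;
      "> Authorization: Negotiate "*)
        sent=yes
        kind=$(classify_negotiate_token "${line#"> Authorization: Negotiate "}") ;;
      "< HTTP/"*) status=${line#"< HTTP/"*" "}; status=${status%% *} ;;
    esac
  done <<EOF
$1
EOF
  printf 'offered=%s sent=%s kind=%s status=%s\n' "$offered" "$sent" "$kind" "$status"
}

# Map the summary to the failure class a practitioner should chase next.
verdict() {
  case "$1" in
    *status=200*)   echo ok ;;
    *offered=no*)   echo server-not-offering-negotiate ;;
    *sent=no*)      echo no-token-sent ;;
    *kind=ntlmssp*) echo ntlm-inside-negotiate ;;
    *kind=gssapi*)  echo kerberos-token-rejected ;;
    *)              echo unknown ;;
  esac
}

explain() {
  case "$1" in
    no-token-sent)
      echo "client never built a Kerberos token: check 'kvno HTTP/<host>' and KRB5_TRACE output;"
      echo "the host in the URL must match a registered HTTP/ SPN (not an IP, not an unregistered alias)" ;;
    ntlm-inside-negotiate)
      echo "client fell back to NTLM inside Negotiate; a Negotiate:Kerberos-only provider list rejects it" ;;
    kerberos-token-rejected)
      echo "IIS got a Kerberos token but could not accept it: with kernel-mode auth off the SPN must"
      echo "belong to the application-pool identity; also look for duplicate SPNs (setspn -X)" ;;
    *) echo "$1" ;;
  esac
}

# Live check (not run here): TGT present, service ticket obtainable for the SPN curl
# will use, then curl with MIT krb5 tracing (KRB5_TRACE is MIT-specific).
run_live_diag() {
  url=$1
  klist
  kvno "$(spn_for_url "$url")"
  KRB5_TRACE=/dev/stderr curl -sv --negotiate -u : "$url" -o /dev/null
}

# Constructed transcripts for the three cases a Negotiate:Kerberos-only endpoint produces.
TRACE_LINUX_401=$(cat <<'EOF'
> GET /certsrv/mscep_admin/ HTTP/1.1
> Host: ca01.adatum.example
< HTTP/1.1 401 Unauthorized
< WWW-Authenticate: Negotiate
EOF
)
TRACE_WINDOWS_200=$(cat <<'EOF'
< HTTP/1.1 401 Unauthorized
< WWW-Authenticate: Negotiate
> GET /certsrv/mscep_admin/ HTTP/1.1
> Authorization: Negotiate YIIGgwYGKwYBBQUCoIIGdzCCBnMCONSTRUCTEDSAMPLE
< HTTP/1.1 200 OK
EOF
)
TRACE_NTLM_401=$(cat <<'EOF'
< HTTP/1.1 401 Unauthorized
< WWW-Authenticate: Negotiate
> Authorization: Negotiate TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAKAGFFAAAADw==
< HTTP/1.1 401 Unauthorized
EOF
)

for t in "$TRACE_LINUX_401" "$TRACE_WINDOWS_200" "$TRACE_NTLM_401"; do
  s=$(analyze_curl_trace "$t"); v=$(verdict "$s")
  printf '%s -> %s: %s\n' "$s" "$v" "$(explain "$v" | head -n1)"
done
```

On the real Linux box, `run_live_diag https://ca01.adatum.example/certsrv/mscep_admin/ 2>&1 | tee trace.txt` (with the real host) gives the kvno result and the KRB5_TRACE lines alongside the curl headers, and `analyze_curl_trace "$(cat trace.txt)"` classifies the outcome. The first transcript above is the situation in the question: Negotiate offered, no token sent, 401 with an empty user name, which points at the SPN lookup on the client side rather than at IIS.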