Microsoft
MicrosoftHi, I'm confused a bit
"Disabling RC4 support on devices should follow remediation of service accounts. Otherwise RC4 service tickets could be issued for devices that will not accept them."
then
"Once you have identified and remediated any device defaulting to RC4 you can ramp up your efforts to enable AES on your SPN enabled service accounts."
aren't the two contraditcing each other ??
Don't think so. If my understanding is correct:
The first sentence is about removing RC4 from devices which supports both RC4 AND AES.
The second is about devices which support RC4 but NOT AES
MicrosoftHi budda - I can see why that can be confusing.
If you have devices in your environment that cannot support AES (legacy system like 2003, XP, etc) you have to be careful when enabling AES on service accounts. For example if you are using an IIS pool account (SPN enabled service account) on a 2003 server and and you enable AES on that service account, the KDC will begin to encrypt tickets for that account with AES and IIS will not be able to use those tickets. If you have no devices that are incapable of AES then then is no need to be cautious hence the "ramp us your efforts" statement.
Disabling RC4 in the operating system of a device will prevent it from accepting a RC4 Kerberos ticket which is why you want to make sure the tickets consumed by a device are AES before you apply the policy to disable RC4.
Generically speaking the order of events should look like this. However, you could address invidual devices and accounts but that requires fully understanding where service accounts are being use to host services.
Thank you JerryDevore amazing work, I appreciate the work :) ! Few floow up questions:
Also, what's your take on gMSA, they mitigate kerberoasting pretty much.
Thank you!!!
MicrosoftCapturing the E-types in 4768 and 4769 events was just added in January. This is the first I have heard of it not being reported. When it is missing your best bet is to zero in on the session key. If the session key for the TGT is RC4 that is because the device avertised that RC4 is the best it could do during the AS-REQ.
Session keys are determined by device support. Ticket encryption type of service tickets is determined by msds-supportedencryptiontypes and the available keys of the target account. If the account's msds-supportedencryption supports RC4 and AES but the account only has RC4 keys, it will fall back to RC4 encrypted tickets.
The are two benefits with gMSAs. They have very long passwords and they automatically set a value for msds-supportedencryptiontypes. Regular accounts being used as a service account does not have a value for msds-supportedencryptiontypes until you set it. If the value is blank the KDC will defaut to issuing RC4 encrypted tickets.
