Blog Post

Core Infrastructure and Security Blog
9 MIN READ

Active Directory Hardening Series - Part 4 – Enforcing AES for Kerberos

JerryDevore's avatar
JerryDevore
Icon for Microsoft rankMicrosoft
Apr 15, 2024
Hi everyone, Jerry Devore here again with another installment in my series on Active Directory hardening.  This time I want to revisit a topic I previously wrote about in September of 2020 which is e...
JerryDevore_0-1713217151872.png
Updated Jan 27, 2025
Version 7.0
ADHardening
JerryDevore
budda's avatar
budda
Copper Contributor
Mar 06, 2025

Thank you JerryDevore amazing work, I appreciate the work :) ! Few floow up questions:

 

  1. Ensure all devices support AES by leveraging the 4768 events (advertised e-types)

    The Advertized Etypes looks like is not populated everytime. Thanks to your articel and investigating 4768 event types I've discovered for example Azure NetApp file storage solutions that are using RC4, here Advertized Etypes is not oupulated.

  2. Enable AES on all SPN enabled service accounts
    Without this step even if the client is supporting AES it will fall back to RC4, correct? 
    You stated that this should be added to ones service account provisioning process as well. Just wondering, is there a way to set it via GPO in a way that one will not have to set it every time ?

Also, what's your take on gMSA, they mitigate kerberoasting pretty much. 

 

Thank you!!!

JerryDevore's avatar
JerryDevore
Icon for Microsoft rankMicrosoft
Mar 07, 2025

Capturing the E-types in 4768 and 4769 events was just added in January.  This is the first I have heard of it not being reported.  When it is missing your best bet is to zero in on the session key.  If the session key for the TGT is RC4 that is because the device avertised that RC4 is the best it could do during the AS-REQ.

 

Session keys are determined by device support.  Ticket encryption type of service tickets is determined by msds-supportedencryptiontypes and the available keys of the target account.  If the account's msds-supportedencryption supports RC4 and AES but the account only has RC4 keys, it will fall back to RC4 encrypted tickets.

 

The are two benefits with gMSAs.  They have very long passwords and they automatically set a value for msds-supportedencryptiontypes.  Regular accounts being used as a service account does not have a value for msds-supportedencryptiontypes until you set it.  If the value is blank the KDC will defaut to issuing RC4 encrypted tickets.