Microsoft
Microsoft
I want to disable RC4 in the environment.
SAP Kerberos Service Account :
- already setting never expired
- pwdlastset : 7/12/2020
- Already setting SPN : HTTP/portal.domain
Service ID:
CONTOSODOMAIN\Kerberos_SAP
- user01@CONTOSO.DOMAIN is normal ad user
Client Address:
::ffff:10.XX.XX.XX -- client computer Win 11 Enterprise
Client MSDS-SupportedEncryptionTypes : 31
My question is: Why is the Ticket Encryption Type returning 0x17?
Do I need to set msDS-SupportedEncryptionTypes to 0x18 for the Client object first?
or CONTOSODOMAIN\Kerberos_SAP service account ?
A Kerberos service ticket was requested.
Account Information:
Account Name:
user01@CONTOSO.DOMAIN
Account Domain:
CONTOSO.DOMAIN
Logon GUID:
{20ee2c33-ed0a-6054-ccb2-342a02ad4f39}
MSDS-SupportedEncryptionTypes:
N/A
Available Keys:
N/A
Service Information:
Service Name:
Kerberos_SAP
Service ID:
CONTOSODOMAIN\Kerberos_SAP
MSDS-SupportedEncryptionTypes:
0x27 (DES, RC4, AES-Sk)
Available Keys:
AES-SHA1, RC4
Domain Controller Information:
MSDS-SupportedEncryptionTypes:
0x1F (DES, RC4, AES128-SHA96, AES256-SHA96)
Available Keys:
AES-SHA1, RC4
Network Information:
Client Address:
::ffff:10.XX.XX.XX
Client Port:
51584
Advertized Etypes:
AES256-CTS-HMAC-SHA1-96
AES128-CTS-HMAC-SHA1-96
RC4-HMAC-NT
DES-CBC-MD5
DES-CBC-CRC
RC4-HMAC-NT-EXP
RC4-HMAC-OLD-EXP
Additional Information:
Ticket Options:
0x40810000
Ticket Encryption Type:
0x17
Session Encryption Type:
0x12
Failure Code:
0x0
Transited Services:
-
Ticket information
Request ticket hash:
5zhVD4CEQA55SBNn1NN4Y2cxnTR/DxKFQfBLqWmhbMs=
Response ticket hash:
HWqrnwiW+itOtUTZiilYulqrnNjMmhe4guyIwx17ezQ=
This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested.
This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket.
Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.
MicrosoftHi MaxC0der88 - The ticket encryption type is not dependent on the settings of the requesting account (user01) or the client computer. The session key on the other hand does have dependencies on them. At a glance everything looks correct on the Kerberos_SAP account (msds-supportedencryptiontypes is 0x1F and password was last changed 7/12/2020 and the 4769 event shows available key are AES-SHA1 and RC4). The first thing I would try is changing the password of Kerbero_SAP one more time. In some cases the KDC wants to have a N-1 AES Key before issuing an AES encrypted ticket and it is possible the account does not have history for the AES keys. Once that change has replicated you can test it from any domain joined devices by executing klist get HTTP/portal.domain which will cause the client to request a service ticket. If that does not help try changing msds-supportedencryptiontypes to 0x1C (decimal 28)on Kerberos_SAP. On paper that should not be necessary but it would be worth testing since 0x1c is a more common value when you want to enable RC4, AES128 and AES1256
