MicrosoftCan't get this to work in our environment. Whenever enforcing the policy the affected users are restricted from access to any server, even allowed ones. Help appreciated.
"KDC\Support Kerberos amoring |...|" policy enabled and set to supported in default dc policy, and "Kerberos\claim support" enabled in policy hitting member servers (currently not using the default domain policy but just targeting specific devices).
DomainMode : Windows2016Domain.
Auth policy settings:
- Accounts: tier 0 user accounts
(No silos in use.)
- User Sign On: conditions: "(Member of each({ENTERPRISE DOMAIN CONTROLLERS}) Or Member of any({Tier-0-computers (domain\Tier-0-computers)}))"
Computer objects which the tier 0 user accounts should have access to are added to "Tier-0-computers" group.
With the policy in audit mode and logging on to a member server and checking klist, i get no "0x41 -> PRIMARY_FAST"
PS C:\Users\tier0user> $klistOutput = klist tgt | Out-String
>> $cacheFlags = if ($klistOutput -match "Cache Flags:\s+(0x[0-9A-Fa-f]+)") {
>> $matches[1]
>> } else {
>> "Not found"
>> }
>>
>> if ($cacheFlags -eq "0x40" -or $cacheFlags -eq "0x240") {
>> Write-Host "FAST is enabled. Cache Flags: $cacheFlags"
>> } else {
>> Write-Host "FAST is not enabled. Cache Flags: $cacheFlags"
>> }
>>
FAST is not enabled. Cache Flags: Not found
Checking event logs on DC after logon in audit mode...
Event id 4768 indicates:
The Kerberos authentication ticket (TGT) request for the account tier0user was successful.
The ticket was issued with the following details:
The account tier0user in the domain requested a TGT from the Key Distribution Center (KDC).
The service name for the TGT is krbtgt.
The ticket encryption type used was 0x12, which corresponds to AES256-CTS-HMAC-SHA1-96.
The pre-authentication type used was 2, indicating that the standard PA-ENC-TIMESTAMP method was employed.
The result code 0x0 indicates a successful ticket issuance without any errors.
Both the client and the domain controller support multiple encryption types, including AES, RC4, and DES.
The ticket was encrypted using AES256.
The client advertised support for various encryption types, with AES256 being the preferred option.
This successful TGT request indicates that the Kerberos authentication is functioning correctly for this account.
I feel like I'm missing a crucial error in my setup.
MicrosoftWeird, it sounds to me the DC ist not issuing FAST encrypted tickets. How many DC do you have in your environment? I saw from time-to-time in a domain with a single DC FAST will not be enabled and then it worked after several reboots.
Anyway: If you RDP into your DC and run klist, do you see the FAST flag on your TGT? If not validate the GP is applied to the DC.
On the DC both settings KDC and Kerberos support must be enabled
4 dc's, on 3 different sites.
I changed the policy to auth mode only and did a runas on the dc with the test user.
Getting no FAST flag for some reason.
KDC and kerberos settings applied to DCs via Default DC policy.
RSOP shows both "KDC support for claims..." and "Kerberos client support for claims...".
Klist output
#0> Client: tier0user @ thedomain.LOCAL
Server: krbtgt/thedomain.LOCAL @ thedomain.LOCAL
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0xe10000 -> renewable initial pre_authent name_canonicalize
Start Time: 2/5/2025 12:05:20 (local)
End Time: 2/5/2025 22:05:20 (local)
Renew Time: 2/12/2025 12:05:20 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0x1 -> PRIMARY
Kdc Called: DCO001
