Decrypting the Selection of Supported Kerberos Encryption Types

I thought i knew something about kerberos and then this blog happened. 

But this is super helpful as we have undertaken a project to get rid of all accounts which are still requesting for Service tickets using RC4. Thanks.

@Jerry Devore brilliant post and is actually pretty succinct for such a complex topic. Been through parts of this process when upgrading a large domain from FFL/DFL 2003 to 2008. It was six months of planning, communicating, monitoring, reporting & testing. But ultimately successful.

Observations & recommendations:

1. Don't forget about non-Windows clients that maybe using AD for Kerberos auth. e.g. Linux, NAS & Network gear
2. Centralised logging is worth the effort and will ultimately save you time for this and other projects - have a look at native WEF (windows Event Forwarding) and Power BI analysis, you can use this blog post by Jessica Payne as a starter - Monitoring what matters - Windows Event Forwarding for everyone (even if you already have a SIEM.) |...
3. Don't forget your blank root domains (remember when those were best-practice)
4. For a FFL/DFL upgrade there really is no viable fall-back you will need to fix and move forward; you need to explain this to management
5. Following on from the last point whilst in practice it is highly unlikely it would be invoked you should know how to do a forest level authoritative restore
6. If you an MS TAM engage with them, have PFE workshops and share the schedule so that a rapid response engineer can be briefed if the worst happens
7. Document, document, document; use this as an exercise to really understand your environment, build relations with app owners and inventory (you'll probably uncover practices that you weren't aware and will scare you)
   
   Paul

The link to the krbtgt script is broken. 

The link to Daniele's blog is also broken, but I was able to at least find it here: https://techcommunity.microsoft.com/t5/itops-talk-blog/tough-questions-answered-can-i-disable-rc4-et...

Thanks for the heads up Chris.  The links have been fixed.

Thanks for an amazing article! After reading it, it was simple to make a plan and implement it without any problems (lucky to not use keytabs in that environment). Now really small number of RC4 are left.

My question: Once we hunt them down and see that AES is used for all TGT and TGS everything to AES, how do we disable RC4 completely? What will happen if we configure msDS-SupportedEncryptionTypes to only support AES on krbtgt account?

The reason for the questions is obvious - now we have cleaned up everything and it looks good. Even if we configure all existing accounts to only support AES and no RC4, there's no guarantee that some time later someone would create a new service account without specifying msDS-SupportedEncryptionTypes attribute or just joins another non-Windows device into domain, which may allow all encryption algorithms by default. Do we need to constantly monitor for such accounts, or can we turn off RC4 once and for all?

Also maybe this fresh article would be nice to mention in your post, as it describes some border cases which may be useful for troubleshooting:
https://syfuhs.net/lessons-in-disabling-rc4-in-active-directory

RossUA - Congrats on nearly eliminating RC4.  To ensure RC4 encryption for Kerberos does not make a comeback in your environment you should disable support for it in the operating system of your devices.  Group policy is one way you can do that using the Network security: Configure encryption types allowed for Kerberos setting.  That setting will modify HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\SupportedEncryptionTypes.  If you still have legacy clients that do not support AES you would not want to apply that setting domain wide but you could use it harden modern devices that do not interact with the legacy systems.

The krbtgt account is a bit of a special case in that when it does not have a value defined for msDS-SupportedEncryptionTypes the KDC will still encrypt TGTs with AES.  Configuring krbtgt to only support AES before you eliminated the legacy devices will be problematic given those devices are dependent on RC4 session keys.

** Bonus Material  **

Here is a quick query you can use to determine the msDS-SupportedEncryptionTypes attribute value for all accounts with a SPN set (i.e. Kerberos enabled service accounts).  msDS-SupportedEncryptionTypes is not a Global Catalog attribute by default so if you have a multi-domain forest you will need to run the query against a DC in each domain.  If you have a more eloquent query feel free to share it via a comment. 

get-aduser -filter {(objectclass -eq 'user')} -property servicePrincipalName,pwdLastSet,description,displayName,msDS-UserPasswordExpiryTimeComputed,userAccountControl,msDS-PrincipalName,msDS-SupportedEncryptionTypes,lastLogonTimestamp | where-Object {$PSItem.ServicePrincipalName -ne $null} | select-object servicePrincipalName,userPrincipalName,displayName,distinguishedName,description,pwdLastSet,msDS-UserPasswordExpiryTimeComputed,userAccountControl,msDS-PrincipalName,msDS-SupportedEncryptionTypes,lastLogonTimestamp | Export-Csv -Path .\SPNEncryptionData.csv -NoTypeInformation

Brilliant... this doc is great

KQL query if using Sentinel or some other log collector: 

SecurityEvent | where EventID in (4768, 4769) | where EventData contains '<Data Name="TicketEncryptionType">0x17</Data>' or EventData contains '<Data Name="TicketEncryptionType">0x18</Data>'

Great article, thank you. 

I'm troubleshooting the use of RC4. The account and device have msDS-SupportedEncryptionTypes values supporting AES. 

The KRBTG account does not have enabled AES. 

Would checking those boxes block the use of RC4 (not ready for that) or allow AES. Meaning, could something break from this, or am I allowing the use of newer encryption options in addition to the RC4. Would be grateful for any input. 

Hi @sintra3000  - Enabling AES on the KRBTGT account would not disable RC4 in your environment.  From my testing it does not appear the KDC references the msDS-SupportEncryptionTypes of the KRBTGT account when issuing TGTs.  If the account has a AES key (password reset since 2008) it will issue AES encrypted TGTs.  That behavior could depend on the DFL but I has not researched that.

If you are unable to acquire an AES service ticket for an account that has AES enabled in the msDS-SupportEncryptionTypes attribute I would first confirm the password on the account was not last set prior to the elimination of 2003 (and earlier) domain controllers.

Hi Jerry, 

Thank you your reply, that cleared some things up. I have verified that the account has a recent pwdLastSet. 

The cloud app security report still is reporting the account as using weak cipher. 

if your domain controllers are server 2019 or higher, it is not necessary to modify msDS-SupportedEncryptionTypes settings anywhere. as soon as RC4 is disabled on the domain controller (Network security: Configure encryption types allowed for Kerberos) no RC4 tickets will be issued, ever. it does not matter if the checkbox "this account supports aes 256...." checkboxes are set or not, and it does not matter if computer accounts have their bit flags updated or not.

here is a klist example in a hardenend domain (encryption types allowed for kerberos set to AES on domain controllers only), no checkbox set on service account, i.e. RC4 is enabled, AES is not enabled

still, we receive aes tickets only:

#1> Client: darr @ LAB.LOCAL
Server: MSSQLSvc/lab004s.lab.local:1433 @ LAB.LOCAL
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
Start Time: 10/21/2021 18:52:09 (local)
End Time: 10/22/2021 4:52:09 (local)
Renew Time: 10/28/2021 18:52:09 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0
Kdc Called: LAB001DC.lab.local

this is different in previous generations (server 2016, server 2012R2). we have verified this in multiple lab domains, customer domains and our own domain. this fact is also documented here: https://dev-2null.github.io/Kerberoasting-AES-Encryption-Protected-Users-Group-and-gMSA/

we also ran rubeus downgrade attacks against nonhardenend and hardened environments and confirm the same observation.

so in short, you do NOT need to worry about modifying service accounts or computer accounts to harden them against kerberos rc4. just harden the DC with the security setting provided above and all is fine.

may i also point out that this statement is incorrect:

"To date tickets encrypted with AES keys are not susceptible to Kerberoasting."

kerberos aes 256 tickets can be kerberoasted just fine with hashcat since march 2019

https://github.com/hashcat/hashcat/pull/1955

... it just takes a lot longer (about 750times when switching from RC4 to AES256)

@robertro-sit - Thanks for sharing your testing and research.  Many enterprises have pockets of legacy OSs (2003\XP) as well as old keytab files which were not created to support AES.  If RC4 support was removed from the DCs those devices would be impacted which is why I recommended leveraging audit logs to uncover and resolve RC4 use rather than completely disabling it at the domain level.  In environments without legacy dependencies you could certainly save considerable time by removing RC4 support from the DCs if the organization is willing to accept some risk of impact.

I was not aware that hashcat can support kerberoasting AES tickets.  I will edit my phrasing.  That bit of information highlights the importance of setting long and complex (non-guessible) passwords on service accounts in addition to enabling them for AES.  Too often that is not the case because service accounts have been made exempt from password changes and as a result the current passwords were set when the organization had much more lax password standards.  Personally I am fan of leveraging fine grained password policy to hold service accounts to a higher standard than the average user account.  Of cource the PSO would not be enforced until the service account passwords are cycled.

Your correct about server 2019 addressing the issue with ticket down grade attacks.  That improvement alone is great justification to get domain controllers up to 2019 (or 2022) as soon as possible.  If the DC upgrades cannot happen in the near term, Microsoft Defender for Identity is a good mitigation given it will alert you when such ticket ecryption downgrade are occurring.

It seems the "decoder ring" table contains some errors. For example, for value of 1 it says the encryptions is "DES_DES_CBC_CRC" (extra DES there), for value of 15 (0xF) "DES_CBC_MD5" appears twice (I assume one of them should be DES_CBC_CRC), etc..

Thanks Jerry, i am still watching this topic and the conversation. Its interesting observation from @robertro-sit . In summary, to identify the legacy RC4 traffic we leverage the Audit logs and once its clean the settings can be applied Network security: Configure encryption types allowed. 

Open question:

1. Should this settings be applied on DCs only or other computer objects as well (Servers & Computers)

2. Does a keytab file leveraging RC4 is identified or captured in the Auditlog 4768, 4769 some way?

Thanks

shajeer

Great catch Shnitzel! - I have made the table corrections. 

Shaz_Blog - Once logging confirms tickets are no longer issued with RC4 you will want to use the "Configure encryption types allowed" policy to remove RC4 support for all domain members and not just the domain controllers.  After a Windows device processes that policy it will dynamically update the msDS-SupportedEncryptionTypes attribute on its own computer account.

If the keytab file is only being used to consume a service ticket (no authentication back to the domain), the 4768/4769 events will be no help in identifying keytabs which only support RC4.  However, if the keytab is being used to acquire TGTs from the KDC, the Ticket Encryption Type field in the 4768 will reflect encryption type used to perform the pre-authentication rather than the encryption used for the TGT.  I know that might not seem right so here is an example from my lab. 

 I used the "Configure encryption types allowed" policy to only allow RC4 on a Windows 10 computer.  When Bob logged on, he received an AES encrypted TGT but because his device only supported RC4 during pre-authentication the session key for the TGT was RC4.  As you can see the 4768 showed the Ticket Encryption Type field logged RC4 (session key\pre-auth) rather than AES which was the encryption type of the TGT.  However, the 4769 actually reflected the encryption type of the Service Ticket rather than the session key encryption type.

Thanks again  @Jerry Devore .. Helpful.
In this whole excersice of eliminating RC4 from the environment, we are dealing with Computer Objects (via Policy), TDO update etc... There is this AD User objects also carrying the similar attribute (msDS-SupportedEncryptionTypes). By default a user object being created is having value <not set>, meaning that it could accept RC4 only. However, i see that tickets are getting generated on AES for those accounts. In the whole process of eliminating RC4, Is there any action to be done on the user objects?

Just logged in as rc4tester and i am getting tickets on AES when checked using klist.

Hi Shaz_Blog - The ticket encryption type (TGT and Service Tickets) will be determined by the account linked to the tickets so their selected ecryption type has no bearing on the configuration of the user account requesting the tickets.  The session key used with those tickets are determined by configuration of the device where the inital pre-authentication originated from along with the encryption type supported by the account associated with the ticket.  The KDC will issue the session keys based on the highest supported encryption type of those two.  The KDC does not factor in the msDS-SupportedEncryptionTypes of the account requesting the tickets.  In your example rc4tester logged on to a device that is capable of AES so the session keys it recieved were AES.

Bottom line:  You don't need to worry about the value of msDS-SupportedEncryptionTypes on user accounts that do not have a SPN.  If it would make your security team feel better if normal user accounts were configured for AES you could set a value on the attribute but it will not make any difference.

@Jerry Devore I've applied the "Configure encryption types allowed" policy to remove RC4 support for all the domain controllers. On the Domain Controllers container. 

Did Gpupdate /force, restarted and waited for days on end yet the msDS-SupportedEncryptionTypes wasn't updated on the DC computer account object. 

But when I did it on the Default Domain policy it worked.

Why do you suppose is the issue here and why wasn't it updated? 

(Tried on 2 different domains) Running Server 2016. Same thing happened for some reason.

Edit : Works now, comment can be deleted.

@Jerry Devore 

Congratulations on the content presented.

But I was left with a doubt, my goal at the company I work for is just to disable the DES encryption algorithm. (we have Windows XP machines - Windows Server 2003) so I can't disable RC4.

I pulled a report and identified 208 machines with msDS-SupportedEncryptionTypes attribute with value 0x1F(31)

performing a comparison with my station the value is 0x1C (28)

To disable only the DES algorithm, I suggest you create a GPO allowing only RC4, AES ?

thanks

Hi @GuilhermeFranklin 

Using a GPO to only allow RC4 (disable DES) on your legacy devices is a good strategy.  Once the devices have processed the GPO you will notice the msDS-SupportedEncryptionTypes attribute is automatically updated on the respective computer objects.  The policy setting for that GPO is "Network security: Configure encyrption types allowed for Kerberos" which you will find under Local Policies \ Security Options.

You should also confirm that DES has not been enabled on any user accounts in your domain.  A quick way to perform that check is to run Get-ADUser -Filter {UserAccountControl -band 0x200000} form a PowerShell prompt.  For more information on that step check out Remove the highly insecure DES encryption from User accounts (recommended) | Microsoft Learn

Jerry

Following on from the advice in KB5021131: How to manage the Kerberos protocol changes related to CVE-2022-37966 (microsoft.com) about the November 2022 Kerberos changes for RC4 and the "quick query" posted earlier, this is a method to find accounts with the DES-only account flag or RC4 encryption type set explicitly (remembering that, at present, RC4 is still the default type when msDS-SupportedEncryptionTypes is set to 0).

#query properties into array for convenience
$props = "servicePrincipalName","pwdLastSet","description","displayName","distinguishedName","msDS-UserPasswordExpiryTimeComputed","userAccountControl","msDS-PrincipalName","msDS-SupportedEncryptionTypes","lastLogonTimestamp"
# query only users with SPNs, and with either DES-only UAC flag or RC4 specified in encryptiontypes
get-aduser -filter 'sAMAccountType -eq 805306368 -and servicePrincipalName -like "*" -and (useraccountcontrol -band 0x200000 -or msDS-SupportedEncryptionTypes -band 0x4)' -properties $props | select-object $props

To break it down a bit:

• Rather than returning ALL user accounts and discarding the ones without an SPN in the Where clause , the servicePrincipalname -like "*" filter clause returns only accounts from LDAP with an SPN.
• useraccountcontrol -band 0x200000 filters for accounts with the "Use only Kerberos Des encryption types" flag
• msDS-SupportedEncryptionTypes -band 0x4 filters accounts that have RC4 specifically enabled. Since it's a bitwise filter, the query will find accounts with only RC4, or RC4 along with other encryption types.

This is the output from a test account with RC4, AES128 and AES256 encryption types enabled (this example account doesn't have an SPN, so I omitted the '-and servicePrincipalName -like "*"' filter clause).

servicePrincipalName : {}
pwdLastSet : 133124575903507250
description :
displayName : test crypt
distinguishedname : CN=test crypt,OU=Generic,DC=dev,DC=example,DC=com
msDS-UserPasswordExpiryTimeComputed : 133202335903507250
userAccountControl : 512
msDS-PrincipalName : DEV\test_crypt
msDS-SupportedEncryptionTypes : 28
lastLogonTimestamp :

Note that msDS-SupportedEncryptionTypes is 28 on the account, which indicates the AES128 and AES256 types as well as RC4 (refer to the table in the article). If we change the bitwise filter to msDS-SupportedEncryptionTypes -band 0x10 (for AES256), the same account will also be found.

Here is the list of bitwise values to query each encryption type (from Ldapwiki: MsDS-SupportedEncryptionTypes:(

0x01 - DES-CBC-CRC
0x02 - DES-CBC-MD5
0x04 - RC4-HMAC
0x08 - AES128-CTS-HMAC-SHA1-96
0x10 - AES256-CTS-HMAC-SHA1-96

If you want to search combos of these, such as accounts that have AES128 and AES256 enabled, the hex codes for those in the table in the main article will work too, in this instance -band 0x18 (this also finds my test account, which has both those encryption types enabled along with RC4).

The Nov 8 update added a new registry key DefaultDomainSupportedEncTypes to define what msDS-SupportedEncryptionType undefined now is, which is 0x27 which enables DES-CBC-CRC,DES-CBC-MD5,DES-CBC-MD5 plus something else, but does not enable AES128/256. This means those of us who hardened to set only AES128/256 via SupportedEncryptionTypes have broken trusts now.

Edit: I was wrong about that new bit, there was an errata which has added AES256-CTS-HMAC-SHA1-96-SK (assuming SK stands for session Keys). From the sounds of it there's a bug somewhere else

Hi guys. This is an excellent article and series of comments. I have a strange situation related to the msDS-SupportedEncryptionTypes attribute on the AD object of one of our Windows Servers joined to AD. I discovered through an audit that this sever had a value of 31. The desired value is 28. I changed it, but within half an hour it had changed back to 31. This happened multiple times. After I turned the server off this behavior stopped, which means it has to be something on the server itself that is changing it. Anyone have an idea on why this is happening? Thanks again!

Hi Morgan, 

Potentially your computer object settings are overwritten caused by the GPO. The msDS-SupportedEncryptionTypes attribute is impacted caused by the GPO.
https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/networ...

@Shaz_Blog Thanks but would not a GPO affect settings on the machine itself, typically in the registry? What I am seeing is a change on the AD attribute of the computer object. Is there a known case where a local setting on a computer would cause it to change this attribute on its AD computer object? Also, I have no GPOs that apply to this particular server that change the Network security: Configure encryption types allowed for Kerberos policy.

Yes, the GPO has an impact on the attribute of the Computer Object. @Jerry Devore has explained that in this article itself... My guess is still towards a GPO, perhaps a GPResult can tick that out.

We have  many user objects that have a 0 in it.

Also my user account - if i type "klist" i get as session and encryption type= AES-256-CTS-HMAC-SHA1-96

Do i have to act on these settings? Where may they come from? It seems like that these are the "older" AD objects.

Hi @StephanGee - The session key selection is determined by which encryption type was used during the initial authentication (KRB_AS_REQ) which depends on the client devices setting and not the value of the user account's msDS-SupportedEncryptionTypes.  The ticket's encryption type will be determine by the msDS-SupportedEncryptionTypes attribute for the account associated with the ticket (e.g. service account with a SPN set).  Keep in mind the session key needs to be compatible with the client device and the device being authenticated to using the ticket.  The ticket need to be compatible with the device consuming those tickets (the service you are accessing).  The accounts with SPNs set (i.e. service accounts) are the user accounts you want to focus on.

@Jerry Devore So as i understand. At the moment i do not have to act on the things and fill in a 28 or even 24 into it? I will have a look into our SPNs

Hi @Jerry Devore ,

thanks for this very helpful post and your participation in the comments sections. Maybe you or someone else can bring some light to me on the following situation.

We've patched one of our DC's (Server 2019) with the 2022 November Update including the OOB update provided. Since the original update of the DC's users in this site are facing issues accessing on old NetApp filestore. Users from others sites, with unpatched 2019 DC's, are not facing issues accessing the file shares.

Looking at the kerberos tickets issued, we noticed, all DC's except the patched one issue Keberos tickets for this service with a RSADSI RC4-HMAC(NT) session key, whereas the patched DC is always issuing AES-256-CTS-HMAC-SHA1-96.

We've looked at the different registry keys and AD attributes and all are the same for all DC's.

Not working Ticket (2019 DC patched including OOB)

#1> Client: XXX @ XXX
Server: cifs/XXX@ XXX
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
Start Time: 11/23/2022 2:41:54 (local)
End Time: 11/23/2022 12:40:57 (local)
Renew Time: 11/30/2022 2:40:57 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0
Kdc Called: s001dc01.XXX

Working ticket (2019 DC unpatched)

#1> Client: XXX@ XXX
Server: cifs/XXX @ XXX
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
Start Time: 11/22/2022 19:36:37 (local)
End Time: 11/23/2022 5:33:52 (local)
Renew Time: 11/29/2022 19:33:52 (local)
Session Key Type: RSADSI RC4-HMAC(NT)
Cache Flags: 0
Kdc Called: s049dc05.xxx

 

Any idea where can have a look to bring the DC back to issuing RC4 sessions keys?

Thanks in advance for your help.

@FelixF we are troubleshooting an integration of NetApp with AD. After enabling AES encryption on NetApp (there is an article on how to do that), we noticed that TGT tickets are still encrypted with RC4 (we have 2016 DCs), but Service Tickets that NetApp is requesting are using AES encryption. Even after we set msDS-SupportedEncryptionTypes on krbtgt account to only support AES - it didn't have any impact.

According to the people managing NetApp, the article on NetApp page says "Even when AES encryption for Kerberos-based communication is enabled on vserver, Advertising the RC4 encryption type cannot be disabled". My guess is that by "advertising" the RC4 encryption type, they mean setting msDS-SupportedEncryptionTypes attribute on the computer object for NetApp storage. We have seen that after password reset, NetApp is writing msDS-SupportedEncryptionTypes attribute. We tried to manually change this attribute on the object, but it didn't help either.

In your case, please check that you have enabled AES encryption on NetApp storage. When you run the commands on NetApp, you need to have permissions to write password and msDS-SupportedEncryptionTypes attribute among others on the computer object for NetApp storage.
https://docs.netapp.com/us-en/ontap/smb-admin/enable-disable-aes-encryption-kerberos-task.html

If that config is already done, I'm curious what is the present value of msDS-SupportedEncryptionTypes attribute on the computer object for NetApp storage.

@FelixF  - The November update (11B.22) is causing the updated DCs to default to AES session keys.  In some cases you can resolve the issue by explictly setting RC4 in msDS-SupportedEncryptionTypes for the computer objects of the target (NetApp server in this case).  However,  the recommended approach would be to enable AES on the NetApp server as @RossUA mentioned.

@RossUA - " TGT tickets are still encrypted with RC4" - Are you seeing the ticket encryption reported as RC4 for the TGT or just the session key?  As you noticed setting msDS-SupportedEncryptionTypes for the KRBTGT account will not change the behavior for issued TGTs.  If you are seeing TGT tickets encrypted with RC4 the most likely explanatoin is that the KRBTGT account has not been reset since AES was supported by the domain (2008R2).

It would be unrestricted for Kerberos if the GPO for the "Network security: Configure encryption types allowed for Kerberos" policy is not defined.
Also, the msDS-SupportEncryptionTypes attribute for the KRBTGT not set(nothing).

Will the KRBTGT's encryption type remain the same as RC4 since we deployed the AD forest when it was Windows 2000 and raised the FL to the current? If so. What will happen to the KRBTGT's encryption with the following few months' patches since MS gradually changes to netlogon and Kerberos encryption? Will the patch change the encryption type to AES?

Thank you @Jerry Devore and  @RossUA . Your help is much appriciated. 

After changing msDS-SupportedEncryptionTypes to 0x4 (RC4_HMAC_MD5) , we're able to access the NetApp again. The session key now is RC4.

Thank you for your help, we'll check how to get rid of this configuration by either getting rid of the old NetApp or changing configuration of the NetApp to AES if possible.

@Jerry Devore we are only observing RC4 used for TGT tickets obtained by NetApp storage. It is reported in the event 4768 as Ticket Encryption Type 0x17. The vast majority of other computer and user accounts are using AES encryption for TGT tickets for a long time already. And we have changed the password for krbtgt several times during last 5 years.

Can you confirm if my understanding is correct. If the goal is to prevent Kerberoasting attack, then RC4 encryption in TGT is not a problem, since it is TGS ticket which is being attacked. And as long as all sensitive accounts with SPNs are configured with msDS-SupportedEncryptionTypes that only allows AES encryption and strong password, kerberoasting attack should not be successful. Does it make sense?

I have noticed that when I run the script I get a report that 8 accounts do not have the msDS-SupportedEncryptionTypes set. However, when I manually spot check, NONE of the user accounts have this field set. How should I interpret this?

Hi @RossUA - The Ticket Encryption Type reported in 4768 events is a bit misleading.  Through lab testing I have found that the field reflects the either the session key or the authenticator type used to acquire the TGT.  When you see 0x17 for a 4768 it does not mean the ticket itself was encrypted with RC4.  A 4769 (Service Ticket) will however correctly report the ticket encryption in the Ticket Encryption Type field.

Kerberoasting is targeted at Service Tickets but if the TGTs were issued with RC4 encryption and the KRBTGT account had a weak password TGTs would in theory be susceptible to the same attack.  Fortunately, the automatically generated passwords for KRBTGT are very strong and as long as the KRBTGT account has an AES key the KDC will issue TGT with AES.

Hi @MDZCOB - The script I posted (Comment on April 29 2021) is only looking for user accounts with SPNs set.  When you did your spot check were you looking at SPN enabled account or any user accounts.  The msDS-SupportedEncryptionTypes value for user accounts without a SPN does not matter given those user accounts do not "consume" service tickets and session key encryption type is determined by the configuration of the device and not the user account.

Hi All - Looking for some suggestions after the November 2022 changes to the KDC service.  Unfortunately I still have the need for some XP machines to function on our domain. I understand that the KDC service has logic to look at the operating system attributes and won't issue RC4 session keys to pre 2008 devices even when the msds-supportedencryptiontypes value is 4. A hack I found is to clear the XP OS attribute on the computer object. This allows the KDC to issue an RC4 session key for the XP service.

The last roadblock that I have is joining or rejoining a pre 2008 device to the domain.  Would anyone have any creative suggestions for the initial join to work?

MAybe the Part about "Support for AES ticket encryption was introduced with the release of Server 2008 / Windows 7 but it was not automatically enabled on domain accounts in order to ensure backward compatibility." should be rewritten with the NOV2022 Security updates, where AES is now the new default.

Hi,

What about user accounts with no password expiration? It's supposed that we have many accounts of that type that were created before we rotated the krbtgt password, so they still don't have AES keys generated. I think those accounts will fail once the patches are deployed. We can't easily change the password for that many accounts.

On the other hand, will Windows Server 2003 and Windows XP systems fail once the patches are deployed?

Thank you.

Running "klist" on my machine, I can see 2 (TGT?) tickets with the following information: Server: krbtgt/DOMAIN.COM @ DOMAIN.COM and KerbTicket Encryption Type: RSADSI RC4-HMAC(NT).

I understand that RC4 is deprecated, and all my other tickets are listed with AES256. The use of RC4-HMAC raises concerns for me, especially considering that Microsoft plans to turn off support for deprecated encryption with the July patch.

Is it because the krbtgt AD account has not been reset? Is there a risk associated with applying the July patch before resetting the krbtgt AD account?

First off all, great article! Thanks!

I'm actually convinced that the last row of Supported Encryption Types, 31 (0x1F), has an (Excel range?) typo. 

It should be: DES_CBC_CRC, DES_CBC_MD5, RC4-HMAC, AES128-CTS-HMAC-SHA1-96, AES256-CTS-HMAC-SHA1-96

or perhaps somewhat shorter: DES_CBC_CRC, DES_CBC_MD5, RC4, AES128, AES256

For a few years now I've seen many scripts passing by using your Supported Encryption Type list, and all of them copy-pasted the exact same descriptions, including the typo which is actually funny though ;)

Also, slightly off-topic, the https://docs.microsoft.com/en-us/archive/blogs/petergu/interpreting-the-supportedencryptiontypes-reg... link is out-dated. Perhaps you should use the following link: [MS-KILE]: Supported Encryption Types Bit Flags | Microsoft Learn

@azuser  - 

When the account you are using is enabled for delegation you will see two TGTs in your cache.  One will be your Primary TGT and the other will be marked as Forwardable.  Microsoft recommends that you check the “Account is sensitive and cannot be delegated” box for privileged accounts in order to prevent exposing a reusable copy of a TGT to a remote device.

Active Directory does not store the clear text password for any account by default.  That is why accounts which have not changed passwords since 2008R2 cannot have AES256 keys automatically generated after the domain has been upgraded to support AES.  The KRBTGT password does not rotate automatically  It is possible yours lacks AES keys.  This post provides some good details on performing that reset - https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/faqs-from-the-field-on-krbtg...

BTW – The July changes will not remove support for RC4 with Active Directory but the November update did change how the encryption type of session keys are selected.  The 5840 Event ID (The Netlogon service created a secure channel with a client with RC4) will warn you if RC4 is used with Netlogon secure channels to domain controller but those connections will not be blocked once the Netlogon changes are in enforcement mode.

@fedayn1 - 

The AES key derived for a user account are independent of the KRBTGT account.  It is ultimately dependent on what the domain controllers supported when the account password was last changed.

2003 and XP systems will continue to work given RC4 support is not going away (including for Netlogon Secure Channel connections as mentioned above).  However, you do have to factor in how the November 2022 update changed the defaults for session key encryption type.  Session key encryption for service tickets to Windows devices is now determined by the encryption type supported by the device used to request the service ticket.  As a result, you can end up with a service ticket for a 2003 \ XP device that is encrypted RC4 but the session key for the ticket is AES.  If that happens authentication will fail.  For example, a Windows 10 device will by default receive a AES session key with a service ticket for a 2003 server because it is capable of negotiating AES during the initial AS-REQ.

@San1978 - Great catch on the table.  The post has been up for nearly 3 years and nobody else has pointed that out.  I also upated the URL per your recommendation.

Wow! Just now, rereading the post and all the comments, besides some other misunderstandings, the following became clear to me. The November update 2022 has no affect on the encryption type of service tickets. It only affects session keys.... and here I was wondering why my IIS running as a service user (with empty msDS-SupportedEncryptionTypes value) was showing up as RC4 in klist.... are you aware of any plans on forcing AES for service tickets as well?

@David_Trevor  - The changes from Nov 22 (and Dec 22) where rough for organizations with legacy devices.  You are correct that it changed the logic for session key selection but not for the ticket encryption type.  I found many customers are tempted to configure msDS-SupportedEncryptionTypes on regular user accounts but that has no impact on the selection of the session key for keys aquired by the user.

To my knowledge there is no plan to change the ticket encryption logic to make AES is the default when msDS-SupportedEncryptionTypes is blank.  Changing that logic would be a bigger impact than change to session key selection.

Great information in the article and the comments; great to know there are such complete references out there.

    One question @Jerry Devore , we are trying to update all the supported ciphers on our internal domain and want to know which should come first, Remove the RC4 ciphers 1st, or set the msDS-SupportedEncryptionType value to AES only 1st?