Kerberos
Windows Event Forwarding Transport Encryption with Kerberos?
Hello out there, I would like to use Windows Event Forwarding, but I have a requirement that the traffic between the Windows Event Collector and the endpoints should be encrypted. On Microsoft web pages I find contradictory statements about whether transport encryption exists for this. On one side they say that the connection is encrypted by Kerberos (probably by WinRM) (https://learn.microsoft.com/en-us/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection#are-wef-events-encrypted-i-see-an-httphttps-option), and on the other side that it is better to use IPSec or certificates to secure the transport of the log data. I had always understood Kerberos as an authentication protocol and not as a transport encryption protocol (at least not primarily). My question: Does Kerberos encrypt the log data between the Windows Event Collector and the endpoints, or only the authentication information of Kerberos?

Kerberos issue badoption on double hop
Hi all, we have an issue with client authentication using Kerberos in a 3-tier environment against an MS-SQL cluster via a WebService server (no IIS or PHP). I have looked at the behavior with netmon and fiddler. When calling the web application from the web service server, negotiation using Kerberos succeeds. If I try the same from a client, I see a valid ticket issued from KDC1 (Domain Controller 1) to the client. At the same time the WebService server gets a bad ticket with badoption 0xc from KDC2 (Domain Controller 2) in response. Basically it looks like a missing SPN. However, I have already checked this with Microsoft's SQL Configuration Manager - no errors. Does anyone have any idea?

NTLM authentication failed because the account was a member of the Protected User group
Hi everyone, we have two domains (A and B); each has its own forest and two domain controllers. There is a trust between the domains. Each admin has two Domain Admins accounts, one in each domain (like A\Admin and B\Admin). Domain A has a PAW, where the admins log on with A\Admin and manage both domains (A\Admin was delegated some rights in domain B). But sometimes the admins have to connect (via RDP) to some servers in the B domain using the B\Admin account. If an admin connects from his own computer (Windows 10), it fails because of NTLM authentication, which is not allowed for the members of the Protected Users group. Then the admins connect from the PAW and it works. In the logs I see another type of authentication - Kerberos!

Questions:
- why is NTLM used when connecting from Windows 10 and Kerberos from WS 2016 (not from all servers, but from the PAW only)?
- how to enable Kerberos authentication on Windows 10 to be able to connect to a server in another domain using credentials of this domain?

I've already set a policy "Send NTLMv2 response only, refuse LM and NTLM" - didn't help. To better understand my issue I drew a picture of infrastructure: Thank you in advance!