Windows 10: Generate kerberos ticket with secure32.dll fails after disabling RC4_HMAC_MD5

Hi all,We use the secure32.dll to generate a kerberos ticket on a windows 2019 Server.After disabling the RC4 security advisory 2868725 the InitializeSecurityContext fails with error 2146892990How to work around this ?Any help is highly appreciated.TIA Dan

:)

 

Check for Valid Kerberos Ticket

Hello everyone,

I'm looking to be able to generate a command klist to check and see if a kerberos ticket is valid.

If the ticket is valid return 1 if a ticket is invalid return something a 0.

We are moving from Linux to Windows for this process but I have yet to find any documentation regarding how you would do this.

I would believe that a sample or model would be everywhere.

Regardless does anyone have some suggestions on getting this accomplished.

Regards,

Jonathan

 

Question about ciphers used in Kerberos ticket

Hi,

From time to time I would see monitoring system alerting on requests using RC4 cipher in Kerberos ticket:

Client server (client1) : Windows 2008 R2

Domain controller (dc1) : Windows 2016

Following is a sample capture from the monitoring system:

client : *** Email address is removed for privacy ***

dest_server: dc1

dest_port: 88

auth_ticket_cipher : aes256-cts-hmac-sha1-96

auth_ticket_ciphertext - xxxxxx

request_type : TGS

new_ticket_cipher: rc4-hmac

new_ticket_ciphertext: xxxxxxx

I'm wondering what determines the encryption cipher to to be used in a Kerberos ticket request? I've heard about Kerberoasting so I would like to know how to identify if such a request is normal or not, thanks.

Regards,

 

Kerberos Known Issue introduced with KB5007206 has incorrect public information

The November 2021 Known Issue "Authentication might fail on DCs with certain Kerberos delegation scenarios" introduced via Windows Updates states that "Kerberos delegation scenarios where a Kerberos client provides the front-end service with an evidence ticket are not impacted.", but this is false. I've just tested with Wireshark and klist, and I do see the front-end HTTP ticket there (it is not an S4U2Self ticket), and the KRB_AP_ERR_MODIFIED is still thrown. In short: this Known Issue breaks any Kerberos constrained delegation scenarios.

Has anyone else experienced this?