Kerberos encryption and relation to repadmin

MatCollins posted this 2 weeks ago

Hello everybody,

In one of the child domains, I restricted Kerberos encryption to AES and future encryption (disabled RC4, ...). The domain controllers inside that domain replicated properly using repadmin.

However, at the parent domain, where RC4 is not disabled, it is not possible to replicate data. So fair enough, but I have some questions:

  • How is this encryption type selected, and when? I mean, after a restart an encryption type is selected and then the rest of the communication is based on this?
  • Why does the parent domain not switch to AES? (Because AES is enabled both at child and parent, and RC4 is only disabled at the child.) Why don't they agree on AES?
  • This encryption encrypts exactly what data? The Kerberos tickets themselves or the transmission of the tickets?

Thank you. :)

GuyTe posted this 1 weeks ago

Do you have AES explicitly enabled on the trust?

Guy


MatCollins posted this 1 weeks ago

Do you have AES explicitly enabled on the trust?

Haven't done that, but allow me to double-check that tomorrow. In the meantime, what about the questions? Any idea?


From: ActiveDir-owner@xxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxx] On Behalf Of matcollins66@xxxxxxxxxxxxxxxx
Sent: Monday, 9 October 2017 10:08
To: activedir@xxxxxxxxxxxxxxxx
Subject: [ActiveDir] Kerberos encryption and relation to repadmin


GuyTe posted this 1 weeks ago

I have not verified this using network traces, but this is where this is supposed to downgrade you to RC4:

From https://technet.microsoft.com/en-us/library/cc772815(v=ws.10).aspx#w2k3trkerbhowpzvx (scroll down to “Cross-Realm Authentication Between Two Realms”):

When a user with an account in West wants access to a server with an account in East, the process is:

  1. The Kerberos client on the user's workstation sends a request for a service ticket to the ticket-granting service in the user account's realm, West.
  2. The ticket-granting service in West determines that the desired server is not a security principal in its realm, so it replies by sending the client a referral ticket—a TGT encrypted with the inter-realm key that the KDC in West shares with the KDC in East.
     ← this is where you are downgraded to RC4, as the TDO is treated as if it does not support AES encryption unless the checkbox I mentioned earlier is checked, resulting in RC4-based inter-realm keys being selected and the referral TGT being encrypted using RC4.
  3. The client uses the referral ticket to prepare a second request for a service ticket, and this time sends the request to the ticket-granting service in the server account's realm, East.
  4. The ticket-granting service in East uses its copy of the inter-realm key to decrypt the referral ticket. If decryption is successful, it sends the client a service ticket to the desired server in its domain.

Guy
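An added example, not part of this thread, that checks the point raised in both of Guy's replies (whether AES is explicitly enabled on the trust): it reads the msDS-SupportedEncryptionTypes bitmask of every trustedDomain object (TDO) in the current domain and decodes it. It assumes the ActiveDirectory PowerShell module on a domain-joined machine; the helper name ConvertFrom-EncTypeMask is mine.

```powershell
# Added example (not from the thread). Decodes msDS-SupportedEncryptionTypes on
# each TDO so you can see whether the trust advertises AES at all. Bit values are
# the ones documented for msDS-SupportedEncryptionTypes (MS-KILE).
Import-Module ActiveDirectory

$EncTypeBits = @{
    1  = 'DES-CBC-CRC'               # 0x01
    2  = 'DES-CBC-MD5'               # 0x02
    4  = 'RC4-HMAC'                  # 0x04
    8  = 'AES128-CTS-HMAC-SHA1-96'   # 0x08
    16 = 'AES256-CTS-HMAC-SHA1-96'   # 0x10
}

function ConvertFrom-EncTypeMask {
    # Hypothetical helper (mine). Returns the names of the set bits. A missing or
    # zero attribute means the trust does not advertise AES, which is the RC4
    # downgrade of the referral TGT described in the post above.
    param([Nullable[int]]$Mask)
    if (-not $Mask) { return @('(not set: trust treated as RC4 only)') }
    $EncTypeBits.Keys | Sort-Object | Where-Object { $Mask -band $_ } |
        ForEach-Object { $EncTypeBits[$_] }
}

# TDOs live under CN=System in each domain; one per trust partner.
$systemDn = "CN=System,$((Get-ADDomain).DistinguishedName)"
$tdos = Get-ADObject -SearchBase $systemDn -LDAPFilter '(objectClass=trustedDomain)' `
    -Properties trustPartner, trustDirection, 'msDS-SupportedEncryptionTypes'

foreach ($tdo in $tdos) {
    $mask = $tdo.'msDS-SupportedEncryptionTypes'
    $raw  = if ($mask) { '0x{0:X}' -f $mask } else { '(none)' }
    [pscustomobject]@{
        TrustPartner  = $tdo.trustPartner
        Direction     = $tdo.trustDirection
        RawMask       = $raw
        EncTypes      = (ConvertFrom-EncTypeMask $mask) -join ', '
        AesAdvertised = [bool]($mask -band 0x18)   # either AES bit set
    }
}
```

The "The other domain supports Kerberos AES Encryption" checkbox in Active Directory Domains and Trusts and `ksetup /setenctypeattr <partner-domain> AES256-CTS-HMAC-SHA1-96 AES128-CTS-HMAC-SHA1-96` both write this attribute; check the TDO on each side of the trust, since each domain holds its own.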
