-
Titolo
Kerberos not working in target domain after password migration/synchronization -
Descrizione
After an account is migrated to the target domain with password migration, the target account cannot do Kerberos authentication in the target domain when RC4 is disabled in the target domain. RC4 is enabled in the target domain globally, but disabled on specific OU, where workstations are migrated to.
With RC4 turned on: Client is sending over TGS-REQ with 5 supported etype items:
- eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
- eTYPE-AES128-CTS-HMAC-SHA1-96 (17)
- eTYPE-ARCFOUR-HMAC-MD5 (23)
- eTYPE-ARCFOUR-HMAC-MD5-56 (24)
- eTYPE-ARCFOUR-HMAC-OLD-EXP (-135)
DC is responding with TGS-REP with the highest one selected: eTYPE-AES256-CTS-HMAC-SHA1-96 (18) Kerberos is done through AES256.
With RC4 turned off on OU, there are two scenarios:
1. For accounts created new in the current domain: Client is sending over TGS-REQ with 2 supported etype items:- eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
- eTYPE-AES128-CTS-HMAC-SHA1-96 (17)
DC is responding with TGS-REP with the highest one selected: eTYPE-AES256-CTS-HMAC-SHA1-96 (18) Kerberos is done through AES256.
2. For accounts that are migrated from the source domain:
Client is sending over TGS-REQ with 3 supported etype items:- eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
- eTYPE-AES128-CTS-HMAC-SHA1-96 (17)
- eTYPE-DES-CBC-MD5 (3)
DC is responding with KRB Error: KRB5KDC_ERR_ETYPE
Accesso richiesto
Per visualizzare gli articoli della Knowledge Base di livello avanzato, è necessario aver effettuato l'accesso e disporre di un contratto di manutenzione in essere.