-
标题
Kerberos not working in target domain after password migration/synchronization -
说明
After an account is migrated to the target domain with password migration, the target account cannot do Kerberos authentication in the target domain when RC4 is disabled in the target domain. RC4 is enabled in the target domain globally, but disabled on specific OU, where workstations are migrated to.
With RC4 turned on: Client is sending over TGS-REQ with 5 supported etype items:
- eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
- eTYPE-AES128-CTS-HMAC-SHA1-96 (17)
- eTYPE-ARCFOUR-HMAC-MD5 (23)
- eTYPE-ARCFOUR-HMAC-MD5-56 (24)
- eTYPE-ARCFOUR-HMAC-OLD-EXP (-135)
DC is responding with TGS-REP with the highest one selected: eTYPE-AES256-CTS-HMAC-SHA1-96 (18) Kerberos is done through AES256.
With RC4 turned off on OU, there are two scenarios:
1. For accounts created new in the current domain: Client is sending over TGS-REQ with 2 supported etype items:- eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
- eTYPE-AES128-CTS-HMAC-SHA1-96 (17)
DC is responding with TGS-REP with the highest one selected: eTYPE-AES256-CTS-HMAC-SHA1-96 (18) Kerberos is done through AES256.
2. For accounts that are migrated from the source domain:
Client is sending over TGS-REQ with 3 supported etype items:- eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
- eTYPE-AES128-CTS-HMAC-SHA1-96 (17)
- eTYPE-DES-CBC-MD5 (3)
DC is responding with KRB Error: KRB5KDC_ERR_ETYPE