

Windows domain trust and krbtgt encryption type

Question

Friday, March 24, 2017 3:23 PM

We've created a one-way trust between a new Windows 2016 domain and an existing 2012R2 domain.  (users that exist in the 2012R2 domain can log into resources in the 2016 domain).  

My issue is when I run klist (on a client on the 2012R2 domain) I see that the krbtgt ticket is RSADSI RC4-HMAC(NT), which we don't feel is satisfactory.  All other tickets for things in the 2012R2 domain are AES-256-CTS-HMAC-SHA1-96.

I would appreciate any insight into how to configure the trust such that the krbtgt uses the more robust encryption type (I've looked all morning and cannot find it).

Thanks much.

All replies (6)

Monday, March 27, 2017 7:51 AM

Hi,

Please check 'DefaultEncryptionType' under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
If the Parameters key is not listed under Kerberos, you could create the key.

Entry: DefaultEncryptionType 
Type: REG_DWORD 

This value indicates the default encryption type for pre-authentication, e.g.:
  0x17 (hex) or 23 (decimal) is KERB_ETYPE_RC4_HMAC_NT
  0x18 (hex) or 24 (decimal) is KERB_ETYPE_AES256_CTS_HMAC_SHA1_96


Best Regards
Cartman
Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact [email protected]


Monday, March 27, 2017 3:40 PM

This should be set where?  On the client?  On the DC?

Thanks

Blake


Tuesday, March 28, 2017 1:37 AM

Hi,

Typically, client side.

Best Regards
Cartman
Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact [email protected]


Tuesday, March 28, 2017 7:44 PM

Unfortunately that didn't help. As part of related testing I've set up a trust between two 2016 domains and see the same behavior.

1>     Client: blake @ SHENANDOAH.XXXXXXXXXX
       Server: krbtgt/EDGE.XXXXXXXXX @ SHENANDOAH.XXXXXXXXXXX
       KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
       Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize
       Start Time: 3/28/2017 15:36:51 (local)
       End Time:   3/29/2017 1:36:51 (local)
       Renew Time: 4/4/2017 15:36:51 (local)
       Session Key Type: RSADSI RC4-HMAC(NT)
       Cache Flags: 0
       Kdc Called: PINNACLE


Thursday, March 30, 2017 5:44 PM

I was able to make some progress on this (for my test setup anyway) by setting the valid Kerberos values in GP for both domains.

https://blogs.msdn.microsoft.com/openspecification/2011/05/30/windows-configurations-for-kerberos-supported-encryption-type/
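A check for the situation described in this thread, added here as an example (PowerShell written for this page, not code from the thread or from Microsoft): it decodes the msDS-SupportedEncryptionTypes bit flags on each trust object and the GPO-written SupportedEncryptionTypes policy value, and flags any krbtgt ticket in klist that is still RC4. Attribute, registry key and value names are the documented Windows ones; the function name is my own.

```powershell
# Added example: decode Kerberos etype bit flags (values per MS-KILE) and report what
# in this domain still allows RC4 for the krbtgt ticket. Helper names are mine;
# attribute, policy key and value names are the documented Windows ones.
$EtypeBits = [ordered]@{
    1  = 'DES-CBC-CRC'
    2  = 'DES-CBC-MD5'
    4  = 'RC4-HMAC'
    8  = 'AES128-CTS-HMAC-SHA1-96'
    16 = 'AES256-CTS-HMAC-SHA1-96'
}

function ConvertFrom-EtypeMask {
    param([int]$Mask)
    # An unset attribute reads as 0; on a trust object that means the KDC treats the
    # other domain as RC4-only, which is what produces the RC4 referral TGT above.
    if ($Mask -eq 0) { return @('(not set: RC4 only)') }
    $EtypeBits.Keys | Where-Object { $Mask -band $_ } | ForEach-Object { $EtypeBits[$_] }
}

# 1. Value written by the GPO 'Network security: Configure encryption types allowed
#    for Kerberos' (the setting applied in both domains in the reply above).
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
$Policy = (Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue).SupportedEncryptionTypes
"Local policy SupportedEncryptionTypes = $Policy : $((ConvertFrom-EtypeMask $Policy) -join ', ')"

# 2. Each trust's msDS-SupportedEncryptionTypes governs the etype of the cross-realm
#    krbtgt/<other-domain> ticket the KDC issues; flag trusts without AES bits (8|16).
Import-Module ActiveDirectory
Get-ADObject -LDAPFilter '(objectClass=trustedDomain)' -Properties msDS-SupportedEncryptionTypes |
    ForEach-Object {
        $mask = [int]$_.'msDS-SupportedEncryptionTypes'
        [pscustomobject]@{
            Trust  = $_.Name
            Mask   = $mask
            Etypes = (ConvertFrom-EtypeMask $mask) -join ', '
            AES    = (($mask -band 24) -ne 0)
        }
    } | Format-Table -AutoSize

# 3. Ticket cache on this client: any krbtgt ticket (own realm or referral) still on RC4.
#    Relies on klist printing 'KerbTicket Encryption Type' on the line after 'Server:'.
klist | Select-String -Pattern 'Server: krbtgt/' -Context 0, 1 | ForEach-Object {
    $enc = $_.Context.PostContext -join ' '
    if ($enc -match 'RC4') { "RC4 krbtgt ticket: $($_.Line.Trim())" }
}
```

The AES bits on a trust object are set on each side of the trust, either with the "The other domain supports Kerberos AES Encryption" checkbox in Active Directory Domains and Trusts or with `ksetup /setenctypeattr <domain> AES128-CTS-HMAC-SHA1-96 AES256-CTS-HMAC-SHA1-96` on a DC; existing tickets keep their old etype until they are purged or expire.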


Friday, March 31, 2017 2:07 AM

Hi,

Thank you for sharing with us.

Best Regards
Cartman
Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact [email protected]