Intro
I was working together with Microsoft support on a customer's Active Directory, where users were unable to authenticate to DFS namespaces, applications and SQL Server services within the domain. The domain spanned 5 domain controllers throughout the world.
The customer first saw the issue when introducing new domain controllers to the domain: they moved all FSMO roles to the new domain controllers and decommissioned the old ones. Only 2 of the 5 domain controllers were replaced.
Most of the troubleshooting we did is not relevant for the fix, so I will jump ahead.
The issue
In the System event log on the primary domain controller, we saw event ID 4, “The Kerberos client received a KRB_AP_ERR_MODIFIED error”.
The customer had previously had another company implement Active Directory hardening configuration. The customer did not have any documentation from that company about what was hardened or how it was implemented.
Using the klist command in CMD on an affected client device, we could see that the issued ticket used RC4:

We opened secpol.msc on a member server in the domain and saw that the allowed Kerberos encryption types had been modified to allow AES and future encryption types (Security Settings > Local Policies > Security Options > Network Security – Configure encryption types allowed for Kerberos).

We did not find any Group Policy object that targeted the domain controllers with the same setting. However, we could see that the old domain controllers had had this hardening applied locally in secpol.msc, whereas the newer domain controllers had not, since it had never been implemented via Group Policy.
The setting in secpol.msc (or the equivalent in a GPO) modifies this key in REGEDIT:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters
- Additional Information: Ticket Encryption Type. This is the encryption type the KDC selected for the Service Ticket. If the target account does not have a value for msDS-SupportedEncryptionTypes, the encryption type will default to RC4.
This means that if the computer or user object in Active Directory has no value in msDS-SupportedEncryptionTypes, the KDC defaults to RC4 for service tickets to that account. That is why it is very important to also create a Group Policy object that targets all computer objects in the domain and selects the AES encryption types.
The solution
We simply added the same encryption type selection to a Group Policy object targeting the Domain Controllers OU (and verified that a GPO with the same setting targeting all computer objects was already in place). After running gpupdate /force in CMD and restarting the Kerberos Key Distribution Center (KDC) service on each of the new domain controllers, and running klist purge in CMD on the client devices, users were able to authenticate again.
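To catch the inconsistency described above before users are affected, and to verify the fix afterwards, the following audit script (an added example, not from the original post) reads the SupportedEncryptionTypes registry value on every domain controller, decodes the bitmask, and lists computer objects whose msDS-SupportedEncryptionTypes attribute is unset and would therefore fall back to RC4. It assumes the RSAT ActiveDirectory module is installed and that PowerShell remoting to the domain controllers is permitted.

```powershell
# Added audit script; assumes RSAT ActiveDirectory module and PowerShell remoting to the DCs.
Import-Module ActiveDirectory

# Bit values shared by msDS-SupportedEncryptionTypes and the SupportedEncryptionTypes registry value
$EncBits = @{ 0x1 = 'DES-CBC-CRC'; 0x2 = 'DES-CBC-MD5'; 0x4 = 'RC4-HMAC'; 0x8 = 'AES128'; 0x10 = 'AES256' }

function ConvertFrom-EncTypeMask {
    param([AllowNull()][int64]$Mask)
    # No value (or 0) means the KDC falls back to RC4 for tickets to that account
    if (-not $Mask) { return 'Not set (defaults to RC4)' }
    $names = @(foreach ($bit in ($EncBits.Keys | Sort-Object)) {
        if ($Mask -band $bit) { $EncBits[$bit] }
    })
    # Selecting AES128, AES256 and "Future encryption types" in the policy stores 0x7FFFFFF8,
    # so any bit above 0x10 is reported as "Future"
    if ($Mask -band 0x7FFFFFE0) { $names += 'Future' }
    return ($names -join ', ')
}

# 1. The value actually in effect on every DC (local secpol.msc and GPO both write this key)
$regPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
foreach ($dc in Get-ADDomainController -Filter *) {
    $value = Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
        (Get-ItemProperty -Path $using:regPath -Name SupportedEncryptionTypes -ErrorAction SilentlyContinue).SupportedEncryptionTypes
    }
    [pscustomobject]@{
        DC            = $dc.HostName
        RegistryValue = ('0x{0:X}' -f [int64]$value)
        EncTypes      = ConvertFrom-EncTypeMask $value
    }
}

# 2. Computer objects with no msDS-SupportedEncryptionTypes value: service tickets to them default to RC4
Get-ADComputer -Filter * -Properties msDS-SupportedEncryptionTypes |
    Where-Object { -not $_.'msDS-SupportedEncryptionTypes' } |
    Select-Object Name, @{ n = 'EncTypes'; e = { ConvertFrom-EncTypeMask $_.'msDS-SupportedEncryptionTypes' } }
```

A DC whose RegistryValue shows 0x0 or no AES bits, or a populated list in the second output after the computer-object GPO has applied, is the mismatch this post describes.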