Certipy
ESC4 EKU KDC_ERR_INCONSISTENT_KEY_PURPOSE
Hi, I have an ESC4 that I downgrade using certipy4 template options. After the request, when I use the auth option I get this error: "Got error while trying to request TGT: Kerberos SessionError: KDC_ERR_INCONSISTENT_KEY_PURPOSE(Certificate cannot be used for PKINIT client authentication)". Is having ESC4 enough to patch the EKU?
Before the template change, the EKU was: Extended Key Usage : Server Authentication
After the template change, the EKU is not there: Extended Key Usage is gone from the template.
Thanks.
Not sure what's going on. I reverted it and changed the following properties manually using https://github.com/fortalice/modifyCertTemplate
pKIExtendedKeyUsage: Client Authentication, Server Authentication
msPKI-Certificate-Application-Policy: Client Authentication, Server Authentication
but I still have the same error: "KDC_ERR_INCONSISTENT_KEY_PURPOSE(Certificate cannot be used for PKINIT client authentication)"
So I was able to get this attack to work by using modifyCertTemplate and waiting like 5 minutes-ish (1x CA environment). I also modified the pKIExtendedKeyUsage and msPKI-Certificate-Application-Policy to be identical. You could also just try implementing the Any Purpose EKU instead of Client Authentication to cover more oddities.
Even for reverting the changes, I noticed there was a time delay. This is all anecdotal evidence, but resolved my issue here.
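For defenders watching for the kind of template change discussed in this thread, the following is an added example, not code from the thread or from Certipy. It compares two snapshots of a template's pKIExtendedKeyUsage and msPKI-Certificate-Application-Policy values and reports changes worth reviewing; the function name, the snapshot format (attribute name mapped to a list of OIDs) and the sample data are assumptions made for illustration.

```python
# Added example: review a change to a certificate template's EKU attributes.
# Snapshots are assumed to be dicts of attribute name -> list of OID strings,
# e.g. exported from the template object before and after a modification.

# EKUs that make an issued certificate usable for client logon.
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2": "Client Authentication",
    "1.3.6.1.4.1.311.20.2.2": "Smart Card Logon",
    "1.3.6.1.5.2.3.4": "PKINIT Client Authentication",
    "2.5.29.37.0": "Any Purpose",
}
EKU_ATTRS = ("pKIExtendedKeyUsage", "msPKI-Certificate-Application-Policy")
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"


def review_template_change(before, after):
    """Return a list of findings for the EKU-related differences."""
    findings = []
    for attr in EKU_ATTRS:
        old, new = set(before.get(attr, [])), set(after.get(attr, []))
        if old == new:
            continue
        for oid in sorted(new - old):
            if oid in AUTH_EKUS:
                findings.append(f"{attr}: added {AUTH_EKUS[oid]} ({oid})")
            else:
                findings.append(f"{attr}: added {oid}")
        if old and not new:
            findings.append(f"{attr}: all EKUs removed")
    # The thread notes the two attributes were set to identical values;
    # a template where they disagree after a change deserves a second look.
    eku, policy = (set(after.get(a, [])) for a in EKU_ATTRS)
    if eku != policy:
        findings.append("EKU attributes differ from each other after change")
    return findings


# Constructed sample snapshots (not real directory data).
BEFORE = {a: [SERVER_AUTH] for a in EKU_ATTRS}
AFTER_ADDED = {a: [CLIENT_AUTH, SERVER_AUTH] for a in EKU_ATTRS}
AFTER_REMOVED = {a: [] for a in EKU_ATTRS}
AFTER_MISMATCH = {EKU_ATTRS[0]: [CLIENT_AUTH, SERVER_AUTH],
                  EKU_ATTRS[1]: [SERVER_AUTH]}

if __name__ == "__main__":
    for name, snap in [("added", AFTER_ADDED), ("removed", AFTER_REMOVED),
                       ("mismatch", AFTER_MISMATCH)]:
        print(name, review_template_change(BEFORE, snap))
```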
Could you please solve this error through the above method: KDC_ERR_INCONSISTENT_KEY_PURPOSE? Looking forward to your reply.