
Please consider the Ticket Encryption Type field in the DC event logs instead of the msDS-SupportedEncryptionTypes attribute of an AD member

Open sebma opened this issue 1 year ago • 1 comment

Hi, on a Linux CentOS 7 AD member, I have forbidden weak_crypto algorithms:

$ grep -B1 allow_weak_crypto /etc/krb5.conf
[libdefaults]
 allow_weak_crypto = false

On the DC, I have seen the authentication in the event log, and the encryption type used is 0x12 (18), which corresponds to AES256-CTS-HMAC-SHA1-96 as specified in RFC 3962 section 7:

(screenshot: Kerberos_token_event)

Still, PingCastle is counting my server as a "DES enabled account":

(screenshot)

PingCastle seems to infer this information from the msDS-SupportedEncryptionTypes attribute, which lists all the encryption algorithms our CentOS 7.9 Linux supports, and which is actually 0x1F: DES_CBC_CRC, DES_CBC_MD5, RC4, AES 128, AES 256.

But that does NOT mean that my Linux is not actually "speaking" AES with the DC.

Do I have to set this msDS-SupportedEncryptionTypes attribute for all CentOS 7 servers after they have joined the AD, or is there another way?

sebma avatar May 02 '23 16:05 sebma

I would NOT change this, because the event log may not have any data when the accounts aren't being used at that moment. In some environments the event log only lasts for some minutes to hours because there are too many entries, or the logs are being collected.

Another fact is the ability to downgrade to a weaker algorithm. Some attacks may be able to force you to use the weaker one, and therefore the ability to use weaker protocols needs to be tested.

In addition to the current msDS-SupportedEncryptionTypes attribute check in PingCastle, I use https://github.com/takondo/11Bchecker/blob/main/Check-11Bissues.ps1. Maybe some details of this checker will come to PingCastle in the future, but for now the way PingCastle does the check is common and should not be changed, though it may be extended.

An-dir avatar May 25 '23 06:05 An-dir
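As an added example, not code from the PingCastle project or from anyone in this thread, the script below puts the two signals discussed here side by side: it decodes an msDS-SupportedEncryptionTypes value (the attribute check in the original report) into cipher flags, parses the "Ticket Encryption Type" field out of 4769 event text, and then lists the etypes an account advertises that never appear in the log, which is exactly the downgrade surface the reply above is talking about. The event text, account names and SPNs are constructed for the demo; the bit assignments follow Microsoft's documented msDS-SupportedEncryptionTypes flags and the Kerberos etype numbers used in DC events (0x12 = AES256-CTS-HMAC-SHA1-96).

```python
import re
from collections import Counter

# msDS-SupportedEncryptionTypes bit flags as documented by Microsoft (MS-KILE, KB5021131).
SUPPORTED_ENCTYPE_FLAGS = {
    0x01: "DES_CBC_CRC",
    0x02: "DES_CBC_MD5",
    0x04: "RC4_HMAC_MD5",
    0x08: "AES128_CTS_HMAC_SHA1_96",
    0x10: "AES256_CTS_HMAC_SHA1_96",
    0x20: "AES256_CTS_HMAC_SHA1_96_SK",
}
DES_FLAGS = 0x01 | 0x02

# Kerberos etype numbers as they appear in the "Ticket Encryption Type" field of events 4768/4769.
TICKET_ETYPES = {
    0x01: "DES_CBC_CRC",
    0x03: "DES_CBC_MD5",
    0x11: "AES128_CTS_HMAC_SHA1_96",
    0x12: "AES256_CTS_HMAC_SHA1_96",
    0x17: "RC4_HMAC_MD5",
    0x18: "RC4_HMAC_MD5_EXP",
}


def decode_supported_enctypes(value):
    """Return the cipher names advertised by an msDS-SupportedEncryptionTypes value."""
    if value is None:
        return []  # attribute unset: the KDC applies its own default, which is not modelled here
    names = [name for bit, name in SUPPORTED_ENCTYPE_FLAGS.items() if value & bit]
    leftover = value & ~sum(SUPPORTED_ENCTYPE_FLAGS)  # non-cipher bits (FAST, claims, ...)
    if leftover:
        names.append(f"other_flags=0x{leftover:x}")
    return names


def des_enabled(value):
    """Attribute-based check in the spirit of PingCastle: is either DES bit advertised?"""
    return value is not None and bool(value & DES_FLAGS)


# Within one 4769 event "Service Name" precedes "Ticket Encryption Type"; non-greedy match
# pairs each service with the etype of its own event.
EVENT_RE = re.compile(
    r"Service Name:\s*(?P<spn>\S+).*?Ticket Encryption Type:\s*(?P<etype>0x[0-9A-Fa-f]+)",
    re.S,
)


def observed_etypes(event_text, service_name):
    """Count the ticket etypes actually issued for one service in 4769 event text."""
    counts = Counter()
    for m in EVENT_RE.finditer(event_text):
        if m.group("spn").lower() != service_name.lower():
            continue
        code = int(m.group("etype"), 16)
        counts[TICKET_ETYPES.get(code, f"unknown(0x{code:x})")] += 1
    return counts


def compare(attribute_value, event_text, service_name):
    """Advertised (attribute) versus observed (event log) etypes for one service account."""
    advertised = {n for n in decode_supported_enctypes(attribute_value) if not n.startswith("other_flags")}
    observed = observed_etypes(event_text, service_name)
    return {
        "des_enabled_by_attribute": des_enabled(attribute_value),
        "advertised": sorted(advertised),
        "observed": dict(observed),
        "advertised_but_never_seen": sorted(advertised - set(observed)),
    }


# Constructed 4769 event text (hypothetical accounts and SPNs), reduced to the fields we parse.
SAMPLE_4769 = """\
A Kerberos service ticket was requested.
    Account Name:           alice@EXAMPLE.LOCAL
    Service Name:           host/centos7.example.local
    Ticket Encryption Type: 0x12
A Kerberos service ticket was requested.
    Account Name:           bob@EXAMPLE.LOCAL
    Service Name:           host/centos7.example.local
    Ticket Encryption Type: 0x12
A Kerberos service ticket was requested.
    Account Name:           svc_legacy@EXAMPLE.LOCAL
    Service Name:           cifs/oldfs.example.local
    Ticket Encryption Type: 0x17
"""

if __name__ == "__main__":
    # 0x1F is the value the reporter saw on the CentOS 7 computer object.
    print(compare(0x1F, SAMPLE_4769, "host/centos7.example.local"))
```

For the reporter's value the result shows AES256 as the only etype ever issued while DES_CBC_CRC, DES_CBC_MD5, RC4 and AES128 remain advertised and unused; the attribute check flags the account, the log check does not, and the gap between the two lists is what a downgrade would have to exploit. Clearing the attribute's DES and RC4 bits closes that gap independently of how much log history is retained.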

Not an issue. You are talking about the client side here. The issue is to request a DES Kerberos ticket at the DC, the server side.

vletoux avatar Jan 28 '24 18:01 vletoux