___ Generates And Issues Session Keys In Kerberos
___ Generates And Issues Session Keys In Kerberos 3,8/5 6870 reviews

Kerberos can use a variety of cipher algorithms to protect data. AKerberos encryption type (also known as an enctype) is aspecific combination of a cipher algorithm with an integrity algorithmto provide both confidentiality and integrity to data.

The salt is a public piece of data which acts as a variation to the KDF; this is equivalent to saying that there are many distinct KDF, and the salt says which one you use.In your scenario, you do not have the first protection: the resulting public key is, by nature, public, and thus can serve for offline dictionary attacks. Parallelism is about attacking N passwords (not necessarily simultaneously) for less than N times the cost of attacking one (precomputed tables are a kind of parallelism). C# rsa public key.

Oct 05, 2018  It finally issues a Ticket-Granting Ticket, generates and shares Ticket-Granting Session Key with the User. The Authentication Server responds to the User’s request with two messages. Sep 28, 2004  The KDC will generate the session key5 and distribute it to both entities. After the KDC has generated the session key, it must communicate it to both Alice and the resource server. To secure the transport of the session key to a particular entity, Kerberos encrypts it with the master key of.

Enctypes in requests¶

Clients make two types of requests (KDC-REQ) to the KDC: AS-REQs andTGS-REQs. The client uses the AS-REQ to obtain initial tickets(typically a Ticket-Granting Ticket (TGT)), and uses the TGS-REQ toobtain service tickets.

The KDC uses three different keys when issuing a ticket to a client:

  • The long-term key of the service: the KDC uses this to encrypt theactual service ticket. The KDC only uses the first long-term key inthe most recent kvno for this purpose.
  • The session key: the KDC randomly chooses this key and places onecopy inside the ticket and the other copy inside the encrypted partof the reply.
  • The reply-encrypting key: the KDC uses this to encrypt the reply itsends to the client. For AS replies, this is a long-term key of theclient principal. For TGS replies, this is either the session key of theauthenticating ticket, or a subsession key.

Each of these keys is of a specific enctype.

Each request type allows the client to submit a list of enctypes thatit is willing to accept. For the AS-REQ, this list affects both thesession key selection and the reply-encrypting key selection. For theTGS-REQ, this list only affects the session key selection.

Session key selection¶

The KDC chooses the session key enctype by taking the intersection ofits permitted_enctypes list, the list of long-term keys for themost recent kvno of the service, and the client’s requested list ofenctypes.

Starting in krb5-1.11, it is possible to set a string attribute on aservice principal to control what session key enctypes the KDC mayissue for service tickets for that principal. See set_stringin kadmin for details.

Choosing enctypes for a service¶

Generally, a service should have a key of the strongestenctype that both it and the KDC support. If the KDC is running arelease earlier than krb5-1.11, it is also useful to generate anadditional key for each enctype that the service can support. The KDCwill only use the first key in the list of long-term keys for encryptingthe service ticket, but the additional long-term keys indicate theother enctypes that the service supports.

As noted above, starting with release krb5-1.11, there are additionalconfiguration settings that control session key enctype selectionindependently of the set of long-term keys that the KDC has stored fora service principal.

Configuration variables¶

The following [libdefaults] settings in krb5.conf willaffect how enctypes are chosen.

allow_weak_crypto
defaults to false starting with krb5-1.8. When false, removesweak enctypes from permitted_enctypes,default_tkt_enctypes, and default_tgs_enctypes. Do notset this to true unless the use of weak enctypes is anacceptable risk for your environment and the weak enctypes arerequired for backward compatibility.
permitted_enctypes
controls the set of enctypes that a service will permit forsession keys and for ticket and authenticator encryption. The KDCand other programs that access the Kerberos database will ignorekeys of non-permitted enctypes. Starting in release 1.18, thissetting also acts as the default for default_tkt_enctypes anddefaut_tgs_enctypes.
default_tkt_enctypes
controls the default set of enctypes that the Kerberos clientlibrary requests when making an AS-REQ. Do not set this unlessrequired for specific backward compatibility purposes; stalevalues of this setting can prevent clients from taking advantageof new stronger enctypes when the libraries are upgraded.
default_tgs_enctypes
controls the default set of enctypes that the Kerberos clientlibrary requests when making a TGS-REQ. Do not set this unlessrequired for specific backward compatibility purposes; stalevalues of this setting can prevent clients from taking advantageof new stronger enctypes when the libraries are upgraded.

The following per-realm setting in kdc.conf affects thegeneration of long-term keys.

supported_enctypes
controls the default set of enctype-salttype pairs that kadmindwill use for generating long-term keys, either randomly or frompasswords

Enctype compatibility¶

See Encryption types for additional information about enctypes.

enctypeweak?krb5Windows
des-cbc-crcweak<1.18>=2000
des-cbc-md4weak<1.18?
des-cbc-md5weak<1.18>=2000
des3-cbc-sha1>=1.1none
arcfour-hmac>=1.3>=2000
arcfour-hmac-expweak>=1.3>=2000
aes128-cts-hmac-sha1-96>=1.3>=Vista
aes256-cts-hmac-sha1-96>=1.3>=Vista
aes128-cts-hmac-sha256-128>=1.15none
aes256-cts-hmac-sha384-192>=1.15none
camellia128-cts-cmac>=1.9none
camellia256-cts-cmac>=1.9none

krb5 releases 1.18 and later do not support single-DES. krb5 releases1.8 and later disable the single-DES enctypes by default. MicrosoftWindows releases Windows 7 and later disable single-DES enctypes bydefault.

-->

Applies to

  • Windows 10
  • Windows Server 2016

Subcategory:Audit Kerberos Authentication Service

Event Description:

This event generates every time Key Distribution Center issues a Kerberos Ticket Granting Ticket (TGT).

This event generates only on domain controllers.

__ generates and issues session keys in kerberos windows 10

If TGT issue fails then you will see Failure event with Result Code field not equal to “0x0”.

This event doesn't generate for Result Codes: 0x10, 0x17 and 0x18. Event “4771: Kerberos pre-authentication failed.” generates instead.

Note For recommendations, see Security Monitoring Recommendations for this event.


Event XML:

Required Server Roles:Generate private key ssh from public key. Active Directory domain controller.

Minimum OS Version: Windows Server 2008.

Event Versions: 0.

Issues

Field Descriptions:

Account Information:

  • Account Name [Type = UnicodeString]: the name of account, for which (TGT) ticket was requested. Computer account name ends with $ character.

    • User account example: dadmin

    • Computer account example: WIN81$

  • Supplied Realm Name [Type = UnicodeString]: the name of the Kerberos Realm that Account Name belongs to. This can appear in a variety of formats, including the following:

    • Domain NETBIOS name example: CONTOSO

    • Lowercase full domain name: contoso.local

    • Uppercase full domain name: CONTOSO.LOCAL

Note A Kerberos Realm is a set of managed nodes that share the same Kerberos database. The Kerberos database resides on the Kerberos master computer system, which should be kept in a physically secure room. Active Directory domain is the example of Kerberos Realm in the Microsoft Windows Active Directory world.

  • User ID [Type = SID]: SID of account for which (TGT) ticket was requested. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.

    For example: CONTOSOdadmin or CONTOSOWIN81$.

    • NULL SID – this value shows in 4768 Failure events.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.

Service Information:

  • Service Name [Type = UnicodeString]: the name of the service in the Kerberos Realm to which TGT request was sent. Typically has value “krbtgt” for TGT requests, which means Ticket Granting Ticket issuing service.

    • For Failure events Service Name typically has the following format: krbtgt/REALM_NAME. For example: krbtgt/CONTOSO.
  • Service ID [Type = SID]: SID of the service account in the Kerberos Realm to which TGT request was sent. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.

    Domain controllers have a specific service account (krbtgt) that is used by the Key Distribution Center (KDC) service to issue Kerberos tickets. It has a built-in, pre-defined SID: S-1-5-21-DOMAIN_IDENTIFIER-502.

    • NULL SID – this value shows in 4768 Failure events.

Network Information:

  • Client Address [Type = UnicodeString]: IP address of the computer from which the TGT request was received. Formats vary, and include the following:

    • IPv6 or IPv4 address.

    • ::ffff:IPv4_address.

    • ::1 - localhost.

  • Client Port [Type = UnicodeString]: source port number of client network connection (TGT request connection).

    • 0 for local (localhost) requests.

Additional information:

  • Ticket Options [Type = HexInt32]: this is a set of different ticket flags in hexadecimal format.

    Example:

    • Ticket Options: 0x40810010

    • Binary view: 01000000100000010000000000010000

    • Using MSB 0 bit numbering we have bit 1, 8, 15 and 27 set = Forwardable, Renewable, Canonicalize, Renewable-ok.

Note In the table below “MSB 0” bit numbering is used, because RFC documents use this style. In “MSB 0” style bit numbering begins from left.

The most common values:

  • 0x40810010 - Forwardable, Renewable, Canonicalize, Renewable-ok

  • 0x40810000 - Forwardable, Renewable, Canonicalize

  • 0x60810010 - Forwardable, Forwarded, Renewable, Canonicalize, Renewable-ok

BitFlag NameDescription
0Reserved-
1Forwardable(TGT only). Tells the ticket-granting service that it can issue a new TGT—based on the presented TGT—with a different network address based on the presented TGT.
2ForwardedIndicates either that a TGT has been forwarded or that a ticket was issued from a forwarded TGT.
3Proxiable(TGT only). Tells the ticket-granting service that it can issue tickets with a network address that differs from the one in the TGT.
4ProxyIndicates that the network address in the ticket is different from the one in the TGT used to obtain the ticket.
5Allow-postdatePostdated tickets SHOULD NOT be supported in KILE (Microsoft Kerberos Protocol Extension).
6PostdatedPostdated tickets SHOULD NOT be supported in KILE (Microsoft Kerberos Protocol Extension).
7InvalidThis flag indicates that a ticket is invalid, and it must be validated by the KDC before use. Application servers must reject tickets which have this flag set.
8RenewableUsed in combination with the End Time and Renew Till fields to cause tickets with long life spans to be renewed at the KDC periodically.
9InitialIndicates that a ticket was issued using the authentication service (AS) exchange and not issued based on a TGT.
10Pre-authentIndicates that the client was authenticated by the KDC before a ticket was issued. This flag usually indicates the presence of an authenticator in the ticket. It can also flag the presence of credentials taken from a smart card logon.
11Opt-hardware-authThis flag was originally intended to indicate that hardware-supported authentication was used during pre-authentication. This flag is no longer recommended in the Kerberos V5 protocol. KDCs MUST NOT issue a ticket with this flag set. KDCs SHOULD NOT preserve this flag if it is set by another KDC.
12Transited-policy-checkedKILE MUST NOT check for transited domains on servers or a KDC. Application servers MUST ignore the TRANSITED-POLICY-CHECKED flag.
13Ok-as-delegateThe KDC MUST set the OK-AS-DELEGATE flag if the service account is trusted for delegation.
14Request-anonymousKILE not use this flag.
15Name-canonicalizeIn order to request referrals the Kerberos client MUST explicitly request the 'canonicalize' KDC option for the AS-REQ or TGS-REQ.
16-25Unused-
26Disable-transited-checkBy default the KDC will check the transited field of a TGT against the policy of the local realm before it will issue derivative tickets based on the TGT. If this flag is set in the request, checking of the transited field is disabled. Tickets issued without the performance of this check will be noted by the reset (0) value of the TRANSITED-POLICY-CHECKED flag, indicating to the application server that the transited field must be checked locally. KDCs are encouraged but not required to honor
the DISABLE-TRANSITED-CHECK option.
Should not be in use, because Transited-policy-checked flag is not supported by KILE.
27Renewable-okThe RENEWABLE-OK option indicates that a renewable ticket will be acceptable if a ticket with the requested life cannot otherwise be provided, in which case a renewable ticket may be issued with a renew-till equal to the requested end time. The value of the renew-till field may still be limited by local limits, or limits selected by the individual principal or server.
28Enc-tkt-in-skeyNo information.
29Unused-
30RenewThe RENEW option indicates that the present request is for a renewal. The ticket provided is encrypted in the secret key for the server on which it is valid. This option will only be honored if the ticket to be renewed has its RENEWABLE flag set and if the time in it’s renew-till field has not passed. The ticket to be renewed is passed in the padata field as part of the authentication header.
31ValidateThis option is used only by the ticket-granting service. The VALIDATE option indicates that the request is to validate a postdated ticket. Should not be in use, because postdated tickets are not supported by KILE.

__ Generates And Issues Session Keys In Kerberos History

Table 2. Kerberos ticket flags.

NoteKILE(Microsoft Kerberos Protocol Extension) – Kerberos protocol extensions used in Microsoft operating systems. These extensions provide additional capability for authorization information including group memberships, interactive logon information, and integrity levels.

  • Result Code [Type = HexInt32]: hexadecimal result code of TGT issue operation. The “Table 3. TGT/TGS issue error codes.” contains the list of the most common error codes for this event.
CodeCode NameDescriptionPossible causes
0x0KDC_ERR_NONENo errorNo errors were found.
0x1KDC_ERR_NAME_EXPClient's entry in KDC database has expiredNo information.
0x2KDC_ERR_SERVICE_EXPServer's entry in KDC database has expiredNo information.
0x3KDC_ERR_BAD_PVNORequested Kerberos version number not supportedNo information.
0x4KDC_ERR_C_OLD_MAST_KVNOClient's key encrypted in old master keyNo information.
0x5KDC_ERR_S_OLD_MAST_KVNOServer's key encrypted in old master keyNo information.
0x6KDC_ERR_C_PRINCIPAL_UNKNOWNClient not found in Kerberos databaseThe username doesn’t exist.
0x7KDC_ERR_S_PRINCIPAL_UNKNOWNServer not found in Kerberos databaseThis error can occur if the domain controller cannot find the server’s name in Active Directory. This error is similar to KDC_ERR_C_PRINCIPAL_UNKNOWN except that it occurs when the server name cannot be found.
0x8KDC_ERR_PRINCIPAL_NOT_UNIQUEMultiple principal entries in KDC databaseThis error occurs if duplicate principal names exist. Unique principal names are crucial for ensuring mutual authentication. Thus, duplicate principal names are strictly forbidden, even across multiple realms. Without unique principal names, the client has no way of ensuring that the server it is communicating with is the correct one.
0x9KDC_ERR_NULL_KEYThe client or server has a null key (master key)No master key was found for client or server. Usually it means that administrator should reset the password on the account.
0xAKDC_ERR_CANNOT_POSTDATETicket (TGT) not eligible for postdatingThis error can occur if a client requests postdating of a Kerberos ticket. Postdating is the act of requesting that a ticket’s start time be set into the future.
It also can occur if there is a time difference between the client and the KDC.
0xBKDC_ERR_NEVER_VALIDRequested start time is later than end timeThere is a time difference between the KDC and the client.
0xCKDC_ERR_POLICYRequested start time is later than end timeThis error is usually the result of logon restrictions in place on a user’s account. For example workstation restriction, smart card authentication requirement or logon time restriction.
0xDKDC_ERR_BADOPTIONKDC cannot accommodate requested optionImpending expiration of a TGT.
The SPN to which the client is attempting to delegate credentials is not in its Allowed-to-delegate-to list
0xEKDC_ERR_ETYPE_NOTSUPPKDC has no support for encryption typeIn general, this error occurs when the KDC or a client receives a packet that it cannot decrypt.
0xFKDC_ERR_SUMTYPE_NOSUPPKDC has no support for checksum typeThe KDC, server, or client receives a packet for which it does not have a key of the appropriate encryption type. The result is that the computer is unable to decrypt the ticket.
0x10KDC_ERR_PADATA_TYPE_NOSUPPKDC has no support for PADATA type (pre-authentication data)Smart card logon is being attempted and the proper certificate cannot be located. This can happen because the wrong certification authority (CA) is being queried or the proper CA cannot be contacted.
It can also happen when a domain controller doesn’t have a certificate installed for smart cards (Domain Controller or Domain Controller Authentication templates).
This error code cannot occur in event “4768. A Kerberos authentication ticket (TGT) was requested”. It occurs in “4771. Kerberos pre-authentication failed” event.
0x11KDC_ERR_TRTYPE_NO_SUPPKDC has no support for transited typeNo information.
0x12KDC_ERR_CLIENT_REVOKEDClient’s credentials have been revokedThis might be because of an explicit disabling or because of other restrictions in place on the account. For example: account disabled, expired, or locked out.
0x13KDC_ERR_SERVICE_REVOKEDCredentials for server have been revokedNo information.
0x14KDC_ERR_TGT_REVOKEDTGT has been revokedSince the remote KDC may change its PKCROSS key while there are PKCROSS tickets still active, it SHOULD cache the old PKCROSS keys until the last issued PKCROSS ticket expires. Otherwise, the remote KDC will respond to a client with a KRB-ERROR message of type KDC_ERR_TGT_REVOKED. See RFC1510 for more details.
0x15KDC_ERR_CLIENT_NOTYETClient not yet valid—try again laterNo information.
0x16KDC_ERR_SERVICE_NOTYETServer not yet valid—try again laterNo information.
0x17KDC_ERR_KEY_EXPIREDPassword has expired—change password to resetThe user’s password has expired.
This error code cannot occur in event “4768. A Kerberos authentication ticket (TGT) was requested”. It occurs in “4771. Kerberos pre-authentication failed” event.
0x18KDC_ERR_PREAUTH_FAILEDPre-authentication information was invalidThe wrong password was provided.
This error code cannot occur in event “4768. A Kerberos authentication ticket (TGT) was requested”. It occurs in “4771. Kerberos pre-authentication failed” event.
0x19KDC_ERR_PREAUTH_REQUIREDAdditional pre-authentication requiredThis error often occurs in UNIX interoperability scenarios. MIT-Kerberos clients do not request pre-authentication when they send a KRB_AS_REQ message. If pre-authentication is required (the default), Windows systems will send this error. Most MIT-Kerberos clients will respond to this error by giving the pre-authentication, in which case the error can be ignored, but some clients might not respond in this way.
0x1AKDC_ERR_SERVER_NOMATCHKDC does not know about the requested serverNo information.
0x1DKDC_ERR_SVC_UNAVAILABLEKDC is unavailableNo information.
0x1FKRB_AP_ERR_BAD_INTEGRITYIntegrity check on decrypted field failedThe authenticator was encrypted with something other than the session key. The result is that the client cannot decrypt the resulting message. The modification of the message could be the result of an attack or it could be because of network noise.
0x20KRB_AP_ERR_TKT_EXPIREDThe ticket has expiredThe smaller the value for the “Maximum lifetime for user ticket” Kerberos policy setting, the more likely it is that this error will occur. Because ticket renewal is automatic, you should not have to do anything if you get this message.
0x21KRB_AP_ERR_TKT_NYVThe ticket is not yet validThe ticket presented to the server is not yet valid (in relationship to the server time). The most probable cause is that the clocks on the KDC and the client are not synchronized.
If cross-realm Kerberos authentication is being attempted, then you should verify time synchronization between the KDC in the target realm and the KDC in the client realm, as well.
0x22KRB_AP_ERR_REPEATThe request is a replayThis error indicates that a specific authenticator showed up twice — the KDC has detected that this session ticket duplicates one that it has already received.
0x23KRB_AP_ERR_NOT_USThe ticket is not for usThe server has received a ticket that was meant for a different realm.
0x24KRB_AP_ERR_BADMATCHThe ticket and authenticator do not matchThe KRB_TGS_REQ is being sent to the wrong KDC.
There is an account mismatch during protocol transition.
0x25KRB_AP_ERR_SKEWThe clock skew is too greatThis error is logged if a client computer sends a timestamp whose value differs from that of the server’s timestamp by more than the number of minutes found in the “Maximum tolerance for computer clock synchronization” setting in Kerberos policy.
0x26KRB_AP_ERR_BADADDRNetwork address in network layer header doesn't match address inside ticketSession tickets MAY include the addresses from which they are valid. This error can occur if the address of the computer sending the ticket is different from the valid address in the ticket. A possible cause of this could be an Internet Protocol (IP) address change. Another possible cause is when a ticket is passed through a proxy server or NAT. The client is unaware of the address scheme used by the proxy server, so unless the program caused the client to request a proxy server ticket with the proxy server's source address, the ticket could be invalid.
0x27KRB_AP_ERR_BADVERSIONProtocol version numbers don't match (PVNO)When an application receives a KRB_SAFE message, it verifies it. If any error occurs, an error code is reported for use by the application.
The message is first checked by verifying that the protocol version and type fields match the current version and KRB_SAFE, respectively. A mismatch generates a KRB_AP_ERR_BADVERSION.
See RFC4120 for more details.
0x28KRB_AP_ERR_MSG_TYPEMessage type is unsupportedThis message is generated when target server finds that message format is wrong. This applies to KRB_AP_REQ, KRB_SAFE, KRB_PRIV and KRB_CRED messages.
This error also generated if use of UDP protocol is being attempted with User-to-User authentication.
0x29KRB_AP_ERR_MODIFIEDMessage stream modified and checksum didn't matchThe authentication data was encrypted with the wrong key for the intended server.
The authentication data was modified in transit by a hardware or software error, or by an attacker.
The client sent the authentication data to the wrong server because incorrect DNS data caused the client to send the request to the wrong server.
The client sent the authentication data to the wrong server because DNS data was out-of-date on the client.
0x2AKRB_AP_ERR_BADORDERMessage out of order (possible tampering)This event generates for KRB_SAFE and KRB_PRIV messages if an incorrect sequence number is included, or if a sequence number is expected but not present. See RFC4120 for more details.
0x2CKRB_AP_ERR_BADKEYVERSpecified version of key is not availableThis error might be generated on server side during receipt of invalid KRB_AP_REQ message. If the key version indicated by the Ticket in the KRB_AP_REQ is not one the server can use (e.g., it indicates an old key, and the server no longer possesses a copy of the old key), the KRB_AP_ERR_BADKEYVER error is returned.
0x2DKRB_AP_ERR_NOKEYService key not availableThis error might be generated on server side during receipt of invalid KRB_AP_REQ message. Because it is possible for the server to be registered in multiple realms, with different keys in each, the realm field in the unencrypted portion of the ticket in the KRB_AP_REQ is used to specify which secret key the server should use to decrypt that ticket. The KRB_AP_ERR_NOKEY error code is returned if the server doesn't have the proper key to decipher the ticket.
0x2EKRB_AP_ERR_MUT_FAILMutual authentication failedNo information.
0x2FKRB_AP_ERR_BADDIRECTIONIncorrect message directionNo information.
0x30KRB_AP_ERR_METHODAlternative authentication method requiredAccording RFC4120 this error message is obsolete.
0x31KRB_AP_ERR_BADSEQIncorrect sequence number in messageNo information.
0x32KRB_AP_ERR_INAPP_CKSUMInappropriate type of checksum in message (checksum may be unsupported)When KDC receives KRB_TGS_REQ message it decrypts it, and after that, the user-supplied checksum in the Authenticator MUST be verified against the contents of the request. The message MUST be rejected either if the checksums do not match (with an error code of KRB_AP_ERR_MODIFIED) or if the checksum is not collision-proof (with an error code of KRB_AP_ERR_INAPP_CKSUM).
0x33KRB_AP_PATH_NOT_ACCEPTEDDesired path is unreachableNo information.
0x34KRB_ERR_RESPONSE_TOO_BIGToo much dataThe size of a ticket is too large to be transmitted reliably via UDP. In a Windows environment, this message is purely informational. A computer running a Windows operating system will automatically try TCP if UDP fails.
0x3CKRB_ERR_GENERICGeneric errorGroup membership has overloaded the PAC.
Multiple recent password changes have not propagated.
Crypto subsystem error caused by running out of memory.
SPN too long.
SPN has too many parts.
0x3DKRB_ERR_FIELD_TOOLONGField is too long for this implementationEach request (KRB_KDC_REQ) and response (KRB_KDC_REP or KRB_ERROR) sent over the TCP stream is preceded by the length of the request as 4 octets in network byte order. The high bit of the length is reserved for future expansion and MUST currently be set to zero. If a KDC that does not understand how to interpret a set high bit of the length encoding receives a request with the high order bit of the length set, it MUST return a KRB-ERROR message with the error KRB_ERR_FIELD_TOOLONG and MUST close the TCP stream.
0x3EKDC_ERR_CLIENT_NOT_TRUSTEDThe client trust failed or is not implementedThis typically happens when user’s smart-card certificate is revoked or the root Certification Authority that issued the smart card certificate (in a chain) is not trusted by the domain controller.
0x3FKDC_ERR_KDC_NOT_TRUSTEDThe KDC server trust failed or could not be verifiedThe trustedCertifiers field contains a list of certification authorities trusted by the client, in the case that the client does not possess the KDC's public key certificate. If the KDC has no certificate signed by any of the trustedCertifiers, then it returns an error of type KDC_ERR_KDC_NOT_TRUSTED. See RFC1510 for more details.
0x40KDC_ERR_INVALID_SIGThe signature is invalidThis error is related to PKINIT. If a PKI trust relationship exists, the KDC then verifies the client's signature on AuthPack (TGT request signature). If that fails, the KDC returns an error message of type KDC_ERR_INVALID_SIG.
0x41KDC_ERR_KEY_TOO_WEAKA higher encryption level is neededIf the clientPublicValue field is filled in, indicating that the client wishes to use Diffie-Hellman key agreement, then the KDC checks to see that the parameters satisfy its policy. If they do not (e.g., the prime size is insufficient for the expected encryption type), then the KDC sends back an error message of type KDC_ERR_KEY_TOO_WEAK.
0x42KRB_AP_ERR_USER_TO_USER_REQUIREDUser-to-user authorization is requiredIn the case that the client application doesn't know that a service requires user-to-user authentication, and requests and receives a conventional KRB_AP_REP, the client will send the KRB_AP_REP request, and the server will respond with a KRB_ERROR token as described in RFC1964, with a msg-type of KRB_AP_ERR_USER_TO_USER_REQUIRED.
0x43KRB_AP_ERR_NO_TGTNo TGT was presented or availableIn user-to-user authentication if the service does not possess a ticket granting ticket, it should return the error KRB_AP_ERR_NO_TGT.
0x44KDC_ERR_WRONG_REALMIncorrect domain or principalAlthough this error rarely occurs, it occurs when a client presents a cross-realm TGT to a realm other than the one specified in the TGT. Typically, this results from incorrectly configured DNS.

Table 3. TGT/TGS issue error codes.

  • Ticket Encryption Type [Type = HexInt32]: the cryptographic suite that was used for issued TGT.
## Table 4. Kerberos encryption types
TypeType NameDescription
0x1DES-CBC-CRCDisabled by default starting from Windows 7 and Windows Server 2008 R2.
0x3DES-CBC-MD5Disabled by default starting from Windows 7 and Windows Server 2008 R2.
0x11AES128-CTS-HMAC-SHA1-96Supported starting from Windows Server 2008 and Windows Vista.
0x12AES256-CTS-HMAC-SHA1-96Supported starting from Windows Server 2008 and Windows Vista.
0x17RC4-HMACDefault suite for operating systems before Windows Server 2008 and Windows Vista.
0x18RC4-HMAC-EXPDefault suite for operating systems before Windows Server 2008 and Windows Vista.
0xFFFFFFFF or 0xffffffff-This type shows in Audit Failure events.
  • Pre-Authentication Type [Type = UnicodeString]: the code number of pre-Authentication type which was used in TGT request.
## Table 5. Kerberos Pre-Authentication types.
TypeType NameDescription
0-Logon without Pre-Authentication.
2PA-ENC-TIMESTAMPThis is a normal type for standard password authentication.
11PA-ETYPE-INFOThe ETYPE-INFO pre-authentication type is sent by the KDC in a KRB-ERROR indicating a requirement for additional pre-authentication. It is usually used to notify a client of which key to use for the encryption of an encrypted timestamp for the purposes of sending a PA-ENC-TIMESTAMP pre-authentication value.
Never saw this Pre-Authentication Type in Microsoft Active Directory environment.
15PA-PK-AS-REP_OLDUsed for Smart Card logon authentication.
17PA-PK-AS-REPThis type should also be used for Smart Card authentication, but in certain Active Directory environments, it is never seen.
19PA-ETYPE-INFO2The ETYPE-INFO2 pre-authentication type is sent by the KDC in a KRB-ERROR indicating a requirement for additional pre-authentication. It is usually used to notify a client of which key to use for the encryption of an encrypted timestamp for the purposes of sending a PA-ENC-TIMESTAMP pre-authentication value.
Never saw this Pre-Authentication Type in Microsoft Active Directory environment.
20PA-SVR-REFERRAL-INFOUsed in KDC Referrals tickets.
138PA-ENCRYPTED-CHALLENGELogon using Kerberos Armoring (FAST). Supported starting from Windows Server 2012 domain controllers and Windows 8 clients.
-This type shows in Audit Failure events.

Certificate Information:

__ Generates And Issues Session Keys In Kerberos 2017

  • Certificate Issuer Name [Type = UnicodeString]: the name of the Certification Authority that issued the smart card certificate. Populated in Issued by field in certificate.

  • Certificate Serial Number [Type = UnicodeString]: smart card certificate’s serial number. Can be found in Serial number field in the certificate.

  • Certificate Thumbprint [Type = UnicodeString]: smart card certificate’s thumbprint. Can be found in Thumbprint field in the certificate.

Security Monitoring Recommendations

For 4768(S, F): A Kerberos authentication ticket (TGT) was requested.

Type of monitoring requiredRecommendation
High-value accounts: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on.
Monitor this event with the “User ID” that corresponds to the high-value account or accounts.
Anomalies or malicious actions: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours.When you monitor for anomalies or malicious actions, use the “User ID” (with other information) to monitor how or when a particular account is being used.
Non-active accounts: You might have non-active, disabled, or guest accounts, or other accounts that should never be used.Monitor this event with the “User ID” that corresponds to the accounts that should never be used.
Account whitelist: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events.If this event corresponds to a “whitelist-only” action, review the “User ID” for accounts that are outside the whitelist.
External accounts: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events).Monitor this event for the “Supplied Realm Name” corresponding to another domain or “external” location.
Account naming conventions: Your organization might have specific naming conventions for account names.Monitor “User ID” for names that don’t comply with naming conventions.
  • You can track all 4768 events where the Client Address is not from your internal IP range or not from private IP ranges.

  • If you know that Account Name should be used only from known list of IP addresses, track all Client Address values for this Account Name in 4768 events. If Client Address is not from the whitelist, generate the alert.

  • All Client Address = ::1 means local authentication. If you know the list of accounts which should log on to the domain controllers, then you need to monitor for all possible violations, where Client Address = ::1 and Account Name is not allowed to log on to any domain controller.

  • All 4768 events with Client Port field value > 0 and < 1024 should be examined, because a well-known port was used for outbound connection.

  • Also consider monitoring the fields shown in the following table, to discover the issues listed:

__ Generates And Issues Session Keys In Kerberos 2018

FieldIssue to discover
Certificate Issuer NameCertification authority name is not from your PKI infrastructure.
Certificate Issuer NameCertification authority name is not authorized to issue smart card authentication certificates.
Pre-Authentication TypeValue is 0, which means that pre-authentication was not used. All accounts should use Pre-Authentication, except accounts configured with “Do not require Kerberos preauthentication,” which is a security risk. For more information, see Table 5. Kerberos Pre-Authentication types.
Pre-Authentication TypeValue is not 15 when account must use a smart card for authentication. For more information, see Table 5. Kerberos Pre-Authentication types.
Pre-Authentication TypeValue is not 2 when only standard password authentication is in use in the organization. For more information, see Table 5. Kerberos Pre-Authentication types.
Pre-Authentication TypeValue is not 138 when Kerberos Armoring is enabled for all Kerberos communications in the organization. For more information, see Table 5. Kerberos Pre-Authentication types.
Ticket Encryption TypeValue is 0x1 or 0x3, which means the DES algorithm was used. DES should not be in use, because of low security and known vulnerabilities. It is disabled by default starting from Windows 7 and Windows Server 2008 R2. For more information, see Table 4. Kerberos encryption types.
Ticket Encryption TypeStarting with Windows Vista and Windows Server 2008, monitor for values other than 0x11 and 0x12. These are the expected values, starting with these operating systems, and represent AES-family algorithms. For more information, see Table 4. Kerberos encryption types.
Result Code0x6 (The username doesn't exist), if you see, for example N events in last N minutes. This can be an indicator of account enumeration attack, especially for highly critical accounts.
Result Code0x7 (Server not found in Kerberos database). This error can occur if the domain controller cannot find the server's name in Active Directory.
Result Code0x8 (Multiple principal entries in KDC database). This will help you to find duplicate SPNs faster.
Result Code0x9 (The client or server has a null key (master key)). This error can help you to identify problems with Kerberos authentication faster.
Result Code0xA (Ticket (TGT) not eligible for postdating). Microsoft systems should not request postdated tickets. These events could help identify anomaly activity.
Result Code0xC (Requested start time is later than end time), if you see, for example N events in last N minutes. This can be an indicator of an account compromise attempt, especially for highly critical accounts.
Result Code0xE (KDC has no support for encryption type). In general, this error occurs when the KDC or a client receives a packet that it cannot decrypt. Monitor for these events because this should not happen in a standard Active Directory environment.
Result Code0xF (KDC has no support for checksum type). Monitor for these events because this should not happen in a standard Active Directory environment.
Result Code0x12 (Client's credentials have been revoked), if you see, for example N events in last N minutes. This can be an indicator of anomaly activity or brute-force attack, especially for highly critical accounts.
Result Code0x1F (Integrity check on decrypted field failed). The authenticator was encrypted with something other than the session key. The result is that the KDC cannot decrypt the TGT. The modification of the message could be the result of an attack or it could be because of network noise.
Result Code0x22 (The request is a replay). This error indicates that a specific authenticator showed up twice—the KDC has detected that this session ticket duplicates one that it has already received. It could be a sign of attack attempt.
Result Code0x29 (Message stream modified and checksum didn't match). The authentication data was encrypted with the wrong key for the intended server. The authentication data was modified in transit by a hardware or software error, or by an attacker. Monitor for these events because this should not happen in a standard Active Directory environment.
Result Code0x3C (Generic error). This error can help you more quickly identify problems with Kerberos authentication.
Result Code0x3E (The client trust failed or is not implemented). This error helps you identify logon attempts with revoked certificates and the situations when the root Certification Authority that issued the smart card certificate (through a chain) is not trusted by a domain controller.
Result Code0x3F, 0x40, 0x41 errors. These errors can help you more quickly identify smart-card related problems with Kerberos authentication.