Avoid enabling Kerberos Pre-Authentication in AD


November 11, 2021 | Active Directory

Kerberos Pre-Authentication

The Key Distribution Center (KDC) runs on every domain controller and performs two key functions: the Authentication Service (AS), which issues ticket-granting tickets (TGTs), and the Ticket-Granting Service (TGS), which issues service tickets.

By default the KDC requires all accounts to use pre-authentication. This is a security feature that protects against password-guessing attacks. The AS request identifies the client to the KDC in plain text. If pre-authentication is enabled, the client must also send a time stamp encrypted with the user's password hash as the encryption key. The KDC holds that hash in Active Directory; if decrypting the time stamp with it yields a valid, current time, the KDC knows the request is genuine and not a replay of a previous request.

When Kerberos Pre-Authentication is disabled

When pre-authentication is not enforced, an attacker can send a dummy authentication request for the account without knowing its password. The KDC replies with a TGT and material encrypted with the user's password-derived key, and the attacker can brute-force that material offline. The KDC logs show nothing except a single TGT request. When Kerberos timestamp pre-authentication is enforced, the attacker cannot simply ask the KDC for encrypted material to crack offline: each guess requires encrypting a timestamp with a candidate password and presenting it to the KDC. The attacker can repeat this over and over, but the KDC records a log entry every time pre-authentication fails, so the guessing is visible.


Identify user accounts with Kerberos Pre-Authentication disabled

# Request only the property needed instead of every attribute of every user (-Properties *)
Get-ADUser -Filter * -Properties DoesNotRequirePreAuth | Where-Object { $_.DoesNotRequirePreAuth -eq $true } | Select-Object SamAccountName, Enabled, DoesNotRequirePreAuth
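As an added example (not code from the original post), the script below extends the one-liner above into an audit of no-preauth accounts with optional remediation, and pulls the KDC events the previous section describes so that a lone TGT request for such an account, or a burst of pre-authentication failures, can be reviewed. The ActiveDirectory module, a reachable domain controller with Kerberos Authentication Service auditing enabled, and the $DomainController and -Remediate parameters are assumptions.

```powershell
# Added example: audit accounts flagged "Do not require Kerberos preauthentication",
# optionally fix them, and list the related KDC audit events from one DC.
param(
    [string]$DomainController = $env:LOGONSERVER.TrimStart('\'),  # assumed parameter
    [switch]$Remediate                                            # assumed parameter
)
Import-Module ActiveDirectory

# UF_DONT_REQUIRE_PREAUTH is bit 0x400000 (4194304) of userAccountControl. The LDAP
# bitwise-AND matching rule evaluates server-side, so the DC returns only matching users.
$ldap = '(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))'
$accounts = Get-ADUser -LDAPFilter $ldap -Properties userAccountControl, lastLogonDate, servicePrincipalName

$accounts | Select-Object SamAccountName, Enabled, LastLogonDate,
    @{n = 'HasSPN'; e = { [bool]$_.servicePrincipalName } },
    @{n = 'UAC';    e = { '0x{0:X}' -f $_.userAccountControl } } | Format-Table -AutoSize

if ($Remediate) {
    foreach ($a in $accounts) {
        # The flag lives in userAccountControl, so Set-ADAccountControl clears it directly.
        Set-ADAccountControl -Identity $a -DoesNotRequirePreAuth $false
    }
}

# Detection side. 4768 = a TGT was requested; 4771 = Kerberos pre-authentication failed.
# A request for a no-preauth account leaves only a successful 4768 whose PreAuthType is 0.
# With pre-auth enforced, every wrong password guess produces a 4771 instead.
$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
    LogName = 'Security'; Id = 4768, 4771; StartTime = $since } -ErrorAction SilentlyContinue

$events | ForEach-Object {
    $x = [xml]$_.ToXml()
    $d = @{}
    $x.Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
    [pscustomobject]@{
        Time     = $_.TimeCreated
        Id       = $_.Id
        Account  = $d['TargetUserName']
        ClientIP = $d['IpAddress']
        PreAuth  = $d['PreAuthType']   # 0 = logon without pre-authentication
        Status   = $d['Status']        # 0x0 = success; 0x18 on 4771 = wrong password
    }
} | Where-Object {
    $_.Id -eq 4771 -or ($_.Id -eq 4768 -and $_.PreAuth -eq '0' -and $_.Status -eq '0x0')
} | Format-Table -AutoSize
```

Run it without -Remediate first and review which accounts actually need the flag; service accounts with an SPN and the flag set deserve the closest look.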

