Channel: Directory Services forum

AD Kerberos question


Hi All!

We currently run Microsoft Advanced Threat Analytics, and we quite often get the following error for Windows client PCs and ADFS servers:

Encryption downgrade activity
The encryption method of the ETYPE_INFO field of KRB_ERR message from x computers has been downgraded based on previously learned behavior.



I have been over this documentation here: https://docs.microsoft.com/en-us/advanced-threat-analytics/suspicious-activity-guide and used their Aorato Skeleton Key Malware Remote DC Scanner tool, but found nothing.

I opened a ticket with Microsoft about this, and they believe it is due to the fact that these accounts haven't changed their passwords in a long time (a lot of them are old accounts for various strange purposes and VIPs that whinge about having to change their password - but let's not get into that, we are soon going to force them into line).

I am only slightly knowledgeable about Kerberos, and I want to know the whys/whats/hows about it. Forgive me if I am wrong, but I understand that your password is used to hash certain information and that is sent to the KDC, the KDC uses the hash of the password at its end to decrypt the message, and if it can, then your password is correct. So your password is never sent over the wire.

I'm assuming that because these accounts have their passwords hashed with some older cipher, the KDC tells the client to use an older cipher to encrypt the message, and this is why I am getting the error? Is that correct, and is that why Microsoft is asking me to change their passwords?

I have a few questions (assuming my assumptions are correct)

  1. I asked a user to change their password (via going ctrl+alt+del on their Windows 7 PC and clicking Change a password), however ATA was still picking up encryption downgrades for this user on both their Windows 7 PC and ADFS. Would the fact that they have previously negotiated lower encryption with the KDC cause the new password to still be hashed with a weaker cipher?
  2. I then changed the password for the user above via Active Directory Users and Computers (dsa.msc), and now I no longer get the ATA alerts when they log onto ADFS, but I still get them when they log onto their Windows 7 PC. Is there anything I need to do for the Windows 7 PC to ensure it uses the strongest cipher for this account?
  3. Is there any way for me to find out, by querying AD, what users have passwords that are hashed in an older cipher?
  4. When did Microsoft make this cipher change? What did they change their cipher from/to, and how can I enforce the stronger cipher? (I seem to be struggling finding this information)

Thanks all, I apologise for my ignorance!

Some notes:

  1. I can cause ATA to log the Encryption downgrade activity just by doing a failed logon to any computer / ADFS with the users that have really old passwords. (I assume this is because even though my password is incorrect, it is hashed using a superior cipher, and the KDC still needs to negotiate a lower cipher with the client.)
  2. The computer accounts all have msDS-SupportedEncryptionTypes set to 28 (0x1C).
  3. Please do not reply and ask me to submit my question to the ATA forums, I submitted this question there some time ago and got no response, this question relates mainly to Kerberos.
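
The following PowerShell is an added example and is not part of the original post or any reply to it. It addresses the third question (finding accounts likely to have only older Kerberos keys by querying AD) and decodes the msDS-SupportedEncryptionTypes value quoted in the notes. Two facts it relies on: the attribute is a bit mask whose defined bits are DES-CBC-CRC (0x1), DES-CBC-MD5 (0x2), RC4-HMAC (0x4), AES128-CTS-HMAC-SHA1-96 (0x8) and AES256-CTS-HMAC-SHA1-96 (0x10), so 28 (0x1C) means RC4 plus both AES types; and AES keys for an account are only derived when its password is set, so an account whose password predates the domain's AES support (introduced with the Windows Server 2008 domain functional level) has only RC4 (and possibly DES) keys stored, regardless of what the attribute says. The cutoff date `$AesCutoff` is an assumption that must be replaced with the date the domain functional level was raised to 2008 in the environment in question; the script only flags candidates by pwdLastSet, it cannot read which key types AD actually holds for an account.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Bit flags of msDS-SupportedEncryptionTypes (defined in MS-KILE / MS-ADTS).
$EtypeFlags = [ordered]@{
    DES_CBC_CRC             = 0x01
    DES_CBC_MD5             = 0x02
    RC4_HMAC                = 0x04
    AES128_CTS_HMAC_SHA1_96 = 0x08
    AES256_CTS_HMAC_SHA1_96 = 0x10
}

function ConvertFrom-EncryptionTypes {
    # Turns the integer attribute value into a readable list of etype names.
    param([int]$Value)
    if ($Value -eq 0) { return 'not set / 0 (DC default applies)' }
    $names = $EtypeFlags.GetEnumerator() |
        Where-Object { ($Value -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }
    return ($names -join ', ')
}

# The value the post reports on its computer accounts:
ConvertFrom-EncryptionTypes 28   # RC4_HMAC, AES128_CTS_HMAC_SHA1_96, AES256_CTS_HMAC_SHA1_96

# ASSUMPTION: date the domain functional level reached Windows Server 2008
# (AES keys are only generated for passwords set after that point). Adjust per domain.
$AesCutoff = Get-Date '2010-01-01'

Get-ADUser -Filter 'Enabled -eq $true' -Properties pwdLastSet, 'msDS-SupportedEncryptionTypes' |
    ForEach-Object {
        # pwdLastSet is a Windows FILETIME; 0 means "must change at next logon" / never set.
        $set = if ($_.pwdLastSet) { [DateTime]::FromFileTime([long]$_.pwdLastSet) } else { $null }
        [pscustomobject]@{
            SamAccountName  = $_.SamAccountName
            PwdLastSet      = $set
            # Candidate for RC4-only keys: password never set, or set before AES support existed.
            LikelyRC4Only   = ($null -eq $set) -or ($set -lt $AesCutoff)
            SupportedEtypes = ConvertFrom-EncryptionTypes ([int]$_.'msDS-SupportedEncryptionTypes')
        }
    } |
    Where-Object { $_.LikelyRC4Only } |
    Sort-Object PwdLastSet |
    Format-Table -AutoSize
```

Run it as a user with read access to the domain; the output is the list of enabled accounts whose password was last set before the cutoff, which is the same population the Microsoft ticket points at. Once a password has been reset after AES support exists, the account gets AES keys and the KDC can offer AES in the KRB-ERROR ETYPE-INFO2, so the first thing to verify for any account still being flagged is that its pwdLastSet really moved forward.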

