I'm playing with mimikatz kerberos::golden, e.g.,
kerberos::golden /domain:XXX /sid:XXX /user:XXX /aes256:XXX /endin:864000 /renewmax:10240 /ptt
Then I tried to access a domain joined machine, but I got access denied:
dir \\IP_address\C$
But if I switch to a DNS name, it works:
dir \\HOSTNAME\C$
Why did the direct IP address access fail here?
By default, Windows will not attempt to authenticate with Kerberos when you connect to an IP address rather than a hostname. To quote from the Microsoft article on this subject:
By default Windows will not attempt Kerberos authentication for a host if the hostname is an IP address. It will fall back to other enabled authentication protocols like NTLM. However, applications are sometimes hardcoded to use IP addresses which means the application will fall back to NTLM and not use Kerberos. This can cause compatibility issues as environments move to disable NTLM.
In order to use the IP instead of the hostname, you can use setspn to configure a Service Principal Name for Kerberos, matching the IP address, and it will cause Windows to attempt to authenticate with Kerberos to that IP address instead of falling back to NTLM.
As a side note, it's good practice to use the FQDN (i.e. hostname.domainname) when trying to authenticate to domain-joined hosts. In some configurations the bare NetBIOS name alone will not work, leading to spurious connection failures and authentication failures.
