
In short: I need a way to retrieve the encryption modes permitted in the network security policy of a Microsoft DC.

The encryption mode is essential to creating the right set of keys for service principals in the local keytab of a host.

User accounts have the attribute msDS-SupportedEncryptionTypes that gives the modes as a bitset. This can be configured by a Windows admin through some input form. “Computer accounts” however lack this attribute unless one manually sets the attribute in LDAP. And there is no similar input form.

Now, according to the official docs that setting is inherited for each “Computer account” from the local policy. I guess what I need is to look up this policy through LDAP. But how?

phg

2 Answers

According to this other msdn blog all computer accounts have this attribute, but legacy systems (pre Vista/2008) do not populate it. A quick glance at computer objects in an AD shows me those attributes, and it is really quite simple to do it in powershell with the active-directory module (so start powershell and load the module with `Import-Module ActiveDirectory`):

get-adcomputer -properties msDS-SupportedEncryptionTypes -filter *

That's it, you get a list of objects with the attribute. In my case I got "28" (which apparently corresponds to "RC4", "AES128", "AES256").

natxo asenjo
  • “according to this other msdn blog all computer accounts have this attribute” – They don’t on the Win2008 Server I have for testing. The attribute can be added manually, but it’s not there with a freshly created account. User accounts have checkboxes in the admin form to click KRB5 enctypes, computer accounts however lack them. – phg Feb 16 '18 at 09:43
  • “start powershell and load the module” – The point of using LDAP to interface with the server is to *avoid Windows as much as possible* so Powershell isn’t even remotely an option. – phg Feb 16 '18 at 09:44
  • They do, but it's empty, as stated in my answer. And powershell *uses* ldap in this case. I honestly do not understand your comments. – natxo asenjo Feb 16 '18 at 16:25
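The same lookup done over plain LDAP from a non-Windows host, added here as an example that is not part of the thread. It assumes the ldap3 Python library and hypothetical server and bind details; the bit values are the documented flag values of msDS-SupportedEncryptionTypes (0x20 is a newer session-key flag the thread does not mention), and the decoder is what makes a raw "28" or "23" readable.

```python
# Added example (not from the thread): decode msDS-SupportedEncryptionTypes
# and fetch it over plain LDAP. Bit values are the documented enctype flags.

# Bit -> enctype name, ordered weakest to strongest.
ENCTYPE_BITS = (
    (0x01, "DES_CBC_CRC"),
    (0x02, "DES_CBC_MD5"),
    (0x04, "RC4_HMAC"),
    (0x08, "AES128_CTS_HMAC_SHA1_96"),
    (0x10, "AES256_CTS_HMAC_SHA1_96"),
    (0x20, "AES256_CTS_HMAC_SHA1_96_SK"),  # session-key-only flag on newer DCs
)

def decode_enctypes(value):
    """Enctype names set in value (int, or the string LDAP returns).
    None, "" or 0 means the attribute is absent/empty, so DC defaults apply."""
    if value is None or value == "" or int(value) == 0:
        return []
    mask = int(value)
    return [name for bit, name in ENCTYPE_BITS if mask & bit]

def strongest_enctype(value):
    """The thread observes that the strongest listed type is used; return it
    (the SK flag is not a ticket cipher, so it is skipped)."""
    names = [n for n in decode_enctypes(value) if not n.endswith("_SK")]
    return names[-1] if names else None

def weak_only(value):
    """True when only DES/RC4 are offered, i.e. the account can never get an
    AES ticket: the accounts a defender wants to find first."""
    names = decode_enctypes(value)
    return bool(names) and not any(n.startswith("AES") for n in names)

def fetch_computer_enctypes(server_uri, base_dn, bind_dn, password):
    """Query every computer object for the attribute with ldap3 (no Windows
    tooling). Connection details are hypothetical placeholders."""
    import ldap3  # imported here so the decoder runs without ldap3 installed
    conn = ldap3.Connection(ldap3.Server(server_uri), user=bind_dn,
                            password=password, auto_bind=True)
    conn.search(base_dn, "(objectClass=computer)",
                attributes=["sAMAccountName", "msDS-SupportedEncryptionTypes"])
    result = {}
    for entry in conn.entries:
        attrs = entry.entry_attributes_as_dict  # missing attribute -> no key
        vals = attrs.get("msDS-SupportedEncryptionTypes") or []
        name = attrs["sAMAccountName"][0]
        result[name] = decode_enctypes(vals[0] if vals else None)
    return result
```

An empty result for an account means the attribute is unset, which is exactly the freshly created computer account case the question describes.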

I have a few items that might help somewhat.

While working on a cipher project I noted that a number of items kept coming back as older types than the current, more secure version, let's say AES256; I had collected the hits via network scans. This could be seen by testing an SPN that was bound to an AD object such as a user or computer object. But ultimately all roads take you back to the AD item.

Testing a hit, for example CIFS/TEST, a demo SPN added to a test computer object, using the PowerShell code:

    klist purge
    Add-Type -AssemblyName System.IdentityModel
    $SessionKey = New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "CIFS/test" -ErrorAction SilentlyContinue
    klist

    Client: administrator @ DOMAIN1.INT
    Server: CIFS/test @ DOMAIN1.INT
    KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
    Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
    Start Time: 3/17/2022 23:52:52 (local)
    End Time: 3/18/2022 9:52:52 (local)
    Renew Time: 3/24/2022 23:52:52 (local)
    Session Key Type: RSADSI RC4-HMAC(NT)

Looking in the test AD for the test computer object and then adding Advanced views to DSA.MSC, there is a direct link to the value set msDS-SupportedEncryptionTypes as both the above replies added. 100% bang on. Now it's possible to force the use of stronger levels of ciphers via this attribute in AD of the object.

See https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/decrypting-the-selection-of-supported-kerberos-encryption-types/ba-p/1628797

I have done some testing and to be fair the strongest value is always chosen when you select a value that's got, say, RC4 and AES; even when you use AES 128 and 256 the servers will use the strongest possible.

E.g. when I set the value on the AD computer object ("not a user account") to 23 - DES_CBC_CRC, DES_CBC_MD5, RC4, AES 256:

    #1> Client: administrator @ DOMAIN1.INT
        Server: CIFS/test @ DOMAIN1.INT
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
        Start Time: 3/18/2022 0:00:33 (local)
        End Time: 3/18/2022 10:00:33 (local)
        Renew Time: 3/25/2022 0:00:33 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96

Note this was only a limited test, so don't run off and start cranking it into the real world :) Just wanted to share a few things with you all.