In this blog, we’ll discuss how Kerberos pre-authentication helps mitigate password attacks. We’ll also discuss how native tools fail to provide a list of user accounts that have disabled Kerberos pre-authentication, and how to detect and enable pre-authentication for these accounts with ease.
In a Windows environment, Kerberos authentication relies on the Kerberos key distribution center (KDC), which runs on every domain controller, to verify the identity of clients and servers. The KDC accepts requests from Kerberos clients, verifies their identity against the Active Directory (AD) database, and issues tickets to clients upon successful verification. Sounds like a secure identity verification mechanism, right? Well, hang on.
Kerberos authentication is still exposed to various kinds of attacks, including password attacks. Enabling Kerberos pre-authentication blunts them: it denies an attacker material that can be cracked offline and forces every online guess through the KDC, where it is logged. Pre-authentication is required for every account by default, but admins sometimes disable it on individual accounts (the "Do not require Kerberos preauthentication" account option) for testing, automation, and so on.
Pre-authentication and how it thwarts active password attacks
With pre-authentication, a client proves it knows the account's password before the KDC issues anything. The client encrypts the current timestamp with the account's long-term key (a key derived from the password, which the KDC also holds in AD) and includes that encrypted timestamp in its ticket request (the AS-REQ), alongside details such as the requested ticket lifetime and, optionally, the client addresses the ticket should be valid from. When the KDC receives the request, it decrypts the timestamp with its own copy of the key. If the decryption and integrity check succeed, the KDC goes on to issue the ticket; if they fail, the KDC returns an error to the client.
Without pre-authentication, the KDC answers a ticket request for the account no matter who sends it. With pre-authentication enabled, a request has to carry a timestamp encrypted with the account key, so a blind request is simply rejected. The KDC also checks the timestamp itself: it must fall within the allowed clock skew of the KDC's own clock (five minutes by default in AD), and the KDC keeps a replay cache so that a timestamp it has already accepted for that client is not accepted again. A captured request therefore cannot be replayed later, and a valid, fresh timestamp tells the KDC the request is not a replay.
If pre-authentication is disabled, an attacker can request a ticket for the account without knowing its password. Part of the KDC's reply (the AS-REP) is encrypted with the account's long-term key, so the attacker can take that reply offline and brute-force the password at leisure; the only trace on the domain controller is a single ticket-request event (Event ID 4768) that looks like any other apart from its pre-authentication type of 0. With pre-authentication enabled, every password guess has to be sent to the KDC as a freshly encrypted timestamp, and every wrong guess is rejected and logged on the domain controller (Event ID 4771, Kerberos pre-authentication failed). The attacker can still try many times over, but they cannot do it silently.
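The contrast described above, as an added example that is not part of the original post: a small PowerShell model of the AS exchange in which a toy KDC holds the accounts' keys, a replay cache and a log, and an attacker runs a wordlist against one account with pre-authentication disabled and one with it enabled. PBKDF2 stands in for the Kerberos string-to-key function, AES-CBC with an HMAC-SHA256 tag stands in for the Kerberos encryption types, and the log strings only mimic the 4768/4771 events a domain controller would record; the realm EXAMPLE.LOCAL, the two accounts, their passwords and the wordlist are all constructed for the example.

```powershell
# Added example (toy model, not the real Kerberos protocol or a real KDC).
$script:MaxClockSkew = [TimeSpan]::FromMinutes(5)   # AD default: 5 minutes

function Get-UserKey([string]$Password, [string]$User) {
    # Long-term key derived from the password; PBKDF2 stands in for RFC 3962 string-to-key.
    $salt = [Text.Encoding]::UTF8.GetBytes("EXAMPLE.LOCAL$User")   # constructed realm
    $kdf = [System.Security.Cryptography.Rfc2898DeriveBytes]::new($Password, $salt, 4096)
    try { return ,$kdf.GetBytes(32) } finally { $kdf.Dispose() }
}

function Protect-Blob([byte[]]$Key, [byte[]]$Plaintext) {
    # AES-CBC then an HMAC-SHA256 tag, so a wrong key is detectable (the role of Kerberos' keyed checksum).
    $aes = [System.Security.Cryptography.Aes]::Create(); $aes.Key = $Key; $aes.GenerateIV()
    $body = [byte[]]($aes.IV + $aes.CreateEncryptor().TransformFinalBlock($Plaintext, 0, $Plaintext.Length))
    $out = [byte[]]([System.Security.Cryptography.HMACSHA256]::new($Key).ComputeHash($body) + $body)
    $aes.Dispose()
    return ,$out
}

function Unprotect-Blob([byte[]]$Key, [byte[]]$Blob) {
    # Returns the plaintext, or $null when the tag does not verify (i.e. the key is wrong).
    $body = [byte[]]($Blob[32..($Blob.Length - 1)])
    $want = [System.Security.Cryptography.HMACSHA256]::new($Key).ComputeHash($body)
    if ([Convert]::ToBase64String([byte[]]($Blob[0..31])) -ne [Convert]::ToBase64String($want)) { return $null }
    $aes = [System.Security.Cryptography.Aes]::Create(); $aes.Key = $Key; $aes.IV = [byte[]]($body[0..15])
    $ct = [byte[]]($body[16..($body.Length - 1)])
    $pt = $aes.CreateDecryptor().TransformFinalBlock($ct, 0, $ct.Length); $aes.Dispose()
    return ,$pt
}

function New-Kdc([hashtable]$Accounts) {
    # $Accounts: name -> @{ Password; RequirePreAuth }, i.e. what the KDC reads from AD.
    $db = @{}
    foreach ($n in $Accounts.Keys) {
        $db[$n] = @{ Key = (Get-UserKey $Accounts[$n].Password $n); RequirePreAuth = $Accounts[$n].RequirePreAuth }
    }
    return @{ Db = $db; ReplayCache = @{}; Log = [System.Collections.ArrayList]::new() }
}

function Invoke-AsRequest($Kdc, [string]$User, [byte[]]$PreAuth) {
    $acct = $Kdc.Db[$User]; $paType = 0
    if ($acct.RequirePreAuth) {
        if (-not $PreAuth) { return @{ Error = 'KDC_ERR_PREAUTH_REQUIRED' } }
        $ok = $false
        $pt = Unprotect-Blob $acct.Key $PreAuth
        if ($pt) {
            $ts = [datetime]::new([BitConverter]::ToInt64($pt, 0), [DateTimeKind]::Utc)
            $seen = "$User|$($ts.Ticks)"
            # Accept only a fresh timestamp: inside the clock skew and never accepted before.
            if (([datetime]::UtcNow - $ts).Duration() -le $script:MaxClockSkew -and -not $Kdc.ReplayCache.ContainsKey($seen)) {
                $Kdc.ReplayCache[$seen] = $true; $ok = $true
            }
        }
        if (-not $ok) {   # a real DC records this as Event ID 4771
            [void]$Kdc.Log.Add("4771 pre-authentication failed for $User")
            return @{ Error = 'KDC_ERR_PREAUTH_FAILED' }
        }
        $paType = 2   # PA-ENC-TIMESTAMP
    }
    # AS-REP: the enc-part is encrypted with the user's long-term key, so whoever holds
    # it can test password guesses against it offline.
    $sessionKey = [byte[]]::new(32); [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($sessionKey)
    [void]$Kdc.Log.Add("4768 TGT issued for $User (pre-authentication type $paType)")
    return @{ EncPart = (Protect-Blob $acct.Key $sessionKey) }
}

function Invoke-OfflineCrack($Kdc, [string]$User, [string[]]$Wordlist) {
    # No pre-auth required: one request, then every guess is tested locally; the KDC never sees them.
    $rep = Invoke-AsRequest $Kdc $User
    foreach ($guess in $Wordlist) {
        if (Unprotect-Blob (Get-UserKey $guess $User) $rep.EncPart) { return $guess }
    }
}

function Invoke-OnlineGuess($Kdc, [string]$User, [string[]]$Wordlist) {
    # Pre-auth required: every guess goes to the KDC as an encrypted timestamp and is logged when wrong.
    foreach ($guess in $Wordlist) {
        $ts = [BitConverter]::GetBytes([datetime]::UtcNow.Ticks)
        $rep = Invoke-AsRequest $Kdc $User (Protect-Blob (Get-UserKey $guess $User) $ts)
        if (-not $rep.Error) { return $guess }
    }
}

# Constructed sample: the same weak password on both accounts, but only svc-legacy has
# "Do not require Kerberos preauthentication" set.
$kdc = New-Kdc @{
    'svc-legacy' = @{ Password = 'Autumn2023'; RequirePreAuth = $false }
    'jdoe'       = @{ Password = 'Autumn2023'; RequirePreAuth = $true }
}
$wordlist = 'Password1', 'Welcome1', 'Summer2023', 'Autumn2023'
$hit = Invoke-OfflineCrack $kdc 'svc-legacy' $wordlist
"svc-legacy: recovered '$hit' offline; 4771 events so far: $(@($kdc.Log -like '4771*').Count)"
$hit = Invoke-OnlineGuess $kdc 'jdoe' $wordlist
"jdoe: recovered '$hit' online; 4771 events so far: $(@($kdc.Log -like '4771*').Count)"
$kdc.Log
```

Both runs recover the password, because the password is weak either way. The difference is in `$kdc.Log`: the attack on svc-legacy leaves one 4768 entry with pre-authentication type 0 and no 4771 entries, since the guesses never touch the KDC, while every wrong guess against jdoe produces a 4771 entry before the correct one is accepted. That is why pre-authentication does not replace a strong password policy; it makes guessing visible and removes the offline shortcut.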
How to identify accounts with Kerberos pre-authentication disabled: Native tools vs. ADManager Plus
An AD risk assessment will usually flag that some of your user accounts have Kerberos pre-authentication disabled, but it won't necessarily tell you which accounts these are. The setting lives in a bit of each account's userAccountControl attribute, so to list the affected accounts yourself you need to write the LDAP filter or PowerShell query for that flag, or use another tool.
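For readers who want the native route, here is the PowerShell a practitioner would use, added as an example and not ADManager Plus code: it lists the accounts with the flag set, with enough context to judge whether each exception is deliberate, and then clears the flag on the accounts that are not approved exceptions. It assumes the ActiveDirectory module (RSAT) is installed, that the session has rights to read and modify the accounts, and that the approved-exception name svc-legacy-app is a made-up placeholder.

```powershell
# Added example, not ADManager Plus code. Needs the ActiveDirectory module (RSAT) and
# rights to read the accounts and, for the fix, to modify them.
Import-Module ActiveDirectory

# UF_DONT_REQUIRE_PREAUTH = 0x400000 (4194304) in userAccountControl. The LDAP bitwise-AND
# matching rule 1.2.840.113556.1.4.803 selects accounts that have the bit set.
# Equivalent module-only form: Get-ADUser -Filter { DoesNotRequirePreAuth -eq $true }
$LdapFilter = '(userAccountControl:1.2.840.113556.1.4.803:=4194304)'

function Get-PreAuthDisabledUser {
    # Lists user accounts that do not require Kerberos pre-authentication, with the
    # context needed to decide whether the exception is intentional.
    param([string]$SearchBase)   # optional OU distinguished name; whole domain when omitted
    $query = @{
        LDAPFilter = $LdapFilter
        Properties = 'userAccountControl', 'PasswordLastSet', 'LastLogonDate', 'ServicePrincipalName', 'MemberOf'
    }
    if ($SearchBase) { $query.SearchBase = $SearchBase }
    Get-ADUser @query | Select-Object SamAccountName, Enabled, PasswordLastSet, LastLogonDate,
        @{ n = 'UAC';    e = { '0x{0:X}' -f $_.userAccountControl } },
        @{ n = 'HasSPN'; e = { @($_.ServicePrincipalName).Count -gt 0 } },
        @{ n = 'Groups'; e = { @($_.MemberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ';' } }
}

function Enable-KerberosPreAuth {
    # Clears "Do not require Kerberos preauthentication" on the given account; supports -WhatIf/-Confirm.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory, ValueFromPipelineByPropertyName)][string]$SamAccountName)
    process {
        if ($PSCmdlet.ShouldProcess($SamAccountName, 'Require Kerberos pre-authentication')) {
            Set-ADAccountControl -Identity $SamAccountName -DoesNotRequirePreAuth $false
        }
    }
}

# 1. Review the list and record which exceptions are intentional.
$report = Get-PreAuthDisabledUser
$report | Format-Table -AutoSize
$approvedExceptions = @('svc-legacy-app')   # assumption: placeholder name for an account that must keep the flag

# 2. Dry run first, then apply to everything that is not an approved exception.
$report | Where-Object { $_.SamAccountName -notin $approvedExceptions } | Enable-KerberosPreAuth -WhatIf
$report | Where-Object { $_.SamAccountName -notin $approvedExceptions } | Enable-KerberosPreAuth

# 3. Verify: only the approved exceptions should remain.
Get-ADUser -LDAPFilter $LdapFilter | Select-Object -ExpandProperty SamAccountName
```

The HasSPN and Groups columns are there because an account with a service principal name or privileged group membership and pre-authentication disabled is the worst case: its AS-REP can be cracked offline, and the resulting credential is worth having. Those are the rows to fix first, and the ones where a strong, rotated password matters most if the exception has to stay.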
With ADManager Plus’ Custom Reports feature, however, you can easily identify unsecured user accounts in a click and enable their Kerberos pre-authentication from the report itself.
The report that will help find user accounts with Kerberos pre-authentication disabled is the User accounts without Kerberos pre-authentication report under ADManager Plus’ Custom Reports, as shown in Figure 1.
Figure 1. The User accounts without Kerberos pre-authentication report is available under ADManager Plus’ User Reports.
From the user account list, you can check whether each account genuinely needs Kerberos pre-authentication disabled. If an account does not need the exception, you can enable Kerberos pre-authentication for it directly from the report, as shown in Figure 2. For accounts that must keep the exception, make sure they have long, random passwords and watch for ticket requests against them, since their AS-REP can be cracked offline by anyone who asks for it.
In this blog, we discussed Kerberos pre-authentication and its importance in mitigating active password attacks. We also saw how to easily detect users that have Kerberos pre-authentication disabled—and enable Kerberos pre-authentication for these accounts in a few clicks—using ADManager Plus’ Custom Reports feature.