Try Kerberos -crypto AES256-SHA1 when generating keytab
Try to specify the option -crypto AES256-SHA1 on the domain controller while issuing the SPN, trying to enforce a hard encryption type.
It seems that was the reason. After removing and re-generating the SPN, leaving ciphers by default this time, and re-importing the Keytab file in Squid config, Kerberos Auth started working with no issues.
Need UI to try using:
; for Windows 2008+ with AES support (you might want to remove rc4 and des; they are there for compatibility)
default_tgs_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
Check the policy below: "Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Configure encryption types allowed for Kerberos". By default, RC4_HMAC_MD5, AES128_HMAC_SHA1, AES256_HMAC_SHA1 and Future encryption types are checked. In my case, RC4_HMAC_MD5 wasn't checked.
This seems to work. The differences from the docs are in the account settings (see attached screenshot) and the generation command (see below). Even though libdefaults shows the default Kerberos settings do not include AES256, it all works.
We might need to generate libdefault with aes, but what value should be there?
[libdefaults]
default_realm = DILADELE.LAN
default_tgs_enctypes = rc4-hmac des3-hmac-sha1
default_tkt_enctypes = rc4-hmac des3-hmac-sha1
The command to map the user should look like:
ktpass -princ HTTP/proxy.diladele.lan@DILADELE.LAN -mapuser squid@DILADELE.LAN -crypto AES256-SHA1 -pass Passw0rd -ptype KRB5_NT_PRINCIPAL -out krb5.keytab
Output would be:
Targeting domain controller: dc1.diladele.lan
Using legacy password setting method
Successfully mapped HTTP/proxy.diladele.lan to squid.
Key created.
Output keytab to krb5.keytab:
Keytab version: 0x502
keysize 87 HTTP/proxy.diladele.lan@DILADELE.LAN ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x12 (AES256-SHA1) keylength 32 (0xa276729d03d19a94bd82ad7c37514436cdeddbe1be0d41d6d3e2780c69b8d5fc)
After Save and Restart from the Admin UI it should work normally. To verify that, run the klist command on the client machine. It will show AES crypto:
#1> Client: rafael.akchurin @ DILADELE.LAN
Server: HTTP/proxy.diladele.lan @ DILADELE.LAN
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
Start Time: 8/10/2022 7:55:05 (local)
End Time: 8/10/2022 17:37:37 (local)
Renew Time: 8/17/2022 7:37:37 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0
Kdc Called: dc1.diladele.lan
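As an added example (not from this thread or from Diladele's code), the following Python parses the 0x502 keytab format that ktpass writes and lists each entry's principal, kvno and enctype, flagging any RC4/DES keys left behind, so the check can be done on the Squid host without a Windows client. The keytab it parses is constructed inline with dummy key bytes; its AES256 entry comes out at the 87-byte entry size that ktpass reported above.

```python
import struct
# Enctype numbers from RFC 3961/3962/4757; 0x12 (18) is the AES256-SHA1 key ktpass reported
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
WEAK_ENCTYPES = {1, 3, 23}     # DES and RC4 keys should not remain in a modern keytab
def _cstr(b):                  # counted octet string: uint16 big-endian length + bytes
    return struct.pack(">H", len(b)) + b
def _read_cstr(data, pos):     # inverse of _cstr; returns (text, offset after the string)
    n, = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n].decode(), pos + 2 + n
def build_entry(realm, components, enctype, key, vno=3, timestamp=0):
    """Serialise one keytab entry (format 0x502); used here only to construct sample data."""
    body = struct.pack(">H", len(components)) + _cstr(realm.encode())
    body += b"".join(_cstr(c.encode()) for c in components)
    body += struct.pack(">IIB", 1, timestamp, vno & 0xFF)   # name type 1 = KRB5_NT_PRINCIPAL
    body += struct.pack(">HH", enctype, len(key)) + key
    return struct.pack(">i", len(body)) + body                # int32 size prefix covers the body
def parse_keytab(data):
    """Parse an MIT/Windows keytab (version 0x502) into a list of entry dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        size, = struct.unpack_from(">i", data, pos); pos += 4
        if size == 0: break        # zero-length slot: trailing padding, nothing more to read
        if size < 0:               # negative size marks a deleted slot of -size bytes: skip it
            pos -= size; continue
        end = pos + size
        ncomp, = struct.unpack_from(">H", data, pos); pos += 2
        realm, pos = _read_cstr(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_cstr(data, pos); comps.append(c)
        _ntype, _ts, vno = struct.unpack_from(">IIB", data, pos); pos += 9
        etype, klen = struct.unpack_from(">HH", data, pos); pos += 4 + klen   # skip key bytes
        if end - pos >= 4:         # optional 32-bit kvno wins over the 8-bit one when non-zero
            vno = struct.unpack_from(">I", data, pos)[0] or vno
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm, "vno": vno, "etype": etype,
                        "keylen": klen, "enctype": ENCTYPE_NAMES.get(etype, f"etype {etype}")})
    return entries
def audit(entries, required_etype=18):   # -> (ok, findings); ok only with AES256 present and no weak keys
    findings = [f"weak {e['enctype']} key for {e['principal']}" for e in entries if e["etype"] in WEAK_ENCTYPES]
    if required_etype not in {e["etype"] for e in entries}:
        findings.append(f"missing {ENCTYPE_NAMES[required_etype]} key")
    return not findings, findings
# Constructed sample: the AES256 entry from the ktpass run plus a stale RC4 key (dummy key bytes, not real keys)
SPN = ("DILADELE.LAN", ["HTTP", "proxy.diladele.lan"])
SAMPLE_KEYTAB = b"\x05\x02" + build_entry(*SPN, 18, b"\x00" * 32) + build_entry(*SPN, 23, b"\x11" * 16)
```

To check a real file, pass the bytes of the krb5.keytab you imported to parse_keytab() and then audit(); a clean result means exactly the AES256 entry is present and no RC4 or DES key was left behind from an earlier ktpass run.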
Need to update the docs.
The file in /opt/websafety-ui/var/console/squid/templates/squid/confkrb5.conf should look like:
[libdefaults]
default_realm = {{realm}}
default_tgs_enctypes = rc4-hmac des3-hmac-sha1 aes256-cts
default_tkt_enctypes = rc4-hmac des3-hmac-sha1 aes256-cts
Docs are updated.