Kerberos encryption AES128 CTS HMAC and AES128 HMAC

MV 96 Reputation points
2022-12-01T19:52:55.41+00:00

Hello,

We are hardening our Server 2019 and we are using CIS-CAT (cisecurity.org) GPO recommendations. The "Network Security: Configure encryption types allowed for Kerberos" setting started causing problems after October 2022. We have it set to AES128, AES256, and Future encryption types, and originally this wasn't causing issues. Now the problem I am experiencing is that Remote Desktop is not able to connect; also, gpupdate /force gives an error, and rsop.msc works but gives an error as well. Here is what I tried that I know fixes the problem until the machine is restarted again.

If I leave the domain, restart, delete the computer object, recreate the computer object, join the domain and restart, everything seems to work fine. Until I have to restart the system again and I am back at square one.

Now if I enable RC4, AES128, and AES256, Remote Desktop doesn't break, but I believe this is defaulting to RC4 and not using AES128 or AES256. Also, I don't want to turn on RC4.

Here are some of the errors that the server experiences when we have the network security key set to AES128_HMAC, AES256_HMAC, and future encryption:

This error happened after trying to add Remote Desktop Services again after we rejoined the machine to the domain.

> The post installation configuration did not complete. Could not create the Windows Management Instrumentation Windows Firewall exception on server2.LAB.WN.EDU. Could not create the Windows Management Instrumentation Windows Firewall exception on server2.LAB.WN.EDU.  
> System.Management.Automation.Remoting.PSRemotingTransportException: Connecting to remote server server2.LAB.WN.EDU failed with the following error message : WinRM cannot process the request. The following error with errorcode 0x80090342 occurred while using Kerberos authentication: An unknown security error occurred.  
> Possible causes are:  
> -The user name or password specified are invalid.  
> -Kerberos is used when no authentication method and no user name are specified.  
> -Kerberos accepts domain user names, but not local user names.  
> -The Service Principal Name (SPN) for the remote computer name and port does not exist.  
> -The client and remote computers are in different domains and there is no trust between the two domains.  
> After checking for the above issues, try the following:  
> -Check the Event Viewer for events related to authentication.  
> -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport. Note that computers in the TrustedHosts list might not be authenticated.  
> -For more information about WinRM configuration, run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.  
> at Microsoft.RemoteDesktopServices.Management.Cmdlets.CommonUtils.ExecutePowerShellScriptShowError(String serverName, String script, Object argumentList)  
> at Microsoft.RemoteDesktopServices.Management.Cmdlets.CommonUtils.OpenFirewallPort(String serverName)

ID40790:

> The Security System has detected a downgrade attempt when contacting the 3-part SPN  
>  
> ldap/camp.id.wn.edu/id.wn.edu@ID.WN.EDU  
>  
> with error code "The encryption type requested is not supported by the KDC. (0xc00002fd)". Authentication was denied.

ID10154:

> The WinRM service failed to create the following SPNs: WSMAN/server2.lab.wn.edu; WSMAN/server2.  
>  
> Additional Data  
> The error received was 5: %%5.  
>  
> User Action  
> The SPNs can be created by an administrator using setspn.exe utility.

Firewall has been disabled just in case.


3 answers

  1. MV 96 Reputation points
    2022-12-14T18:16:16.283+00:00

    Anyone else having this problem or am I the only one who has had this issue?


  2. Gregory Howard 0 Reputation points
    2023-01-18T19:53:46.37+00:00

    Did you find a solution for this?


  3. Michael Sujka 0 Reputation points
    2023-09-27T16:51:45.69+00:00

    You are not the only person. Any chance anyone else has found a solution?

    External link to Reddit with a similar issue but it isn't speaking about computer accounts, only user accounts: https://www.reddit.com/r/sysadmin/comments/sjop64/anyone_else_being_hit_with_lsasrv_event_id_40970/?scrlybrkr=38ad0813

    On the computer account front, does changing the local password in AD force an update to newer encryption types? (external link)

    https://ss64.com/ps/reset-computermachinepassword.html
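    Added example, not code from anyone in this thread: it decodes the bitmask behind the "Configure encryption types allowed for Kerberos" policy from the question and reads the same bitmask from the server's own computer object (the msDS-SupportedEncryptionTypes attribute the last answer asks about), so the two can be compared before deciding whether a machine account password reset is worth trying. It assumes the ActiveDirectory RSAT module is installed and that the script runs on the affected member server; the flag values and registry path are the documented ones for this policy.

    ```powershell
    # Added example (not from the thread): decode the Kerberos encryption-type bitmask
    # used by the "Network security: Configure encryption types allowed for Kerberos"
    # policy and by the msDS-SupportedEncryptionTypes attribute, then compare what the
    # GPO pushed locally with what AD stores on this server's computer object.
    # Assumes the ActiveDirectory module (RSAT) is available for the AD lookup.

    # Documented bit values; 0x7FFFFFE0 is what the policy's "Future encryption types"
    # checkbox contributes.
    $EncTypeFlags = [ordered]@{
        DES_CBC_CRC             = 0x1
        DES_CBC_MD5             = 0x2
        RC4_HMAC_MD5            = 0x4
        AES128_CTS_HMAC_SHA1_96 = 0x8
        AES256_CTS_HMAC_SHA1_96 = 0x10
        Future_encryption_types = 0x7FFFFFE0
    }

    function ConvertFrom-KerberosEncType {
        # Returns the names of every encryption type enabled in $Value.
        param([int64]$Value)
        if ($Value -eq 0) { return @('(not set: OS defaults apply)') }
        $names = foreach ($name in $EncTypeFlags.Keys) {
            if (($Value -band $EncTypeFlags[$name]) -ne 0) { $name }
        }
        return @($names)
    }

    # 1. The value the GPO wrote on this server.
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
    $local = [int64](Get-ItemProperty -Path $regPath -Name SupportedEncryptionTypes `
                 -ErrorAction SilentlyContinue).SupportedEncryptionTypes
    'Local policy value : 0x{0:X} -> {1}' -f $local, ((ConvertFrom-KerberosEncType $local) -join ', ')

    # 2. The value AD records for this server's computer account.
    Import-Module ActiveDirectory
    $computer = Get-ADComputer -Identity $env:COMPUTERNAME -Properties msDS-SupportedEncryptionTypes
    $adValue  = [int64]$computer.'msDS-SupportedEncryptionTypes'
    'AD account value   : 0x{0:X} -> {1}' -f $adValue, ((ConvertFrom-KerberosEncType $adValue) -join ', ')

    # 3. The mismatch worth noticing: the local policy allows AES (bits 0x8/0x10) while
    #    the computer object does not advertise AES at all (unset or RC4-only).
    if (($local -band 0x18) -ne 0 -and ($adValue -band 0x18) -eq 0) {
        Write-Warning 'Local policy allows AES but the computer object does not advertise it; compare the two before resetting the machine account password.'
    }
    ```

    Run it once after a domain join that works and once after the reboot that breaks things; if the AD value changes between the two runs, the account's advertised encryption types, not the GPO, are what is drifting.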

