How many secret keys does a KDC store per security principal?

DaveC 186 Reputation points
2023-02-02T13:45:33.1+00:00

In Active Directory, I'd like to understand if the KDC stores one single hash of a principal's password, to be used as an encryption key during AS or TGS requests, with encryption taking place at that moment, based upon the selected type (RC4/AES/etc)?

OR, are multiple instances/keys stored per principal, already in various encrypted forms, and the selected form is taken from the store to be used at that moment needed?

Some KDC event IDs (id=16, for example), include the statement: "Changing or resetting the password of<%x> will generate a proper key."

This statement seems to indicate a given form is created and stored by the KDC each time a password is changed? Or is that statement intended to be in reference to the Kerberos CLIENT's ability to use a pwd hash for decryption?

Thanks,

DaveC


Accepted answer
  1. Gary Nebbett 6,186 Reputation points
    2023-02-06T14:18:32.29+00:00

    Hello DaveC,

    As far as I know, there is no single document that contains a "direct" answer to your question.

    Section 3.3.1.1 Account Database Extensions of [MS-KILE] contains the text

    • Secret keys: KILE implementations that use Active Directory for the account database use the supplementalCredentials attribute ([MS-ADA3] section 2.287).

    [MS-ADA3] ultimately references [MS-SAMR] for a full description of supplementalCredentials.

    There are tools that can dump the contents of supplementalCredentials. One example of such a dump, using a tool created by Michael Grafnetter, can be seen here: https://www.dsinternals.com/en/retrieving-active-directory-passwords-remotely/

    Even neglecting the question of key history, there is no single number as an answer to your question - it depends on other settings. If digest authentication is enabled, for example, then 29 hashes are stored just to support that.

    Gary


7 additional answers

  1. Anonymous
    2023-02-02T16:20:09.6433333+00:00

    Something here could help.

    https://learn.microsoft.com/en-us/windows-server/security/kerberos/passwords-technical-overview#how-passwords-are-used-in-windows



  2. DaveC 186 Reputation points
    2023-02-03T15:04:12.2566667+00:00

    Hi DaveP,

    It doesn't quite answer the specific question but thank you for your reply and research. Based on what I've read from section 3.1.3 of the RFC 4120 I think the answer is that it's not just a single hash which the KDC stores per principal. I suppose I'm looking for something explicitly stating as such but haven't had any luck finding it. :)

    -DaveC


  3. Anonymous
    2023-02-03T15:25:08.6833333+00:00

    More here as well.

    https://learn.microsoft.com/en-us/windows/win32/secauthn/key-distribution



