AA88 asked GaryReynolds edited

kerberos authentication error

Hi,

I can log in to any server with authentication successfully. But when it comes to launching or running cmd or PowerShell with admin privileges, it throws an access denied error. Even though I'm an Enterprise Admin or Domain Admin, I don't seem to have access. I only need to try authenticating as a different user with the same account and it succeeds.

Below is the screenshot without authenticating; even though I already have Enterprise Admin, I don't seem to be able to manage the remote server. [screenshot: 1.jpg]


Has anyone encountered this Kerberos authentication error?


Tags: windows-server, windows-active-directory

Thameur-BOURBITA answered

Hi

It seems that the admin account you are using is a member of Protected Users.
You can remove it from Protected Users to be able to use the NTLM protocol for authentication.
Regarding the Kerberos error, check whether the SPN configuration is correct on the impacted server, if you want to keep the privileged admin account in Protected Users.


Please don't forget to mark helpful reply as answer


AA88 answered

@Thameur-BOURBITA

I've checked; the security group does not have Protected Users.


Thameur-BOURBITA answered AA88 commented

Did you check the SPN configuration?

Please don't forget to mark helpful reply as answer


@Thameur-BOURBITA

Is there a standard SPN configuration?

Since the account is more of an administration account rather than a service account.


Hello @Thameur-BOURBITA ,

There isn't any duplicate SPN.

LimitlessTechnology-2700 answered

Hello @AA88

I agree that, besides checking whether Enterprise Admins or Domain Admins is a member of the local Administrators group, you may be using an account added to the "Protected Users" group.

Since local admin security is a concern nowadays, I would recommend implementing LAPS as a solution for centralized local Administrator management of your environment without exposing your Domain Admins groups.

LAPS:
https://www.microsoft.com/en-us/download/details.aspx?id=46899
LAPS Guide:
https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/local-administrator-password-solution-laps-implementation-hints/ba-p/258296

Hope this helps with your query,


--If the reply is helpful, please Upvote and Accept as answer--


AA88 answered

Hello @LimitlessTechnology-2700

The issue is that I'm getting a Kerberos authentication error to any domain server.


GaryReynolds answered GaryReynolds edited

Hi @AA88

I thought I would jump in and give a few pointers to check that Kerberos is working as expected. These tests use NetTools; however, some of the functionality is available in other MS tools, but NetTools makes it easier to jump between tests.

Go to Authentication -> Sessions and confirm that the active session is Kerberos or Negotiate in the Auth column.

[screenshot: Sessions view]

In the Quick Search bar, enter the name of the server you are logged onto and click Search.

[screenshot: Quick Search]

In the search view, double-click on the server. In the Properties dialog, select the Delegation tab, right-click on one of the Service Principal Names and select Request SPN.

[screenshot: Delegation tab]


This will select the Kerberos Tickets option and display all the Kerberos tickets that have been cached; confirm that the selected SPN is in the list and also check the bottom area of the screen for any error messages.

[screenshot: Kerberos Tickets view]


Select Authentication -> User Rights and click Refresh; check the Administrators group to see whether the Attributes are set to D. This means that you have a restricted token and UAC is enabled for privileged users.

[screenshot: User Rights view]



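The same checks the thread walks through (Protected Users membership from the first answer, SPN configuration, cached Kerberos tickets and the UAC-filtered token from the last answer) can be scripted with built-in Windows tools. This is an added example, not NetTools or any poster's code; it assumes the RSAT ActiveDirectory module is installed, and the server name is a placeholder.

```powershell
# Added example: reproduce the thread's Kerberos checks with built-in tooling.
# Run from the session whose admin access is failing. Placeholder names below.
param(
    [string]$Server = "srv01.corp.example",   # placeholder target host (FQDN)
    [string]$User   = $env:USERNAME           # account being tested
)
Import-Module ActiveDirectory

# 1. Protected Users membership: NTLM fallback is disabled for these accounts,
#    so any Kerberos/SPN problem surfaces as a hard access-denied.
$groups = Get-ADPrincipalGroupMembership -Identity $User |
          Select-Object -ExpandProperty Name
if ($groups -contains 'Protected Users') {
    Write-Warning "$User is in Protected Users: Kerberos must succeed, no NTLM fallback."
} else {
    Write-Output "$User is not in Protected Users."
}

# 2. SPNs registered on the target computer account, and forest-wide duplicates.
$hostName = ($Server -split '\.')[0]
Write-Output "SPNs registered for $hostName:"
setspn -L $hostName
Write-Output "Duplicate SPN scan (setspn -X):"
setspn -X 2>&1 | Select-String -Pattern 'duplicate' -Context 0,5

# 3. Request a service ticket for the server (equivalent of NetTools "Request SPN")
#    and list the cached tickets; a KDC error appears here if the SPN is wrong.
klist get "HOST/$Server"
Write-Output "Cached service tickets:"
klist | Select-String -Pattern 'Server:'

# 4. UAC filtered token: Administrators present only as "deny only" means the
#    process is not elevated even though the account is a domain admin.
$tokenGroups = whoami /groups /fo csv | ConvertFrom-Csv
$admins = $tokenGroups | Where-Object { $_.'Group Name' -like '*\Administrators' }
if ($admins.Attributes -match 'deny only') {
    Write-Warning "Administrators is deny-only in this token (restricted token); use an elevated prompt."
} else {
    Write-Output "Administrators token attributes: $($admins.Attributes)"
}
```

Run it once from a normal prompt and once from an elevated one; the step 4 output differing between the two is the restricted-token condition the last answer describes.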