A Service Ticket By Default Lasts For How Long?

A Reddit user raised this great question today that I am not aware of. Then I did a little research and here is the breakdown of what it is.

What is KRBTGT?

The KRBTGT is a local default business relationship that acts every bit a service account for the Key Distribution Center (KDC) service. It's created automatically when a new domain is created.

• Information technology cannot exist deleted
• its name cannot be changed
• it cannot be enabled
• information technology only belongs to the post-obit two groups
  • Domain Users
  • Denied RODC Password Replication Group

KDC service handles all Kerberos ticket requests so KRBTGT account in Advertizing plays a key role that encrypts and sign all Kerberos tickets for the domain.

You can as well apply the PowerShell lawmaking to become the business relationship's detail as well:

Go-AdUser krbtgt -belongings created, passwordlastset, enabled, sid, distinguishedname
        

How information technology works:

1. User logs on with AD user name and password to a domain-joined computer (usually a workstation).
2. The user requests authentication by sending a timestamp (Pre-auth data) encrypted with the users password-based encryption key (password hash).
3. User business relationship ([email protected]) requests a Kerberos service ticket (TGT) with PREAUTH data (Kerberos Equally-REQ).
4. The Kerberos server (KDC) receives the hallmark request, validates the information, and replies with a TGT (Kerberos AS-REP).

Why do yous need to update its password?

99.99% of the fourth dimension, the KRBTGT account's password has not inverse since the AD Domain was set. But since it's a domain account, all writable DCs know the account password in social club to decrypt Kerberos tickets for validation.

Because of that, the attackers may use the KRBTGT account to persist on the network even if every other account has its countersign inverse. During an incredibly crawly talk (Video) at the Black Lid 2014 security conference in Las Vegas, NV in early Baronial, Skip Duckwall & Benjamin Delpy spoke well-nigh a method (using Mimikatz) to generate your own Kerberos tickets (aka theAureate Ticket).

And that's why Microsoft now recommends that the KRBTGT password alter on a regular basis.

How to alter the password?

Microsoft posted a KRBTGT account password PowerShell script on TechNet that volition change the KRBTGT account password once for a domain, force replication, and monitor change status.

Note that changing the KRBTGT account countersign in a 2008 (or higher) DFL volition not cause replication issues.

There are two KRBTGT Password Alter Scenarios:

• Maintenance: Changing the KRBTGT business relationship password in one case, waiting for replication to consummate (and the woods converge), and and so irresolute the password a 2nd time, provides a solid procedure for ensuring the KRBTGT account is protected and reduces gamble (Kerberos and application issues).
• Breach Recovery: Changing the KRBTGT account countersign twice in rapid succession (before Advertising replication completes) will invalidate all existing TGTs forcing clients to re-cosign since the KDC service will exist unable to decrypt the existing TGTs. Choosing this path will likely crave rebooting application servers (or at least re-starting application services to become them talking Kerberos correctly again).

Resources:

• Kerberos & KRBTGT: Active Directory's Domain Kerberos Service Business relationship
• Agile Directory Accounts
• Reset the krbtgt business relationship password/keys

Source: https://www.kjctech.net/do-you-need-to-update-krbtgt-account-password/

Posted by: croninhearating.blogspot.com

Share this post