I've been working on cleaning up my Active Directory environments, specifically addressing the use of RC4 for Kerberos tickets by setting the msDS-SupportedEncryptionTypes for the target accounts to 18. While I haven't enabled the domain-wide blocks via Group Policy yet, that's on my agenda. However, I'm concerned about the krbtgt account itself. In several environments, although the password for this account has been rotated recently, its msDS-SupportedEncryptionTypes is still set to 0. It's puzzling because some accounts interacting with the krbtgt account are getting AES256-SHA96 tickets but are still using RC4 session keys. Should I be worried about this?
1 Answer
Yes, this is a concern. The krbtgt account's password may need to be rotated twice if you haven't done that yet. The first reset keeps an old password that allows domain machines to update their tickets and stop using RC4. The second rotation replaces that old password, making it so the updated containers aren’t encrypted with RC4 anymore.

I think I actually did rotate them twice, with a 24-hour gap between resets. Can’t remember exactly, though.
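Decoding the msDS-SupportedEncryptionTypes bitmask and listing the accounts (krbtgt included) whose value is unset or still permits RC4, as an added PowerShell example that is not part of the original thread. It assumes the ActiveDirectory RSAT module and read access to the attribute; the ConvertFrom-SupportedEtypes helper is my own name, not a built-in cmdlet.

```powershell
# Added example (not from the thread above). Requires the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

# Bit values of msDS-SupportedEncryptionTypes (MS-KILE 2.2.7).
$EtypeBits = [ordered]@{
    DES_CBC_CRC             = 0x01
    DES_CBC_MD5             = 0x02
    RC4_HMAC                = 0x04
    AES128_CTS_HMAC_SHA1_96 = 0x08
    AES256_CTS_HMAC_SHA1_96 = 0x10
}
$KnownBits = 0x1F
$AesOnly   = 0x18   # AES128 + AES256, no RC4 or DES

function ConvertFrom-SupportedEtypes {
    # Turn the raw attribute value into the list of etype names it enables.
    param($Value)
    [int]$v = if ($null -eq $Value) { 0 } else { $Value }
    if ($v -eq 0) { return @('<not set: DC default applies, RC4 still offered>') }
    [string[]]$names = @(foreach ($e in $EtypeBits.GetEnumerator()) {
        if ($v -band $e.Value) { $e.Key }
    })
    $extra = $v -band (-bnot $KnownBits)
    if ($extra) { $names += ('other bits 0x{0:X}' -f $extra) }
    return $names
}

# Constructed sample values: shows what 18 (decimal) actually enables versus 24 (0x18).
foreach ($sample in 0, 18, 24, 28) {
    '{0,3} -> {1}' -f $sample, ((ConvertFrom-SupportedEtypes $sample) -join ', ')
}

# Audit: every user and computer object (computer derives from user), flagging
# anything that is unset or still has the RC4 bit, plus krbtgt regardless of value.
$accounts = Get-ADObject -LDAPFilter '(objectClass=user)' `
    -Properties 'msDS-SupportedEncryptionTypes', 'sAMAccountName'

$report = foreach ($a in $accounts) {
    $raw = $a.'msDS-SupportedEncryptionTypes'
    [int]$v = if ($null -eq $raw) { 0 } else { $raw }
    [pscustomobject]@{
        Account   = $a.sAMAccountName
        RawValue  = $v
        Etypes    = (ConvertFrom-SupportedEtypes $v) -join ','
        AllowsRC4 = ($v -eq 0) -or (($v -band $EtypeBits.RC4_HMAC) -ne 0)
        AESOnly   = ($v -ne 0) -and (($v -band -bnot $AesOnly) -eq 0)
    }
}
$report | Where-Object { $_.Account -eq 'krbtgt' -or $_.AllowsRC4 } |
    Sort-Object Account | Format-Table -AutoSize
# To move an account to AES only: Set-ADObject -Identity <DN> -Replace @{'msDS-SupportedEncryptionTypes'=0x18}
```

The sample loop makes the decimal/hex distinction visible: decimal 18 is AES256 plus DES-CBC-MD5, while 0x18 (decimal 24) is the AES128+AES256 combination.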