
StrongWind1/Kerberos

Protocol internals, security configuration, and attack techniques for Kerberos in Active Directory.

Quick Start

RC4 enforcement starts April 2026. Accounts without msDS-SupportedEncryptionTypes explicitly set will stop getting RC4 tickets. July 2026 makes it permanent with no rollback. The fix is two settings: msDS-SupportedEncryptionTypes = 24 on every SPN-bearing account, and DefaultDomainSupportedEncTypes = 24 on every DC.

Not sure where your domain stands? The Quick Start Guide covers what you need to know in 5 minutes. Ready to run the migration? Go straight to the Standardization Guide.
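As an added example (not code from this repository), the following PowerShell audits every SPN-bearing account for a missing or legacy-only msDS-SupportedEncryptionTypes and then applies the two settings named above. It assumes the RSAT ActiveDirectory module, rights to write the attribute and the DC registry, and that you review the report before removing -WhatIf.

```powershell
# Added example, not code from the repository. Audits SPN-bearing accounts for a
# missing msDS-SupportedEncryptionTypes and applies the two Quick Start settings.
# Assumes the RSAT ActiveDirectory module and rights to write the attribute / DC registry.
Import-Module ActiveDirectory

# Bit flags of msDS-SupportedEncryptionTypes; 0x08 + 0x10 = 24 means AES only, no RC4 or DES.
$AES128 = 0x08
$AES256 = 0x10
$Legacy = 0x07                    # DES-CBC-CRC | DES-CBC-MD5 | RC4-HMAC
$Target = $AES128 -bor $AES256    # 24

function Get-SpnEncTypeReport {
    # Users and computers with an SPN receive service tickets, so each one needs a value.
    $filter = '(&(servicePrincipalName=*)(|(objectClass=user)(objectClass=computer)))'
    Get-ADObject -LDAPFilter $filter -Properties msDS-SupportedEncryptionTypes | ForEach-Object {
        $raw = $_.'msDS-SupportedEncryptionTypes'
        if ($null -eq $raw -or $raw -eq 0)       { $state = 'NotSet' }        # stops getting RC4 tickets at enforcement
        elseif (($raw -band $Target) -eq 0)      { $state = 'LegacyOnly' }    # RC4/DES only: breaks the same way
        elseif ($raw -band $Legacy)              { $state = 'AesPlusLegacy' } # works, but still tolerates RC4
        else                                     { $state = 'AesOnly' }
        [pscustomobject]@{ Name = $_.Name; Class = $_.ObjectClass; Value = $raw; State = $state; DN = $_.DistinguishedName }
    }
}

$report = Get-SpnEncTypeReport
$report | Sort-Object State, Name | Format-Table Name, Class, Value, State -AutoSize

# Setting 1: msDS-SupportedEncryptionTypes = 24 on accounts that have nothing set.
# krbtgt is skipped here and should be reviewed separately. Remove -WhatIf to apply.
$report | Where-Object { $_.State -eq 'NotSet' -and $_.Name -ne 'krbtgt' } | ForEach-Object {
    Set-ADObject -Identity $_.DN -Replace @{ 'msDS-SupportedEncryptionTypes' = $Target } -WhatIf
}

# Setting 2: DefaultDomainSupportedEncTypes = 24 on every DC (KDC service registry key).
$kdcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$dcs = (Get-ADDomainController -Filter *).HostName
Invoke-Command -ComputerName $dcs -ScriptBlock {
    param($Path, $Value)
    New-ItemProperty -Path $Path -Name 'DefaultDomainSupportedEncTypes' -PropertyType DWord -Value $Value -Force
} -ArgumentList $kdcKey, $Target
```

Accounts reported as LegacyOnly or AesPlusLegacy already have a value, so the bulk change leaves them alone; they need AES keys (a password reset after AES is enabled) before their flags are tightened.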

Protocol

How Kerberos actually works in Active Directory. Wire protocol, ticket structures, key derivation, grounded in RFC 4120 and the MS-KILE spec.

| Page | What it covers |
|---|---|
| Active Directory Components | DCs, KDCs, the Global Catalog, and how AD maps to Kerberos concepts |
| Principals & Realms | UPNs, SPNs, realm trust, and principal naming conventions |
| Protocol Overview | The three-party model and the full AS/TGS/AP ticket exchange sequence |
| AS Exchange | TGT acquisition, pre-authentication, PA-ETYPE-INFO2, and the krbtgt key |
| TGS Exchange | Service ticket issuance, etype selection, and the KDC's decision logic |
| AP Exchange | Authenticator construction, mutual authentication, and session key establishment |
| Ticket Structure | Wire format, PAC contents, PAC signatures, and the impact of KB5008380 |
| Pre-Authentication | PA-DATA types, FAST armoring, and what happens when pre-auth is disabled |
| Encryption Types | DES, RC4, AES128, AES256: key derivation, usage, and negotiation rules |
| S4U Extensions | S4U2Self, S4U2Proxy, FORWARDABLE flag, and RBCD vs constrained delegation |
| Cross-Realm Auth | Inter-forest referrals, trust keys, and cross-realm ticket flow |
| Delegation | Unconstrained, constrained, and resource-based constrained delegation |

Security

The RC4 deprecation deadline is April 2026 with permanent enforcement in July. This section covers how to audit your domain, what to configure, and how to migrate before it matters.

Encryption

| Page | What it covers |
|---|---|
| Encryption Negotiation | How the KDC, client, and service account flags combine to select an etype |
| Etype Decision Guide | All 12 inputs that determine which etype appears in a ticket |
| Algorithms & Keys | DES / RC4 / AES key derivation, cracking speed comparison, the double-reset problem |

Configuration

| Page | What it covers |
|---|---|
| msDS-SupportedEncryptionTypes | Bit flags, defaults per account type, bulk queries, and bulk update scripts |
| Registry Settings | Every Kerberos-relevant registry value on DCs and clients with safe defaults |
| Registry Audit | Lab-validated registry reference with per-key observed behavior |
| Group Policy | GPO settings that affect Kerberos, override precedence, and gotchas |

Hardening

| Page | What it covers |
|---|---|
| RC4 Deprecation | CVE-2026-20833 timeline, Kdcsvc events 201-209, and pre-enforcement checklist |
| Auditing Kerberos Keys | Finding accounts with weak or missing AES keys before enforcement hits |
| Standardization Guide | AES migration playbook: two paths, every command, every verification step |
| Mitigations | Defenses ranked by impact, from gMSA deployment to KRBTGT rotation |

Reference

| Page | What it covers |
|---|---|
| Troubleshooting | Common Kerberos errors, event IDs, and diagnostic procedures |
| Quick Start Guide | 5-minute encryption type overview with diagrams, for people who want the short version |

Interactive Tools

| Tool | What it does |
|---|---|
| Encryption Type Calculator | Compute the winning etype given any combination of account flags and registry settings |
| Event Decoder | Decode Kerberos event log entries (IDs 4768, 4769, 4770) into human-readable output |

Attacks

Every major Kerberos attack with enough detail to understand why it works, not just how to run the tool.

Roasting (Offline Credential Cracking)

| Attack | Target | Hashcat mode |
|---|---|---|
| Kerberoasting | TGS-REP enc-part (user service account key) | 13100 (RC4), 19700 (AES256) |
| AS-REP Roasting | AS-REP enc-part (no pre-auth accounts) | 18200 (RC4), 32200 (AES256) |
| AS-REQ Roasting | PA-ENC-TIMESTAMP (passive capture) | 7500 (RC4), 19900 (AES256) |

Credential Theft

| Attack | What it abuses |
|---|---|
| Pass-the-Ticket | Stolen TGT or service ticket injected into a session |
| Pass-the-Key | RC4/AES key used directly without the plaintext password |
| Password Spraying | AS-REQ pre-auth failures as a low-noise enumeration oracle |
| User Enumeration | KDC error codes that distinguish valid from invalid usernames |

Ticket Forgery

| Attack | What it forges |
|---|---|
| Golden Ticket | Arbitrary TGT using the krbtgt key |
| Silver Ticket | Arbitrary service ticket using the target account key |
| Diamond Ticket | Modified legitimate TGT with a forged PAC |
| Sapphire Ticket | Forged TGT carrying a legitimate PAC via S4U2Self |

Delegation Abuse

| Attack | What it abuses |
|---|---|
| Delegation Attacks | Unconstrained, constrained, and RBCD misconfigurations |
| S4U2Self Abuse | Computer account S4U for local privilege escalation |
| SPN-jacking | Delegation redirect by moving SPNs between accounts |

Development

git clone https://github.com/StrongWind1/Kerberos.git
cd Kerberos
uv sync --group docs                              # install dependencies
uv run --group docs mkdocs serve                  # live preview at http://127.0.0.1:8000
uv run --group docs mkdocs build --strict         # full build with link checking

License

Apache License 2.0
