It has become common place to consider the position of the RC4 cipher in TLS connections, but this is not something that you can take from a TLS connection (HTTPS) and assume the same for Kerberos connections. If you do disable RC4 for Kerberos then there are some things to consider, especially is you have ADFS servers in place and multiple forests that are trusted.
If RC4 is disabled in group policy and the trusted domain is Forest Functional Level 2003 then your ADFS logins across the trusts are not going to work. You need a FFL of 2008 (maybe R2) to support AES authentication across the trust (and to ensure the trust supports AES in the trust settings) before you can turn of RC4.
If you have disabled RC4 in the ADFS domain and you try and login with an account in a FFL 2003 trusted forest then Kerberos auth will fail, ADFS will be unable to read the token (the encryption type is wrong) and the fields of the SAML token are invalid. You get a lovely error in ADFS Debug logs that reads as follows (Event ID: 52):
ServiceHostManager.LogFailedAuthenticationInfo: Token of type ‘http://schemas.microsoft.com/ws/2006/05/identitymodel/tokens/UserName’ validation failed with following exception details:
System.ArgumentOutOfRangeException: Not a valid Win32 FileTime.
Parameter name: fileTime at System.DateTime.FromFileTimeUtc(Int64 fileTime) at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetPasswordExpiryDetails(SafeLsaReturnBufferHandle profileHandle, DateTime& nextPasswordChange, DateTime& lastPasswordChange) at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserInfo(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String authenticationType, String issuerName) at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUser(UserNameSecurityToken token, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String issuerName) at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateTokenInternal(SecurityToken token) at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateToken(SecurityToken token)
The GPO setting that removes RC4 encryption needs to be enabled on the domain controllers and on the ADFS servers. This policy is found under the “Network security: Configure encryption types allowed for Kerberos” option as per https://technet.microsoft.com/en-us/library/jj852180(v=ws.11).aspx with only DES and AES.
If this is your issue, then reenable RC4 for Kerberos on the domain controllers and recreate the trust between the forests. Recreating trust after enabling RC4 in GPO meant the new password’s RC4 related keys were stored in the trust object related user account’s password. Then TGT could be decrypted and used for Kerberos successfully.
Leave a Reply