{"id":2654,"date":"2021-01-22T00:31:30","date_gmt":"2021-01-21T23:31:30","guid":{"rendered":"https:\/\/azuregeek.io\/?p=2654"},"modified":"2021-01-23T01:52:40","modified_gmt":"2021-01-23T00:52:40","slug":"azure-ad-sso-absichern-und-rc4-hmac-deaktivieren","status":"publish","type":"post","link":"https:\/\/azuregeek.io\/en\/secure-azure-ad-sso-and-disable-rc4-hmac\/","title":{"rendered":"Secure Active Directory + Azure AD SSO and disable RC4-HMAC"},"content":{"rendered":"<div data-elementor-type=\"wp-post\" data-elementor-id=\"2654\" class=\"elementor elementor-2654\" data-elementor-post-type=\"post\">\n\t\t\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-8e1c19c elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"8e1c19c\" data-element_type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-d018bf7\" data-id=\"d018bf7\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-afeac1e elementor-drop-cap-yes elementor-drop-cap-view-default elementor-widget elementor-widget-text-editor\" data-id=\"afeac1e\" data-element_type=\"widget\" data-settings=\"{&quot;drop_cap&quot;:&quot;yes&quot;}\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>RC4-HMAC has long been regarded as an\u00a0<a href=\"https:\/\/blog.qualys.com\/product-tech\/2013\/03\/19\/rc4-in-tls-is-broken-now-what\" target=\"_blank\" rel=\"noopener\">insecure and attackable<\/a>\u00a0encryption algorithm. 
If it is used in an Active Directory domain to encrypt Kerberos tickets, there is even the risk of a <a href=\"https:\/\/blog.xpnsec.com\/kerberos-attacks-part-1\/\" target=\"_blank\" rel=\"noopener\">Kerberoasting attack<\/a>, in which an attacker can take control of service accounts.<\/p><p>As a mitigation, disabling RC4-HMAC and enabling the AES128 and AES256 encryption types for Kerberos tickets has been recommended since Windows Server 2008. For some incomprehensible reason, it was not until Windows Server 2019 that Microsoft decided to disable or no longer support RC4-HMAC by default.\u00a0<\/p><p>If Azure AD Connect with Single Sign-On is also in use, it was not possible to disable RC4-HMAC until fall 2020, because the AES128\/AES256 encryption types were not supported there. In the meantime, the more modern algorithms are supported. In this article, I explain the steps necessary for switching to the more secure AES algorithms.<\/p><p>Let's first look at how we can identify authentication operations that use the RC4-HMAC algorithm. Once Kerberos logging is enabled (see <a href=\"https:\/\/www.manageengine.com\/products\/active-directory-audit\/how-to\/audit-kerberos-authentication-events.html\" target=\"_blank\" rel=\"noopener\">Enabling Kerberos Logging<\/a>), every issued Kerberos service ticket is recorded with <b>Event ID 4769<\/b> in the security log of a domain controller. 
In the screenshot below, the <b>Ticket Encryption Type<\/b> field shows the value 0x17:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-87126a5 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"87126a5\" data-element_type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-e5c58b5\" data-id=\"e5c58b5\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-c2d6c74 elementor-widget elementor-widget-image\" data-id=\"c2d6c74\" data-element_type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img fetchpriority=\"high\" decoding=\"async\" width=\"1024\" height=\"576\" src=\"https:\/\/azuregeek.io\/wp-content\/uploads\/2021\/01\/Kerberos-RC4-HMAC-45x25.png\" class=\"attachment-large size-large wp-image-2663 lazy\" alt=\"\" data-srcset=\"https:\/\/azuregeek.io\/wp-content\/uploads\/2021\/01\/Kerberos-RC4-HMAC-1024x576.png 1024w, https:\/\/azuregeek.io\/wp-content\/uploads\/2021\/01\/Kerberos-RC4-HMAC-300x169.png 300w, https:\/\/azuregeek.io\/wp-content\/uploads\/2021\/01\/Kerberos-RC4-HMAC-768x432.png 768w, https:\/\/azuregeek.io\/wp-content\/uploads\/2021\/01\/Kerberos-RC4-HMAC-16x9.png 16w, https:\/\/azuregeek.io\/wp-content\/uploads\/2021\/01\/Kerberos-RC4-HMAC-1100x620.png 1100w, https:\/\/azuregeek.io\/wp-content\/uploads\/2021\/01\/Kerberos-RC4-HMAC-45x25.png 45w, https:\/\/azuregeek.io\/wp-content\/uploads\/2021\/01\/Kerberos-RC4-HMAC.png 1300w\" data-sizes=\"100vw\" 
data-width=\"1024\" data-height=\"576\" data-src=\"https:\/\/azuregeek.io\/wp-content\/uploads\/2021\/01\/Kerberos-RC4-HMAC-1024x576.png\" srcset=\"https:\/\/azuregeek.io\/wp-content\/uploads\/2021\/01\/Kerberos-RC4-HMAC-45x25.png 45w, https:\/\/azuregeek.io\/wp-content\/uploads\/2021\/01\/Kerberos-RC4-HMAC-300x169.png 300w, https:\/\/azuregeek.io\/wp-content\/uploads\/2021\/01\/Kerberos-RC4-HMAC-1024x576.png 1024w, https:\/\/azuregeek.io\/wp-content\/uploads\/2021\/01\/Kerberos-RC4-HMAC-768x432.png 768w, https:\/\/azuregeek.io\/wp-content\/uploads\/2021\/01\/Kerberos-RC4-HMAC-16x9.png 16w, https:\/\/azuregeek.io\/wp-content\/uploads\/2021\/01\/Kerberos-RC4-HMAC-1100x620.png 1100w, https:\/\/azuregeek.io\/wp-content\/uploads\/2021\/01\/Kerberos-RC4-HMAC.png 1300w\" sizes=\"(min-width: 960px) 75vw, 100vw\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-1584fd0 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"1584fd0\" data-element_type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-dddfdd2\" data-id=\"dddfdd2\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-2dbd11c elementor-widget elementor-widget-text-editor\" data-id=\"2dbd11c\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>According to the following listing, this is a Kerberos ticket encrypted with the RC4-HMAC algorithm:<\/p><ul><li>0x11 - AES128-HMAC-SHA1<\/li><li>0x12 - AES256-HMAC-SHA1<\/li><li>0x17 - 
RC4-HMAC<\/li><\/ul><div><p>To disable RC4-HMAC encryption, the following steps are necessary:<\/p><ol><li>Enable AES support in domain trusts (if trusts exist)<\/li><li>Enforce AES256 for the Azure AD SSO account in Active Directory<\/li><li>Roll over the Kerberos decryption key (to make SSO work again)<\/li><li>Disable RC4-HMAC via Group Policy<\/li><\/ol><\/div>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-ca5b6a9 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"ca5b6a9\" data-element_type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-f312d0f\" data-id=\"f312d0f\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-25fc0a3 elementor-widget elementor-widget-heading\" data-id=\"25fc0a3\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">1. 
Enable AES256 support in AD trusts<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-ee4ff89 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"ee4ff89\" data-element_type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-d5b1159\" data-id=\"d5b1159\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-6b38a0a elementor-widget elementor-widget-text-editor\" data-id=\"6b38a0a\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>If multiple Active Directory domains are linked via trusts, the RC4 algorithm is used by default for access to the other domains within the forest. 
Therefore, if we disable RC4-HMAC in the last step, access to the other domains within the forest is no longer possible without the following change.<\/p><p>Use the following steps to enable AES256 support for domain trusts:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-00d95bf elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"00d95bf\" data-element_type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-33 elementor-top-column elementor-element elementor-element-206049a\" data-id=\"206049a\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-30aeabc elementor-view-default elementor-widget elementor-widget-icon\" data-id=\"30aeabc\" data-element_type=\"widget\" data-widget_type=\"icon.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-icon-wrapper\">\n\t\t\t<div class=\"elementor-icon\">\n\t\t\t<i aria-hidden=\"true\" class=\"far fa-lightbulb\"><\/i>\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<div class=\"elementor-column elementor-col-66 elementor-top-column elementor-element elementor-element-f01763a\" data-id=\"f01763a\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-4fb26f6 elementor-widget elementor-widget-text-editor\" data-id=\"4fb26f6\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<ol><li>Open <em>Active 
Directory Domains and Trusts<\/em> and navigate to the affected domain (in this example <em>contoso.com<\/em>)<\/li><li>Right-click the domain <em>contoso.com<\/em> and then click <em>Properties<\/em><\/li><li>Select the <em>Trusts<\/em> tab, select the corresponding partner domain in the box <em>Domains that trust this domain (incoming trusts)<\/em> and click <em>Properties<\/em> again<\/li><li>Check the box <em>The other domain supports Kerberos AES Encryption\u00a0<\/em>and confirm with a click on <em>OK<\/em><\/li><li>Repeat these steps for the <em>outgoing trusts<\/em> and analogously in the corresponding partner domain.<\/li><\/ol><p><img decoding=\"async\" class=\"aligncenter wp-image-2692 lazy\" src=\"https:\/\/azuregeek.io\/wp-content\/uploads\/2021\/01\/Child-Domain-45x53.png\" alt width=\"400\" height=\"474\" data-width=\"400\" data-height=\"474\" data-src=\"https:\/\/azuregeek.io\/wp-content\/uploads\/2021\/01\/Child-Domain.png\" srcset=\"https:\/\/azuregeek.io\/wp-content\/uploads\/2021\/01\/Child-Domain-45x53.png 45w, https:\/\/azuregeek.io\/wp-content\/uploads\/2021\/01\/Child-Domain-253x300.png 253w, https:\/\/azuregeek.io\/wp-content\/uploads\/2021\/01\/Child-Domain-10x12.png 10w, https:\/\/azuregeek.io\/wp-content\/uploads\/2021\/01\/Child-Domain.png 698w\" sizes=\"(min-width: 960px) 75vw, 100vw\" \/><noscript><span class=\"placeholder-el\" data-svq-align=\"center\"><img decoding=\"async\" class=\"aligncenter wp-image-2692 lazy\" src=\"https:\/\/azuregeek.io\/wp-content\/uploads\/2021\/01\/Child-Domain-45x53.png\" alt width=\"400\" height=\"474\" data-srcset=\"https:\/\/azuregeek.io\/wp-content\/uploads\/2021\/01\/Child-Domain.png 698w, https:\/\/azuregeek.io\/wp-content\/uploads\/2021\/01\/Child-Domain-253x300.png 253w, https:\/\/azuregeek.io\/wp-content\/uploads\/2021\/01\/Child-Domain-10x12.png 10w, https:\/\/azuregeek.io\/wp-content\/uploads\/2021\/01\/Child-Domain-45x53.png 45w\" data-sizes=\"(min-width: 
960px) 75vw, 100vw\" data-width=\"400\" data-height=\"474\" data-src=\"https:\/\/azuregeek.io\/wp-content\/uploads\/2021\/01\/Child-Domain.png\" style=\"height: 0; width: 400px; padding-bottom: 118.50%;\"><span class=\"svq-img-loader\"><\/span><\/span><noscript><img decoding=\"async\" class=\"aligncenter wp-image-2692\" src=\"https:\/\/azuregeek.io\/wp-content\/uploads\/2021\/01\/Child-Domain.png\" alt=\"\" width=\"400\" height=\"474\" srcset=\"https:\/\/azuregeek.io\/wp-content\/uploads\/2021\/01\/Child-Domain.png 698w, https:\/\/azuregeek.io\/wp-content\/uploads\/2021\/01\/Child-Domain-253x300.png 253w, https:\/\/azuregeek.io\/wp-content\/uploads\/2021\/01\/Child-Domain-10x12.png 10w, https:\/\/azuregeek.io\/wp-content\/uploads\/2021\/01\/Child-Domain-45x53.png 45w\" sizes=\"(min-width: 960px) 75vw, 100vw\" \/><\/noscript><\/noscript><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-7b72fd8 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"7b72fd8\" data-element_type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-b080c94\" data-id=\"b080c94\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-e6c2445 elementor-widget elementor-widget-heading\" data-id=\"e6c2445\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">2. 
Enforce AES256 for Azure AD SSO<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-fa36a75 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"fa36a75\" data-element_type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-0b5d3c2\" data-id=\"0b5d3c2\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-d91ea45 elementor-widget elementor-widget-text-editor\" data-id=\"d91ea45\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>To make the switch to AES256 as non-disruptive as possible, we explicitly enforce AES256 on the Azure AD SSO account before globally disabling RC4-HMAC via group policy.<\/p><p>Use the following steps to enforce AES256 for the Azure AD SSO account:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-70a5de0 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"70a5de0\" data-element_type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-33 elementor-top-column elementor-element elementor-element-2bd3d8c\" data-id=\"2bd3d8c\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element 
elementor-element-e153c0b elementor-view-default elementor-widget elementor-widget-icon\" data-id=\"e153c0b\" data-element_type=\"widget\" data-widget_type=\"icon.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-icon-wrapper\">\n\t\t\t<div class=\"elementor-icon\">\n\t\t\t<i aria-hidden=\"true\" class=\"far fa-lightbulb\"><\/i>\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<div class=\"elementor-column elementor-col-66 elementor-top-column elementor-element elementor-element-929bcb9\" data-id=\"929bcb9\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-ebedefd elementor-widget elementor-widget-text-editor\" data-id=\"ebedefd\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<ol><li>Open <em>Active Directory Users and Computers<\/em> and enable <em>Advanced Features<\/em> in the <em>View<\/em> menu<\/li><li>Navigate to the OU where the AZUREADSSOACC object is located and open it with a double click.<\/li><li>Click on the <em>Attribute Editor<\/em> tab and navigate to the attribute <em>msDS-SupportedEncryptionTypes<\/em><\/li><li>Set the value of the attribute to <em>16<\/em> (AES256 only) and confirm with <em>OK<\/em><\/li><\/ol><p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-2697 lazy\" src=\"https:\/\/azuregeek.io\/wp-content\/uploads\/2021\/01\/AZUREADSSOACC-EcnryptionTypes-45x54.png\" alt width=\"400\" height=\"480\" data-width=\"400\" data-height=\"480\" data-src=\"https:\/\/azuregeek.io\/wp-content\/uploads\/2021\/01\/AZUREADSSOACC-EcnryptionTypes.png\" srcset=\"https:\/\/azuregeek.io\/wp-content\/uploads\/2021\/01\/AZUREADSSOACC-EcnryptionTypes-45x54.png 45w, 
https:\/\/azuregeek.io\/wp-content\/uploads\/2021\/01\/AZUREADSSOACC-EcnryptionTypes-250x300.png 250w, https:\/\/azuregeek.io\/wp-content\/uploads\/2021\/01\/AZUREADSSOACC-EcnryptionTypes-10x12.png 10w, https:\/\/azuregeek.io\/wp-content\/uploads\/2021\/01\/AZUREADSSOACC-EcnryptionTypes.png 464w\" sizes=\"(min-width: 960px) 75vw, 100vw\" \/><noscript><span class=\"placeholder-el\" data-svq-align=\"center\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-2697 lazy\" src=\"https:\/\/azuregeek.io\/wp-content\/uploads\/2021\/01\/AZUREADSSOACC-EcnryptionTypes-45x54.png\" alt width=\"400\" height=\"480\" data-srcset=\"https:\/\/azuregeek.io\/wp-content\/uploads\/2021\/01\/AZUREADSSOACC-EcnryptionTypes.png 464w, https:\/\/azuregeek.io\/wp-content\/uploads\/2021\/01\/AZUREADSSOACC-EcnryptionTypes-250x300.png 250w, https:\/\/azuregeek.io\/wp-content\/uploads\/2021\/01\/AZUREADSSOACC-EcnryptionTypes-10x12.png 10w, https:\/\/azuregeek.io\/wp-content\/uploads\/2021\/01\/AZUREADSSOACC-EcnryptionTypes-45x54.png 45w\" data-sizes=\"(min-width: 960px) 75vw, 100vw\" data-width=\"400\" data-height=\"480\" data-src=\"https:\/\/azuregeek.io\/wp-content\/uploads\/2021\/01\/AZUREADSSOACC-EcnryptionTypes.png\" style=\"height: 0; width: 400px; padding-bottom: 120.00%;\"><span class=\"svq-img-loader\"><\/span><\/span><noscript><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-2697\" src=\"https:\/\/azuregeek.io\/wp-content\/uploads\/2021\/01\/AZUREADSSOACC-EcnryptionTypes.png\" alt=\"\" width=\"400\" height=\"480\" srcset=\"https:\/\/azuregeek.io\/wp-content\/uploads\/2021\/01\/AZUREADSSOACC-EcnryptionTypes.png 464w, https:\/\/azuregeek.io\/wp-content\/uploads\/2021\/01\/AZUREADSSOACC-EcnryptionTypes-250x300.png 250w, https:\/\/azuregeek.io\/wp-content\/uploads\/2021\/01\/AZUREADSSOACC-EcnryptionTypes-10x12.png 10w, https:\/\/azuregeek.io\/wp-content\/uploads\/2021\/01\/AZUREADSSOACC-EcnryptionTypes-45x54.png 45w\" sizes=\"(min-width: 960px) 75vw, 
100vw\" \/><\/noscript><\/noscript><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-5f23e91 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"5f23e91\" data-element_type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-abd7fc5\" data-id=\"abd7fc5\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-b66dfe8 elementor-widget elementor-widget-heading\" data-id=\"b66dfe8\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">3. 
Roll over the SSO decryption key<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-eb8b1be elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"eb8b1be\" data-element_type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-916f33c\" data-id=\"916f33c\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-0063a0a elementor-widget elementor-widget-text-editor\" data-id=\"0063a0a\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>After enforcing AES256 for the Azure AD SSO account, we need to renew the Kerberos decryption key in Azure AD to ensure that SSO continues to work.<\/p><p>The rollover of the SSO decryption key is done in a few steps. Since there are already extensive and very good instructions for this, I have refrained from creating yet another tutorial \ud83d\ude42 The following tutorial is, in my opinion, one of the best and most understandable:\u00a0<a href=\"https:\/\/azurecloudai.blog\/2020\/08\/03\/roll-over-kerberos-decryption-key-for-seamless-sso-computer-account\/\" target=\"_blank\" rel=\"noopener\">Roll over Kerberos decryption key for Seamless SSO computer account - Azure Cloud &amp; AI Blog<\/a><\/p><h5>Side Note: Securing the Azure AD SSO Account<\/h5><p>When you set up SSO, Azure AD Connect automatically creates a computer account (\"AZUREADSSOACC\"). 
This account represents Azure AD in Active Directory.<\/p><p><em>This is how a login via SSO works:<\/em> The user's browser requests a Kerberos ticket for the AZUREADSSOACC account. After a successful login, a domain controller issues a Kerberos ticket for that computer account and sends it to the browser. The browser then logs in to Azure AD using the Kerberos ticket.<\/p><p>Since all SSO login operations are performed via the AZUREADSSOACC account, it must be treated as extremely sensitive. If this account is compromised, the attacker can gain access to the resources of users who log on via SSO. For this reason, Microsoft recommends <strong>rolling over the Kerberos decryption key every 30 days!<\/strong><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-4f2093b elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"4f2093b\" data-element_type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-f270a57\" data-id=\"f270a57\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-51b391d elementor-widget elementor-widget-heading\" data-id=\"51b391d\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">4. 
Disable RC4-HMAC via GPO<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-f2424aa elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"f2424aa\" data-element_type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-bb93fa3\" data-id=\"bb93fa3\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-c0b0a11 elementor-widget elementor-widget-text-editor\" data-id=\"c0b0a11\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>We have now completed all preparations and can finally get rid of RC4-HMAC with the help of a group policy!<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-4818c1e elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"4818c1e\" data-element_type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-33 elementor-top-column elementor-element elementor-element-446d031\" data-id=\"446d031\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-c9e0466 elementor-view-default elementor-widget elementor-widget-icon\" data-id=\"c9e0466\" data-element_type=\"widget\" 
data-widget_type=\"icon.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-icon-wrapper\">\n\t\t\t<div class=\"elementor-icon\">\n\t\t\t<i aria-hidden=\"true\" class=\"far fa-lightbulb\"><\/i>\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<div class=\"elementor-column elementor-col-66 elementor-top-column elementor-element elementor-element-bdfdb96\" data-id=\"bdfdb96\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-18b00d1 elementor-widget elementor-widget-text-editor\" data-id=\"18b00d1\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<ol><li>Open the <em>Group Policy Management (gpmc.msc)<\/em> and navigate to <em>Group Policy Objects<\/em><\/li><li>The following changes should be made in a Group Policy that is applied to all computer objects in the domain.\u00a0<\/li><li>Open the desired group policy object by right-clicking on it and clicking on <em>Edit<\/em><\/li><li>Navigate to <em>Computer Configuration -&gt; Policies -&gt; Windows Settings -&gt; Security Settings -&gt; Local Policies -&gt; Security Options<\/em><\/li><li>Open the policy <em>Network security: Configure encryption types allowed for Kerberos<\/em><\/li><li>Deactivate the following entries and confirm with a click on <em>OK<\/em>:<ol><li>DES_CBC_CRC<\/li><li>DES_CBC_MD5<\/li><li>RC4_HMAC_MD5<\/li><\/ol><\/li><\/ol><p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-2701 lazy\" src=\"https:\/\/azuregeek.io\/wp-content\/uploads\/2021\/01\/EcnryptionTypesAllowedForKerberos-45x40.png\" alt width=\"785\" height=\"699\" data-width=\"785\" data-height=\"699\" 
data-src=\"https:\/\/azuregeek.io\/wp-content\/uploads\/2021\/01\/EcnryptionTypesAllowedForKerberos.png\" srcset=\"https:\/\/azuregeek.io\/wp-content\/uploads\/2021\/01\/EcnryptionTypesAllowedForKerberos-45x40.png 45w, https:\/\/azuregeek.io\/wp-content\/uploads\/2021\/01\/EcnryptionTypesAllowedForKerberos-300x267.png 300w, https:\/\/azuregeek.io\/wp-content\/uploads\/2021\/01\/EcnryptionTypesAllowedForKerberos-768x684.png 768w, https:\/\/azuregeek.io\/wp-content\/uploads\/2021\/01\/EcnryptionTypesAllowedForKerberos-13x12.png 13w, https:\/\/azuregeek.io\/wp-content\/uploads\/2021\/01\/EcnryptionTypesAllowedForKerberos.png 785w\" sizes=\"(min-width: 960px) 75vw, 100vw\" \/><noscript><span class=\"placeholder-el\" data-svq-align=\"center\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-2701 lazy\" src=\"https:\/\/azuregeek.io\/wp-content\/uploads\/2021\/01\/EcnryptionTypesAllowedForKerberos-45x40.png\" alt width=\"785\" height=\"699\" data-srcset=\"https:\/\/azuregeek.io\/wp-content\/uploads\/2021\/01\/EcnryptionTypesAllowedForKerberos.png 785w, https:\/\/azuregeek.io\/wp-content\/uploads\/2021\/01\/EcnryptionTypesAllowedForKerberos-300x267.png 300w, https:\/\/azuregeek.io\/wp-content\/uploads\/2021\/01\/EcnryptionTypesAllowedForKerberos-768x684.png 768w, https:\/\/azuregeek.io\/wp-content\/uploads\/2021\/01\/EcnryptionTypesAllowedForKerberos-13x12.png 13w, https:\/\/azuregeek.io\/wp-content\/uploads\/2021\/01\/EcnryptionTypesAllowedForKerberos-45x40.png 45w\" data-sizes=\"(min-width: 960px) 75vw, 100vw\" data-width=\"785\" data-height=\"699\" data-src=\"https:\/\/azuregeek.io\/wp-content\/uploads\/2021\/01\/EcnryptionTypesAllowedForKerberos.png\" style=\"height: 0; width: 785px; padding-bottom: 89.04%;\"><span class=\"svq-img-loader\"><\/span><\/span><noscript><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-2701\" 
src=\"https:\/\/azuregeek.io\/wp-content\/uploads\/2021\/01\/EcnryptionTypesAllowedForKerberos.png\" alt=\"\" width=\"785\" height=\"699\" srcset=\"https:\/\/azuregeek.io\/wp-content\/uploads\/2021\/01\/EcnryptionTypesAllowedForKerberos.png 785w, https:\/\/azuregeek.io\/wp-content\/uploads\/2021\/01\/EcnryptionTypesAllowedForKerberos-300x267.png 300w, https:\/\/azuregeek.io\/wp-content\/uploads\/2021\/01\/EcnryptionTypesAllowedForKerberos-768x684.png 768w, https:\/\/azuregeek.io\/wp-content\/uploads\/2021\/01\/EcnryptionTypesAllowedForKerberos-13x12.png 13w, https:\/\/azuregeek.io\/wp-content\/uploads\/2021\/01\/EcnryptionTypesAllowedForKerberos-45x40.png 45w\" sizes=\"(min-width: 960px) 75vw, 100vw\" \/><\/noscript><\/noscript><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-c0e4c5f elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"c0e4c5f\" data-element_type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-be07136\" data-id=\"be07136\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-96c82fd elementor-widget elementor-widget-text-editor\" data-id=\"96c82fd\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Now that you have completed all the work and all Domain Controllers have applied the new policy setting, you will see in the Security Log that only AES256 (or AES128) Kerberos tickets are being 
issued:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-c0fe5fd elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"c0fe5fd\" data-element_type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-c12e6b2\" data-id=\"c12e6b2\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-f0dcb7e elementor-widget elementor-widget-image\" data-id=\"f0dcb7e\" data-element_type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"559\" src=\"https:\/\/azuregeek.io\/wp-content\/uploads\/2021\/01\/Kerberos-AES256-45x25.png\" class=\"attachment-large size-large wp-image-2691 lazy\" alt=\"\" data-srcset=\"https:\/\/azuregeek.io\/wp-content\/uploads\/2021\/01\/Kerberos-AES256-1024x559.png 1024w, https:\/\/azuregeek.io\/wp-content\/uploads\/2021\/01\/Kerberos-AES256-300x164.png 300w, https:\/\/azuregeek.io\/wp-content\/uploads\/2021\/01\/Kerberos-AES256-768x419.png 768w, https:\/\/azuregeek.io\/wp-content\/uploads\/2021\/01\/Kerberos-AES256-16x9.png 16w, https:\/\/azuregeek.io\/wp-content\/uploads\/2021\/01\/Kerberos-AES256-45x25.png 45w, https:\/\/azuregeek.io\/wp-content\/uploads\/2021\/01\/Kerberos-AES256.png 1293w\" data-sizes=\"100vw\" data-width=\"1024\" data-height=\"559\" data-src=\"https:\/\/azuregeek.io\/wp-content\/uploads\/2021\/01\/Kerberos-AES256-1024x559.png\" srcset=\"https:\/\/azuregeek.io\/wp-content\/uploads\/2021\/01\/Kerberos-AES256-45x25.png 45w, 
https:\/\/azuregeek.io\/wp-content\/uploads\/2021\/01\/Kerberos-AES256-300x164.png 300w, https:\/\/azuregeek.io\/wp-content\/uploads\/2021\/01\/Kerberos-AES256-1024x559.png 1024w, https:\/\/azuregeek.io\/wp-content\/uploads\/2021\/01\/Kerberos-AES256-768x419.png 768w, https:\/\/azuregeek.io\/wp-content\/uploads\/2021\/01\/Kerberos-AES256-16x9.png 16w, https:\/\/azuregeek.io\/wp-content\/uploads\/2021\/01\/Kerberos-AES256.png 1293w\" sizes=\"(min-width: 960px) 75vw, 100vw\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-8462236 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"8462236\" data-element_type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-8473b3e\" data-id=\"8473b3e\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-380ef47 elementor-widget elementor-widget-text-editor\" data-id=\"380ef47\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tI hope this blog post has been helpful to you and I look forward to your comment! Sign up for my newsletter on the right to not miss any new posts about Azure Security and Automation \ud83d\ude00\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>","protected":false},"excerpt":{"rendered":"<p>The insecure encryption RC4-HMAC is an old Active Directory hat - and unfortunately still relevant. 
In this post, I explain how to securely disable RC4-HMAC in environments with Azure AD Connect and Single Sign On.<\/p>","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"_links":{"self":[{"href":"https:\/\/azuregeek.io\/en\/wp-json\/wp\/v2\/posts\/2654"}],"collection":[{"href":"https:\/\/azuregeek.io\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/azuregeek.io\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/azuregeek.io\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/azuregeek.io\/en\/wp-json\/wp\/v2\/comments?post=2654"}],"version-history":[{"count":59,"href":"https:\/\/azuregeek.io\/en\/wp-json\/wp\/v2\/posts\/2654\/revisions"}],"predecessor-version":[{"id":2730,"href":"https:\/\/azuregeek.io\/en\/wp-json\/wp\/v2\/posts\/2654\/revisions\/2730"}],"wp:attachment":[{"href":"https:\/\/azuregeek.io\/en\/wp-json\/wp\/v2\/media?parent=2654"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/azuregeek.io\/en\/wp-json\/wp\/v2\/categories?post=2654"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/azuregeek.io\/en\/wp-json\/wp\/v2\/tags?post=2654"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}