How to find user accounts with Kerberos preauthentication disabled.
One of my duties as a Premier Field Engineer is to perform Active Directory Risk Assessments (aka ADRAP). During these risk assessments we review the configuration of key components of Active Directory to determine if there are any settings that vary from our recommended practices.
During almost every ADRAP I perform we get a message from our assessment tool indicating that one or more user accounts have Kerberos preauthentication disabled. Unfortunately the tool does not tell us which accounts. Before we discuss finding the accounts, let's talk about the impact of disabling Kerberos preauthentication.
During Kerberos authentication the Authentication Service (AS) request identifies the client to the KDC in plain text. If preauthentication is enabled, the client also sends a time stamp encrypted using the user's password hash as the encryption key. If the KDC, decrypting that time stamp with the user's password hash stored in Active Directory, reads a valid time, it knows the request isn't a replay of a previous request. Without preauthentication the KDC has no way to verify that the requester knows the account's password before it answers, which is why the assessment tool flags these accounts.
The preauthentication feature may be disabled for specific users in order to support some applications that don't support the security feature. To do so, open the user account in the Active Directory Users and Computers snap-in and select the Account tab. In the Account options list, check the "Do not require Kerberos preauthentication" option (see below).
More information on Kerberos can be found in the Reference section below.
The Kerberos preauthentication setting is one of the UserAccountControl flags on accounts in Active Directory (the DONT_REQ_PREAUTH flag, 0x400000 in hex or 4194304 in decimal). We can read the value of this attribute from Active Directory to find these accounts. When you view the UserAccountControl attribute in ADSIEDIT (decimal) or LDP (hex) you will see a single number representing the combination of flags (e.g. disabled, password never expires, etc.) configured on the account. More information on UserAccountControl can be found in the Reference section below.
Searching Active Directory
There are two simple ways you can find these accounts in Active Directory. The first method involves creating a custom LDAP query in Active Directory Users & Computers (see Reference below) using the LDAP query string below. The OID 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule, so the filter matches any account whose UserAccountControl value has the 4194304 (DONT_REQ_PREAUTH) bit set:
(&(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.803:=4194304))
The second method is to use PowerShell to query Active Directory. Two examples are shown below:
Get-ADUser -LDAPFilter "(&(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.803:=4194304))" -Properties DoesNotRequirePreAuth
Get-ADUser -Filter * -Properties DoesNotRequirePreAuth | Where-Object {$_.DoesNotRequirePreAuth -eq $true}
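As an added example that is not part of the original post, the following PowerShell script combines the bitwise LDAP filter from the post with a decoder for the UserAccountControl bitmask, so the report also shows which other flags are set on each affected account. It assumes the ActiveDirectory module (RSAT) is installed and that the caller can read user objects; the flag values are the documented constants from KB 305144.

```powershell
# Added example (not the original post's code). Finds accounts with the
# DONT_REQ_PREAUTH bit set and decodes their full UserAccountControl value.
# Assumes the ActiveDirectory module is available and the caller can read users.
Import-Module ActiveDirectory

# Subset of UserAccountControl flags (documented in KB 305144).
$UacFlags = [ordered]@{
    ACCOUNTDISABLE         = 0x0002
    PASSWD_NOTREQD         = 0x0020
    NORMAL_ACCOUNT         = 0x0200
    DONT_EXPIRE_PASSWORD   = 0x10000
    SMARTCARD_REQUIRED     = 0x40000
    TRUSTED_FOR_DELEGATION = 0x80000
    NOT_DELEGATED          = 0x100000
    USE_DES_KEY_ONLY       = 0x200000
    DONT_REQ_PREAUTH       = 0x400000   # 4194304 decimal, the bit the post queries
}

# Return the names of all flags set in a UserAccountControl value.
function ConvertFrom-UserAccountControl {
    param([Parameter(Mandatory)][int]$Value)
    $UacFlags.GetEnumerator() |
        Where-Object { ($Value -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }
}

# Server-side filter using the LDAP bitwise-AND matching rule, as in the post.
$filter = "(&(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.803:=4194304))"

Get-ADUser -LDAPFilter $filter -Properties userAccountControl, DoesNotRequirePreAuth |
    ForEach-Object {
        [pscustomobject]@{
            SamAccountName = $_.SamAccountName
            Enabled        = $_.Enabled
            UAC            = ('0x{0:X}' -f $_.userAccountControl)
            Flags          = (ConvertFrom-UserAccountControl $_.userAccountControl) -join ','
        }
    } | Format-Table -AutoSize
```

The Enabled column helps with triage: a disabled account with preauthentication turned off still deserves review, but an enabled one should be fixed first.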
Reference
Kerberos Explained
https://technet.microsoft.com/en-us/library/bb742516.aspx
How to Create Custom Active Directory LDAP Searches
https://blogs.msdn.com/b/muaddib/archive/2011/10/24/active-directory-ldap-searches.aspx
How to Query Individual Properties of the "userAccountControl" Active Directory User property using LDAP
https://blogs.msdn.com/b/muaddib/archive/2008/10/08/query-individual-properties-of-the-useraccountcontrol-active-directory-user-property.aspx
How to use the UserAccountControl flags to manipulate user account properties
https://support.microsoft.com/kb/305144
Comments
- Anonymous
March 09, 2014
Rather than just target a particular UserAccountControl flag, I prefer a complete UserAccountControl report, which gives you all the flags: www.jhouseconsulting.com/.../script-to-create-a-report-on-useraccountcontrol-flags-1088 Cheers, Jeremy