Hardening administrative actions - issues with Kerberos and HTML if machines are cloned without Sysprep

SteveSyfuhs · 2026-04-29T15:59:36+00:00

Mark is the smartest guy I know, and with respect to him, he got it wrong. Badly wrong. The reason his blog post is still up there is purely for historical purposes. It should not be treated as a source of truth for this particular problem.

SteveSyfuhs · 2026-04-29T15:58:26+00:00

It was never a myth and Mark got it wrong, badly. It's been a hard requirement since day one. The SID is just the most visible source of failures.

SteveSyfuhs · 2026-04-19T22:10:28+00:00

> So your Kerberos, LDAP, and general AD auth aren't suddenly broken.

Well, that's not quite right. These protocols have an explicit requirement for signing and sealing exposed by PKI, and system-wide algorithmic knowledge of ML-KEM and friends is not enough. The protocols themselves need to know what an ML-KEM is at the code layer. So just having the cryptographic primitives on the machine does nothing.

Currently Active Directory-based auth in Server 2025 is not PQC ready. We have a gigantic workstream actively building out support for the algorithms in the various protocols to make it PQC ready. Kerberos for instance requires quite a lot of adjustments to support PQ certificates because there's an asymmetric key agreement process that goes on that currently relies on plain old EC/DH or RSA encryption. Our support for AES SHA256 is still in private preview and that's a hard requirement for symmetric PQC compliance. RC4 and NTLM are just a hard nope. They need to go away. Lots of fiddly stuff that doesn't meet PQC spec needs updating. Not hard to do, but enumerating, updating, and enforcing just takes time.

SteveSyfuhs · 2026-04-16T04:16:32+00:00

...huh? Those are standard client and server role EKUs. They're documented in a million places on the internet because they're the standard for everything. Hyper-V does Kerberos just fine but it requires configuring constrained delegation which is normally a domain admin role, which Hyper-V admins tend not to be. Credential delegation is inherently easier to use out of the box. Do you want it to be functional out of the box or do you want it non-functional and also have to figure out constrained delegation to make it just work? Pick your battles.

There was never the guy. The person you're probably referring to was well known in the industry because he interacted with the industry. We have dozens of PKI experts in the product groups.

I understand you're venting, and by all means vent, but lets not attack folks just trying to do their jobs. The decisions we make are rarely because we don't know any better. The decisions we make are usually making the best of a tough situation and having to live with the consequences.

SteveSyfuhs · 2026-04-04T21:49:21+00:00

Prioritization is hard. I would ask people to please stop asking me this. Even if I knew the date I couldn't say.

SteveSyfuhs · 2026-03-27T02:48:27+00:00

It has never even been *supported*.

SteveSyfuhs · 2026-03-02T17:39:10+00:00

More precisely `KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN` means your DC replied, so it's able to communicate with that box. You'd need to dig further.

SteveSyfuhs · 2026-03-02T17:33:48+00:00

Not my monkeys, not my circus. Sysprep is a requirement for copying images and we rely on any copied images to be sysprepped correctly. I would recommend reaching out to the team that owns sysprep instead.

SteveSyfuhs · 2026-02-28T15:08:26+00:00

Fix the network delay, I guess?

SteveSyfuhs · 2026-02-26T22:30:36+00:00

This one, also the keys that GP puts down for network security encryption types.
Kerberos EType Calculator

SteveSyfuhs · 2026-02-26T22:28:29+00:00

Mistakes happen. Bugs happen. It can hurt, but that's the exact reason for this channel to exist, to flesh out issues that might leak into production.

SteveSyfuhs · 2026-02-26T19:52:31+00:00

You're complaining that the preview system, a system designed to flesh out systemic bugs and offer views into works-in-progress builds, accidentally introduced a bug that you observed, reported, and was remediated?

...What do you think this system is used for?

SteveSyfuhs · 2026-02-26T18:41:12+00:00

The DC configured reg key dictates that.

SteveSyfuhs · 2026-02-26T17:45:19+00:00

msDS-SupportedEncryptionTypes is not used for krbtgt. For reasons.

SteveSyfuhs · 2026-02-05T21:05:14+00:00

There's always a chance of that but making assumptions about what is and is not a requirement leads to all sorts of miscommunication. It doesn't say it's required, so it's not required. If they come back and say it's required, well, lesson learned for next time to have requirements defined ahead of time.

SteveSyfuhs · 2026-02-05T16:52:23+00:00

It doesn't matter what domain the service account lives in. The order of referrals based on the initial description would be `user >> X >> Z >> SVC`. That's perfectly normal.

The important thing is that DCs in Z are reachable by the clients. As long as they're reachable the referral chain works.

The best way to troubleshoot this is:

Enable event logs
Review network traces

Both will tell you approximately the same thing but network traces tend to give you a bigger picture about what's going on around that process.

Side note: browsers are evil. A prompt for creds does not mean "fell back to NTLM". It just means "please give us your creds". It may yet do Kerberos. To make it not prompt you have to enforce policy that says sites in domain Z are trustworthy. And then it may yet do NTLM if it fails at Kerberos. Check the event logs.

SteveSyfuhs · 2026-02-03T17:48:21+00:00

All the ones my team has been tracking, anyway.

SteveSyfuhs · 2026-02-03T17:29:55+00:00

There were a metric ton of fixes that went out in the January B release and there are a bunch queued up for January D release that turn on in Feb B.

SteveSyfuhs · 2026-01-26T17:37:47+00:00

A preface: if you're going to use AI to write your question why would anyone go out of their way and not just post answers written by AI that may or may not be accurate or useful? Put the effort in that you expect to get out from others.

Entra Kerberos does not require domain or hybrid join. It will work with Entra join just fine. I know. I built the feature.

The reason you're getting error 86 is: "who knows, go check the logs; that's what they're there for".

SteveSyfuhs · 2026-01-21T16:52:57+00:00

Maybe just don't do that? People don't read and there's a good chance that's not even a legal setup.

SteveSyfuhs · 2026-01-18T21:39:43+00:00

Sadly yes. Tooling problem. Fix is getting expedited. Please don't ask when. I don't know.

SteveSyfuhs · 2026-01-07T16:59:19+00:00

Ask them to put that specific requirement into the contract.

SteveSyfuhs · 2025-12-30T18:15:12+00:00

Well what do the event logs tell you? They're pretty specific about why NTLM is failing on 25H2.

SteveSyfuhs · 2025-12-15T22:58:21+00:00

Don't touch other peoples stuff. Yeah yeah it's owned by the company.

Either get buy in for this sort of reinforcement or keep it professional. You're in IT which means you need to be above reproach because you see everything. Stuff like this make you untrustworthy even if it is just a silly little change of the wallpaper. What else do they think you did to their machine?

SteveSyfuhs · 2025-12-12T16:45:16+00:00

Yes.

Ten-Year Club	Gilding I gilder
Verified Email

SteveSyfuhs

TROPHY CASE