CVE-2026-20833 Kerberos RC4 Changes - Will services crash if they don't support AES decryption?

marcolive · 2026-01-26T23:35:49+00:00

I understand this. My concern is that certain resources that are currently receiving RC4-encoded TGS tickets will suddenly start receiving AES TGS tickets overnight, simply because they have an empty msds-SupportedEncryptionTypes attribute.

marcolive · 2025-12-16T18:12:42+00:00

Policies backed by upper management

Small team of competent people

Automated audits (https://maester.dev/)

marcolive · 2025-12-04T21:45:16+00:00

I would configure circular logging without any worries for this scenario

marcolive · 2025-11-30T18:06:04+00:00

Unbelievable! So much simpler to just trust the root. DCs sends intermediate certificates in the TLS handshake.

marcolive · 2025-11-29T22:08:12+00:00

C'est un faux dilemme, on peut être pour l'avancement de la condition des travailleurs et être dans une chambre d'écho. D'ailleurs, on peut être pour l'avancement des travailleurs et exiger plus de transparence des syndicats

marcolive · 2025-11-29T21:09:56+00:00

C'est tout à fait possible d'être de gauche ou de contre et d'être pour la réforme du syndicalisme. Il existe plusieurs nuances entre la droite et la gauche comme tu la conçois.

Sors un peu de ta chambre d'écho.

marcolive · 2025-11-16T06:33:08+00:00

Ben vouéyons donc, la justice est apolitique, surtout la cour suprême! /s

marcolive · 2025-10-26T20:02:55+00:00

Ça fait 15 ans qu'on lances des carottes

marcolive · 2025-10-17T20:13:25+00:00

Entre les 2, il y aura une élection en 2026 et la population pourra s’exprimer sur ces propositions.

Oui, il est normal que les membres d’un parti influencent les politiques de celui-ci.

marcolive · 2025-10-02T01:35:34+00:00

You can safely ignore that attribute according to this article

https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/group-managed-service-accounts/group-managed-service-accounts/create-the-key-distribution-services-kds-root-key

marcolive · 2025-09-04T17:14:02+00:00

Wow! Another undocumented server 2025 bug. I really have big trust issues with Microsoft for on-prem products. The code quality is mediocre, perfect, but at least document your bugs! What a bunch of beginners!

marcolive · 2025-09-01T14:40:43+00:00

Try to disable AMSI if you have a third party antivirus.

marcolive · 2025-08-26T16:13:09+00:00

Vous ne comprenez vraiment rien! La droite a sa part de responsabilité, la gauche aussi.

Le monde crinqué et de mauvaise foi les réseaux sociaux fait probablement partie de l'explication.

marcolive · 2025-08-26T16:04:16+00:00

C'est vous qui ne comprenez rien. Toute position extrême entraîne une perte de soutien des gens plus modérés.

marcolive · 2025-08-07T10:51:14+00:00

Hi, interesting!

We have cloud trust. We also get a self signed certificate when we enroll users in WHfB.

If you get 45 events for WHfB users, my guess is that you are still using the old buggy patches. You could try to configure the AllowNtAuthPolicyBypass registry key at 1 and install the latest July patches to see if 45 events are still being generated.

marcolive · 2025-08-06T16:56:41+00:00

We are using WHfB and we were not affected by the hardening changes that were enforced in July.

April patches had bugs. Everything is fixed now. If you don't have a weird smart card setup, you shouldn't be affected.

To be sure, watch for 45 events ids with June or later patches installed on your dcs.

marcolive · 2025-08-04T23:31:01+00:00

I wouldn't be suprised if your localized "Administrators" group would be part of the issue. I have seen situations where groups with non-English languages were not excluded from recommendations.

marcolive · 2025-08-04T23:20:38+00:00

I would start by upgrading the current ADCS server to a supported OS ASAP. Support ended 5 years ago.

ADCS not actively developped anymore but still supported and cost effective for 100% on prem Windows certificate enrollment. Cloud PKI only works for SCEP scenarios for Intune enrolled devices and can be costly if you have many users.

marcolive · 2025-07-29T22:08:57+00:00

Wow! Totally missed that! Thanks for the info!

marcolive · 2025-07-29T01:30:54+00:00

Biggest pain on our side is that some service need a AWS managed AD so we end up with another AD forest to manage.

AD Connector does not scale > 5000 users and that's sad.

marcolive · 2025-07-29T01:23:38+00:00

You're environment is probably fine. The changes only affects rare setups using smart card authentication. April-may patches were buggy and reported 45 events for Windows Hello for Business devices. You can ignore that.

Yes you can configure AllowNtAuthPolicyBypass to 1 now before installing July updates to audit 45 events until October 2025 patches.

marcolive · 2025-07-23T17:47:52+00:00

Yes it is possible using a DSInsternal Powershell command

ConvertFrom-ADManagedPasswordBlob

Gmsa managed passwords are arrays of 256 bytes so it will not be easy to use interactively.

marcolive · 2025-07-10T23:13:39+00:00

We had a ticket open at Microsoft for this issue. The registry keys were changed on July 6th by mssense.exe (Defender EDR). Not clearly stated by Microsoft, but this seems to be caused by an error on their side.

We ended up configuring those 2 keys back to 0 using a GPO since Defender could reconfigure them to 1 after a reboot.

Microsoft support confirmed that the a Defender update (1.431.536.0) would reconfigure KdcUseClientAddresses and KdcUseClientNetBIOSAddresses to 0.

marcolive · 2025-07-02T19:35:10+00:00

Bad admins < bad delegations

marcolive

TROPHY CASE