GhostPack / Rubeus

Trying to tame the three-headed dog.

KDC has no support for PADATA type (pre-authentication data) KDC_ERR_PADATA_TYPE_NOSUPP #86

Closed. sharp-shooter closed this 3 years ago

sharp-shooter commented 3 years ago

I get the error 'KDC has no support for PADATA type (pre-authentication data)' when I run asktgt with a certificate:

```
Rubeus.exe asktgt /user:dc$ /certificate:C:\host1.pfx /createnetonly:C:\Windows\System32\cmd.exe /show /domain:domain.local /dc:10.0.0.1

   (Rubeus ASCII-art banner)

  v1.6.4

[*] Action: Ask TGT

[*] Showing process : True
[+] Process         : 'C:\Windows\System32\cmd.exe' successfully created with LOGON_TYPE = 9
[+] ProcessID       : 4128
[+] LUID            : 0x822bf2

[*] Using PKINIT with etype rc4_hmac and subject: CN=dc.domain.local
[*] Building AS-REQ (w/ PKINIT preauth) for: 'domain.local\dc$'
[*] Target LUID : 8530930

[X] KRB-ERROR (16) : KDC_ERR_PADATA_TYPE_NOSUPP
```

0xe7 commented 3 years ago

PADATA_TYPE_NOSUPP normally means that the authentication type isn't supported. Are you sure that the DC supports PKINIT authentication?

JBalanza commented 3 years ago

How can it be checked? Is there any command or tool to check if the DC allows PKINIT?

HarmJ0y commented 3 years ago

According to https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4771 : "Smart card logon is being attempted and the proper certificate cannot be located. This problem can happen because the wrong certification authority (CA) is being queried or the proper CA cannot be contacted in order to get Domain Controller or Domain Controller Authentication certificates for the domain controller. It can also happen when a domain controller doesn't have a certificate installed for smart cards (Domain Controller or Domain Controller Authentication templates)."

You can use [Certify's] ca command to check if the CA's certificate is present in NTAuthCertificates. As far as the DCs having the proper certificate installed, I'm not sure how (or if) you can check that. I'm going to close this for now as it's an environmental config issue.
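The two checks discussed above (does the DC hold a certificate its KDC can use for PKINIT, and is the issuing CA present in NTAuthCertificates) can both be done from the DC itself with built-in PowerShell. The script below is an added diagnostic for this thread; it is not part of Rubeus, Certify or any Microsoft tooling. It assumes it is run as an administrator on the domain controller in question, reads the machine's personal certificate store and the NTAuthCertificates container over ADSI, and uses the well-known EKU and template-extension OIDs. The "KdcUsable" column is this script's own heuristic (Server Authentication plus Client Authentication EKU, a private key, not expired), not an authoritative statement of what the Windows KDC will select.

```powershell
# Added diagnostic for the PKINIT / KDC_ERR_PADATA_TYPE_NOSUPP discussion above.
# Not Rubeus or Microsoft code. Run on the DC as an administrator; output is informational.

$ekuNames = @{
    '1.3.6.1.5.5.7.3.1'      = 'Server Authentication'
    '1.3.6.1.5.5.7.3.2'      = 'Client Authentication'
    '1.3.6.1.4.1.311.20.2.2' = 'Smart Card Logon'
    '1.3.6.1.5.2.3.5'        = 'KDC Authentication'
}
# Microsoft extensions carrying the template: v1 template name and v2 template OID/version
$templateExtOids = @('1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7')

function Get-KdcCandidateCertificate {
    # Walk the machine personal store and summarise each cert's EKUs and template.
    Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
        $cert   = $_
        $ekuExt = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            Select-Object -First 1
        $oids = @()
        if ($ekuExt) { $oids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
        $tmplExt  = $cert.Extensions | Where-Object { $_.Oid.Value -in $templateExtOids } | Select-Object -First 1
        $template = if ($tmplExt) { $tmplExt.Format($false) } else { '(no template extension)' }
        [pscustomobject]@{
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey
            Expired       = $cert.NotAfter -lt (Get-Date)
            Template      = $template
            EKU           = ($oids | ForEach-Object { if ($ekuNames.ContainsKey($_)) { $ekuNames[$_] } else { $_ } }) -join ', '
            # Heuristic (this script's assumption): the DC templates all carry Server + Client Auth.
            KdcUsable     = ($oids -contains '1.3.6.1.5.5.7.3.1') -and ($oids -contains '1.3.6.1.5.5.7.3.2')
        }
    }
}

function Get-NTAuthCertificate {
    # CA certs in NTAuthCertificates are the ones the domain trusts for smart-card / PKINIT logon.
    $configNC  = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $container = [ADSI]"LDAP://CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$configNC"
    foreach ($raw in $container.Properties['cACertificate']) {
        $ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$raw)
        [pscustomobject]@{ Subject = $ca.Subject; Thumbprint = $ca.Thumbprint; NotAfter = $ca.NotAfter }
    }
}

$candidates = @(Get-KdcCandidateCertificate)
$ntAuth     = @(Get-NTAuthCertificate)

'== Certificates in LocalMachine\My that look usable by the KDC (private key, Server+Client Auth, unexpired) =='
$usable = $candidates | Where-Object { $_.KdcUsable -and $_.HasPrivateKey -and -not $_.Expired }
if ($usable) { $usable | Format-Table Subject, Template, EKU, NotAfter -AutoSize }
else { 'NONE - this matches the "no Domain Controller / DC Authentication certificate" cause in the 4771 docs.' }

'== CA certificates in NTAuthCertificates =='
if ($ntAuth) { $ntAuth | Format-Table Subject, Thumbprint, NotAfter -AutoSize }
else { 'NONE - no CA is trusted for smart-card / PKINIT logon in this forest.' }

'== Issuer cross-check (by subject DN; a simple heuristic, not full chain validation) =='
foreach ($c in $usable) {
    $trusted = $ntAuth.Subject -contains $c.Issuer
    '{0} issued by "{1}": issuer {2} NTAuthCertificates' -f $c.Thumbprint, $c.Issuer, ($(if ($trusted) { 'IS in' } else { 'is NOT in' }))
}
```

Run it in an elevated PowerShell session on the DC. If the first section is empty, requesting a certificate from one of the DC templates (the step HerrHozi describes later in this thread) is the usual fix; if the CA issuing that certificate is missing from the second section, the KDC will not accept it for PKINIT even when it is installed.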

xxSoloxx commented 2 years ago

Hello, I have the same issue. How can I request a certificate for my KDC? When I logged in to the CA console and looked in the panel "certificate that has been delivered", I didn't see any certificate for my KDC. I'm using a 2019 server.

HerrHozi commented 1 year ago

I had the same problem.

After I ran "Request New Certificate ..." on the corresponding DC, the following command was successful:

```
.\Rubeus.exe asktgt /user:DA-HERRHOZI /certificate:.\da-herrhozi.pfx /ptt
```
