KDC has no support for PADATA type (pre-authentication data)

[sharp-shooter]

when I gettgt from a certificate ,I get error show below: python3 gettgtpkinit.py -cert-pfx ../temp/PetitPotam/host1.pfx -dc-ip 10.0.0.0.1 domain/test\$ test.ccache -v 1 ⨯ 2021-07-30 04:59:22,388 minikerberos INFO Loading certificate and key from file 2021-07-30 04:59:22,507 minikerberos INFO Requesting TGT Traceback (most recent call last): File "/home/kali/PKINITtools/gettgtpkinit.py", line 349, in main() File "/home/kali/PKINITtools/gettgtpkinit.py", line 345, in main amain(args) File "/home/kali/PKINITtools/gettgtpkinit.py", line 315, in amain res = sock.sendrecv(req) File "/usr/local/lib/python3.9/dist-packages/minikerberos-0.2.14-py3.9.egg/minikerberos/network/clientsocket.py", line 87, in sendrecv minikerberos.protocol.errors.KerberosError: Error Code: 16 Reason: KDC has no support for PADATA type (pre-authentication data)

[dirkjanm]

Does Rubeus give you the same error? This would indicate that the CA setup of the domain is not complete and the Kerberos service does not (yet) accept PKI based preauthentication.

[sharp-shooter]

Yes ,so how to resolve the issue, does this attack works?

[jsdhasfeds]

Hi. Try this "https://support.citrix.com/article/CTX218941". I got the same error and managed to solve it by removing an old certificate issued by a CA that no longer exists then issueing a new certificate using the new CA.

[jarilaos]

I share this in case someone has the same issue (KDC_ERR_PADATA_TYPE_NOSUPP) and is looking for solutions: https://github.com/AlmondOffSec/PassTheCert