search

ly4k / Certipy

Tool for Active Directory Certificate Services enumeration and abuse
MIT License
2.31k stars 315 forks source link

ESC4 EKU KDC_ERR_INCONSISTENT_KEY_PURPOSE #92

Open T3KX opened 1 year ago

T3KX commented 1 year ago

Hi, I have an ESC4 that I downgrade using certipy4 template options. After the request , when i use the auth option i get this error : "Got error while trying to request TGT: Kerberos SessionError: KDC_ERR_INCONSISTENT_KEY_PURPOSE(Certificate cannot be used for PKINIT client authentication)" Is having ESC4 enough to patch the EKU ?

Before the template change, the EKU was: Extended Key Usage : Server Authentication

After the template change, the EKU is not there Extended Key Usage if gone from the template.

Thanks.

T3KX commented 1 year ago

Not sure whats going on , I revert it and change the following properties manually using https://github.com/fortalice/modifyCertTemplate

pKIExtendedKeyUsage: Client Authentication, Server Authentication msPKI-Certificate-Application-Policy: Client Authentication, Server Authentication

but i still have the same error. : KDC_ERR_INCONSISTENT_KEY_PURPOSE(Certificate cannot be used for PKINIT client authentication)"

Zamanry commented 1 year ago

So I was able to get this attack to work by using modifyCertTemplate and waiting like 5 minutes-ish (1x CA environment). I also modified the pKIExtendedKeyUsage and msPKI-Certificate-Application-Policy to be identical. You could also just try implementing the Any Purpose EKU instead of Client Authentication to cover more oddities.

Even for reverting the changes, I noticed there was a time delay. This is all anecdotal evidence, but resolved my issue here

helloyw commented 8 months ago

So I was able to get this attack to work by using modifyCertTemplate and waiting like 5 minutes-ish (1x CA environment). I also modified the pKIExtendedKeyUsage and msPKI-Certificate-Application-Policy to be identical. You could also just try implementing the Any Purpose EKU instead of Client Authentication to cover more oddities.

Even for reverting the changes, I noticed there was a time delay. This is all anecdotal evidence, but resolved my issue here

Could you please solve this error through the above method: KDC_ERR_INCONSISTENT_KEY_PURPOSE, looking forward to your reply