
Explore how Kerberos authenticates a user with a username and a password-derived key (the password hash) to issue a TGT, valid for 10 hours by default and cached locally, which the client then presents to the KDC to obtain a service ticket.
Explore Kerberos terminology: user and service principals. See how the Kerberos Key Distribution Center (KDC) authenticates clients, issues ticket-granting tickets (TGTs) and service tickets, and handles SPNs, UPNs, and the KRBTGT account.
Explore how Kerberos uses long-term keys (user, system, and service keys) and short-term session keys, and how tickets, both TGTs and service tickets, carry those session keys to enable authentication across trusted domains.
Explore the Kerberos messages, tickets, and encryption algorithms exchanged between clients, the KDC, and services, including nonces and session keys. Understand how delegation, pre-authentication data, and PAC validation influence authentication in Windows domains.
Discover how a Windows domain user accesses a Kerberos-enabled website: the DNS A record, the SPN registered on a service account, and the exchange of TGT and service ticket that provides mutual authentication.
Configure Kerberos for Exchange clients by associating an SPN with the Client Access services (CAS), enabling Kerberos on the virtual directories, and deploying an alternate service account (ASA) computer account across the CAS servers.
Configure Kerberos authentication for Exchange clients with an alternate service account: create the AD computer account and DNS A record, rename the Autodiscover and internal URLs, register the SPNs, and verify the setup.
Demonstrate configuring Kerberos for non-Windows systems by creating a keytab for a Linux service account and mapping the SPN http/MyLinuxApp.test.me to it with AES256 keys.
Kerberos delegation lets a service access remote resources on behalf of the authenticated user in multi-tier applications. Compare unconstrained, constrained, and resource-based constrained delegation, including impersonation and the security risk when a delegating service account is compromised.
Configure constrained delegation in Kerberos by restricting the delegation right to specific services, using protocol transition and the forwardable flag to control access via Service-for-User-to-Self (S4U2self) and Service-for-User-to-Proxy (S4U2proxy).
Demonstrate constrained delegation in a double-hop flow across a web server and a SQL server, configuring DNS, SPNs, and service accounts while recording the resulting events in the Security logs and network traces.
Demonstrate resource-based constrained delegation by marking the mid-tier account as not trusted for delegation and instead listing MyApp1Svc, on the DB1Svc account, as a principal allowed to delegate to it; access succeeds and the service tickets are cached.
Run services under managed service accounts, whose 120-character passwords are reset automatically every 30 days, and configure Kerberos delegation via msDS-AllowedToDelegateTo and userAccountControl for classic constrained delegation, or via PrincipalsAllowedToDelegateToAccount for resource-based delegation.
Demonstrate constrained delegation with managed service accounts by creating MyApp1MSA and DB1MSA, registering their SPNs, configuring App1 to run as MyApp1MSA and DB1 as DB1MSA, and testing that the tickets are cached.
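The three modules above (resource-based constrained delegation, managed service accounts, and the MyApp1MSA/DB1MSA setup) describe one procedure. The following PowerShell is an added example written for this page, not a script from the course. It assumes the domain test.me (borrowed from the course's Linux SPN), hosts named APP1 and DB1, the ActiveDirectory module, and an existing KDS root key; those names are assumptions, the account names are the course's.

```powershell
# Added example, not a script from the course. Assumes the domain test.me (taken
# from the course's Linux SPN), hosts APP1 and DB1, the ActiveDirectory module,
# and an existing KDS root key (Get-KdsRootKey). Run from a domain admin session.
Import-Module ActiveDirectory
$domain = 'test.me'

# 1. Group managed service accounts for the front end (App1) and back end (DB1).
#    The KDS generates the password and rotates it automatically; only the listed
#    computer accounts may retrieve it, so no human ever holds the secret.
New-ADServiceAccount -Name 'MyApp1MSA' -DNSHostName "app1.$domain" `
    -PrincipalsAllowedToRetrieveManagedPassword 'APP1$' `
    -ServicePrincipalNames "http/app1.$domain", 'http/app1'
New-ADServiceAccount -Name 'DB1MSA' -DNSHostName "db1.$domain" `
    -PrincipalsAllowedToRetrieveManagedPassword 'DB1$' `
    -ServicePrincipalNames "MSSQLSvc/db1.$domain:1433"

# 2. Restrict both accounts to AES so no RC4 service ticket can be issued for them.
Set-ADServiceAccount -Identity 'MyApp1MSA' -KerberosEncryptionType 'AES128,AES256'
Set-ADServiceAccount -Identity 'DB1MSA'    -KerberosEncryptionType 'AES128,AES256'

# 3. Resource-based constrained delegation is configured on the RESOURCE: DB1MSA
#    lists who may present S4U2proxy requests to it. This writes
#    msDS-AllowedToActOnBehalfOfOtherIdentity on DB1MSA; the front end needs
#    neither the "trusted for delegation" userAccountControl bit nor an
#    msDS-AllowedToDelegateTo entry, which is what classic constrained delegation uses.
$frontEnd = Get-ADServiceAccount -Identity 'MyApp1MSA'
Set-ADServiceAccount -Identity 'DB1MSA' -PrincipalsAllowedToDelegateToAccount $frontEnd

# 4. Verify: the back end names the front end, and the front end is NOT trusted
#    for delegation, so a compromised MyApp1MSA can only reach resources that
#    explicitly list it.
Get-ADServiceAccount -Identity 'DB1MSA' -Properties PrincipalsAllowedToDelegateToAccount |
    Select-Object Name, PrincipalsAllowedToDelegateToAccount
Get-ADServiceAccount -Identity 'MyApp1MSA' `
    -Properties TrustedForDelegation, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo' |
    Select-Object Name, TrustedForDelegation, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'

# 5. On each host (APP1 for MyApp1MSA, DB1 for DB1MSA), install the account, confirm
#    the host can retrieve its password, then run the app pool or SQL service as
#    'test.me\MyApp1MSA$' / 'test.me\DB1MSA$' with an empty password:
#      Install-ADServiceAccount -Identity 'MyApp1MSA'
#      Test-ADServiceAccount    -Identity 'MyApp1MSA'   # True when the host can use it
```

After step 5 a client hitting App1 should produce, in the client's `klist` output on the web server, a service ticket for MSSQLSvc/db1.test.me:1433 issued under the user's name, which is the cached ticket the module above refers to. If the App1 host cannot obtain it, the first things to check are that Test-ADServiceAccount returns True on APP1 and that DB1MSA, not MyApp1MSA, carries the PrincipalsAllowedToDelegateToAccount entry.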
Investigate how Kerberos delegation misconfigurations produce ANONYMOUS LOGON and KDC_ERR_BADOPTION errors in Windows domains. Identify the KDC options, the forwardable and forwarded flags, and the ticket details for mid-tier and client authentication.
Explore the incompatibility between IIS kernel-mode authentication and the Negotiate (Kerberos) provider: when a ticket is decrypted by the wrong account, warnings and KRB_AP_ERR_MODIFIED events are logged and application access fails.
Enable Kerberos advanced logging across the forest to identify services with missing or misconfigured SPNs, and use the client and server logs with System Center Operations Manager to flag KDC_ERR_S_PRINCIPAL_UNKNOWN errors.
Explore Kerberoasting in Windows domains: the SPN requirement, offline brute force of service tickets (practical mainly against RC4-encrypted tickets), and defenses using AES256, managed service accounts, privileged account controls, and PowerShell script block logging.
Explain overpass-the-hash and pass-the-ticket attacks, including how attackers obtain tickets to move laterally. Present detection and prevention techniques such as Credential Guard, Network Level Authentication (NLA), and LAPS.
Identify accounts needing AES256 support, upgrade legacy systems, reset their passwords twice with full AD replication in between, update the KRBTGT account and keytabs to AES256, and then, after verification, disable the non-AES256 encryption types.
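The Kerberoasting module and the AES256 migration module above share one starting point: find the accounts that have an SPN and can still be issued RC4 (or DES) service tickets. The following PowerShell is an added example written for this page, not a script from the course. It assumes the ActiveDirectory module and read access to the domain; it reports whatever exists in the environment it is run against, and changes nothing unless the Set-AesOnly function at the end is called explicitly.

```powershell
# Added example, not a script from the course. Assumes the ActiveDirectory module
# and read access to the domain. Read-only unless Set-AesOnly is invoked.
Import-Module ActiveDirectory

# Bit flags of msDS-SupportedEncryptionTypes (MS-KILE section 2.2.7).
$ETYPE = @{ DES_CBC_CRC = 0x01; DES_CBC_MD5 = 0x02; RC4_HMAC = 0x04; AES128 = 0x08; AES256 = 0x10 }

function Get-EtypeNames {
    param([int]$Mask)
    $names = foreach ($kv in ($ETYPE.GetEnumerator() | Sort-Object Value)) {
        if ($Mask -band $kv.Value) { $kv.Key }
    }
    # An unset attribute on a user account means the KDC falls back to RC4.
    if ($names) { $names -join ',' } else { 'RC4_HMAC (attribute unset: KDC default for user accounts)' }
}

# Kerberoasting population: user accounts (not computers, not MSAs) that carry an
# SPN, because any authenticated domain user may request a service ticket for them
# and crack it offline. KRBTGT is excluded here: its ticket encryption type follows
# the domain functional level and it has its own reset procedure.
$props  = 'servicePrincipalName', 'msDS-SupportedEncryptionTypes', 'PasswordLastSet', 'AdminCount'
$weak   = $ETYPE.DES_CBC_CRC -bor $ETYPE.DES_CBC_MD5 -bor $ETYPE.RC4_HMAC
$aes    = $ETYPE.AES128 -bor $ETYPE.AES256
$report = Get-ADUser -Filter 'servicePrincipalName -like "*" -and SamAccountName -ne "krbtgt"' -Properties $props |
    ForEach-Object {
        $mask = [int]($_.'msDS-SupportedEncryptionTypes')   # $null becomes 0
        [pscustomobject]@{
            Account    = $_.SamAccountName
            SpnCount   = @($_.servicePrincipalName).Count
            Etypes     = Get-EtypeNames $mask
            AesOnly    = (($mask -band $aes) -ne 0) -and (($mask -band $weak) -eq 0)
            PwdAgeDays = $(if ($_.PasswordLastSet) { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } else { $null })
            Privileged = ($_.AdminCount -eq 1)
        }
    }

# Worst first: privileged, RC4-capable accounts with old passwords are the prime
# Kerberoasting targets and the first candidates for an MSA or an AES-only reset.
$report |
    Sort-Object @{Expression = 'Privileged'; Descending = $true },
                @{Expression = 'AesOnly';    Descending = $false },
                @{Expression = 'PwdAgeDays'; Descending = $true } |
    Format-Table -AutoSize

# Remediation for one account, to run only after every client and service that
# uses it has been confirmed to support AES. The password reset matters: Kerberos
# keys are derived from the password when it is set, so an account whose password
# predates AES support in the domain has no AES keys until it is reset.
function Set-AesOnly {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][securestring]$NewPassword
    )
    Set-ADUser -Identity $SamAccountName -KerberosEncryptionType 'AES128,AES256'
    Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $NewPassword
}
```

The report lists the accounts; it does not decide the order of work. A practitioner would migrate each service to a managed service account where possible, run Set-AesOnly (or the equivalent for computer accounts) for the rest, and only then apply the final step of the module above, disabling RC4 and DES domain-wide through the "Network security: Configure encryption types allowed for Kerberos" policy, which breaks anything that was missed rather than merely reporting it.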
The course provides refined, standardized, and verified information that cannot be found in any other single publicly available source. It does not contain labs or tasks, only demonstrations. The content is heavily condensed, and it will take significantly more than 3 hours to absorb it. You will need a high level of motivation to complete the course and digest the information so that it can be applied practically. At the end of each section there is a review with multiple-choice questions and explanations. Download the course transcript and use it instead of taking notes, and follow the references to dig deeper into topics of interest.
The course will introduce you to Microsoft's implementation of the Kerberos authentication protocol and its benefits, terminology, concepts, and service infrastructure. It then explains how Kerberos works through a detailed, step-by-step examination of the ticketing system and its communication messages in various configurations, using flow diagrams and a network traffic analyzer to give a better understanding of the processes. Understanding how Kerberos works will help you troubleshoot complex problems and reduce stress.
We will walk through the configuration of the most common Microsoft applications, such as IIS, SQL Server, Exchange, and file servers, including multi-hop setups and mid-tier service integration; discuss impersonation; and review the delegation options and see why some of them are not so secure. We will also learn how to Kerberize non-Windows services so they can benefit from Kerberos security and the convenience of SSO.
Then we will dive into troubleshooting: go through a checklist so we don't miss the most common misconfigurations, and look into specific troubleshooting examples. We will also examine Kerberos vulnerabilities and the most common attacks, such as Kerberoasting and Golden and Silver Tickets, and talk about how to prevent and detect compromise. Finally, we will look into relevant monitoring and alerting options and learn how to use them to detect malicious activity.