{
	"id": "b240380d-485c-4fd0-9cc5-b6a66c92ef5d",
	"created_at": "2026-04-06T03:36:11.350966Z",
	"updated_at": "2026-04-10T03:20:58.847017Z",
	"deleted_at": null,
	"sha1_hash": "56b82b8a3f56e22960efeb8f81394bfde41ae960",
	"title": "Kerberos Pre-Authentication: Why It Should Not Be Disabled",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 39827,
	"plain_text": "Kerberos Pre-Authentication: Why It Should Not Be Disabled\r\nBy Archiveddocs\r\nArchived: 2026-04-06 02:50:58 UTC\r\nThe Key Distribution Center (KDC) is available as part of the domain controller and performs two key functions: the Authentication Service (AS) and the Ticket-Granting Service (TGS).\r\nBy default the KDC requires all accounts to use pre-authentication. This is a security feature which offers protection against password-guessing attacks. The AS request identifies the client to the KDC in plain text. If pre-authentication is enabled, a time stamp is encrypted using the user's password hash as the encryption key. If the KDC reads a valid time when it decrypts the time stamp using the user's password hash, which is available in Active Directory, the KDC knows that the request isn't a replay of a previous request.\r\nWhen you do not enforce pre-authentication, a malicious attacker can directly send a dummy request for authentication. The KDC will return an encrypted TGT and the attacker can brute force it offline. Upon checking the KDC logs, nothing will be seen except a single request for a TGT. When Kerberos timestamp pre-authentication is enforced, the attacker cannot directly ask the KDCs for the encrypted material to brute force offline. The attacker has to encrypt a timestamp with a password and offer it to the KDC. The attacker can repeat this over and over. However, the KDC log will record an entry every time the pre-authentication fails.\r\nThus, Kerberos pre-authentication can prevent the active attacker. However, it does not prevent a passive attacker from sniffing the client's encrypted timestamp message to the KDC. If the attacker can sniff that full packet, he can brute force it offline. To mitigate this problem, it is recommended that users use lengthy passwords. Additionally, a good password rotation policy should also be implemented in the domain to make offline brute-forcing infeasible or increasingly difficult.\r\nI am sure that, like me, you too have seen many organizations (if not all) where this security feature of Kerberos pre-authentication is disabled for some (read: many) users in order to support applications that do not support the security feature offered by Kerberos pre-auth.\r\nShould you continue using those applications in your domain? Let's debate this some other time.\r\nOne of the challenges is that while one can find out whether the Kerberos pre-authentication security feature is disabled for user accounts in the domain, it is almost impossible to list exactly all those user accounts without constructing an LDAP filter and using it in a script or tool.\r\nThis encouraged me to write this wiki post to inform you all that I have written a script that can be used to find and list all user accounts in the domain for which Kerberos pre-authentication has been disabled.\r\nPlease refer to the link below, from where the script can be downloaded.\r\nhttp://gallery.technet.microsoft.com/scriptcenter/List-All-User-Accounts-For-36823486\r\nWishing you a happy experience while you are using the script. Have a nice day. Cheers!!\r\nAdditional References About Kerberos Pre-Authentication\r\nExtensible Pre-Authentication in Kerberos\r\nhttp://www.acsac.org/2007/papers/30.pdf\r\nHow the Kerberos Version 5 Authentication Protocol Works\r\nhttp://technet.microsoft.com/en-us/library/cc772815(v=ws.10).aspx\r\nKerberos Protocol Tutorial\r\nhttp://www.kerberos.org/software/tutorial.html\r\nKerberos Explained\r\nhttp://technet.microsoft.com/en-us/library/bb742516.aspx\r\nChanges in default encryption type for Kerberos pre-authentication on Vista and Windows 7 clients cause security audit events 675 and 680 on Windows Server 2003 DC's\r\nhttp://blogs.technet.com/b/instan/archive/2009/10/12/changes-in-default-encryption-type-for-kerberos-pre-authentication-on-vista-and-windows-7-clients-cause-security-audit-events-675-and-680-on-windows-server-2003-dc-s.aspx\r\nRC4 pre-authentication failure for the Network Service account in Windows Server 2008 R2 or in Windows 7\r\nhttp://support.microsoft.com/kb/2566059\r\nSource: https://social.technet.microsoft.com/wiki/contents/articles/23559.kerberos-pre-authentication-why-it-should-not-be-disabled.aspx",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://social.technet.microsoft.com/wiki/contents/articles/23559.kerberos-pre-authentication-why-it-should-not-be-disabled.aspx"
	],
	"report_names": [
		"23559.kerberos-pre-authentication-why-it-should-not-be-disabled.aspx"
	],
	"threat_actors": [],
	"ts_created_at": 1775446571,
	"ts_updated_at": 1775791258,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/56b82b8a3f56e22960efeb8f81394bfde41ae960.pdf",
		"text": "https://archive.orkl.eu/56b82b8a3f56e22960efeb8f81394bfde41ae960.txt",
		"img": "https://archive.orkl.eu/56b82b8a3f56e22960efeb8f81394bfde41ae960.jpg"
	}
}