Tag Archives: Kerberos

Password reset smart card only accounts – Why should I care?

One interesting thing when using smart card authentication is that you can still use username and passwords even if the smart card is required. There have been many examples and articles about that you can still use Pass the Hash since the NT Hash is still in use.

This is just another twist on it focusing on the clear text password.

The support for using smart card has existed a long time in Windows, it was implemented in MS KILE as a Kerberos extension in Windows 2000 and is called PKINIT. The purpose was to get rid of using passwords and offer a strong authentication with 2 factors (not to mitigate Pass the Hash and Pass the Ticket etc). Continue reading

IP address hostnames in SPN extending Kerberos usage

This is just a small note of a feature that was new in Windows 10 v1507 and Windows Server 2016.

In the early days (Windows 2000, XP and 2003) it was possible to configure Service Principals Names (SPNs) with IP addresses. And then in Windows Vista and Windows Server 2008 it was removed in the Kerberos client and IP addresses on services didn’t work.
Since then if a client tries to connect to e.g. a share by its IP address it would fall back to NTLM.

I don’t know why that changed, but the good news is that they have reintroduced that functionality and you can configure the Kerberos clients to request a service ticket based on a IP hostname SPN.  Continue reading