AA88 asked AA88 commented

Kerberos authentication error

Hi,

I can log in to any server with authentication successfully. But when it comes to launching or running cmd or PowerShell with admin privileges, it throws an access denied error. Even though I'm an enterprise admin or domain admin, I don't seem to have access. Only when I try authenticating as a different user using the same account is it successful.

Below is the screenshot without authenticating, but I already have enterprise admin and don't seem to be able to manage the remote server. (Screenshot: 136469-1.jpg)


Has anyone encountered a Kerberos authentication error?


Tags: windows-server, windows-active-directory

Thameur-BOURBITA answered

Hi

It seems that the Admin account you are using is a member of Protected Users.
You can remove it from Protected Users to be able to use the NTLM protocol for authentication.
Regarding the Kerberos error, check if the SPN configuration is correct on the impacted server, if you want to keep the privileged Admin account in Protected Users.


Please don't forget to mark helpful reply as answer
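
The two checks suggested in this answer (Protected Users membership and the server's SPN registration) can be run as below. This is an added example, not part of the original post; it assumes the RSAT ActiveDirectory module is installed, and `$Account` and `$Server` are placeholders rather than values from the thread.

```powershell
# Added example: placeholders only, replace before running.
Import-Module ActiveDirectory

$Account = 'admin-placeholder'     # sAMAccountName of the admin account (placeholder)
$Server  = 'SERVER-PLACEHOLDER'    # short name of the impacted server (placeholder)

# 1. Is the account in Protected Users, directly or through a nested group?
#    Members of Protected Users cannot authenticate with NTLM.
$hit = Get-ADGroupMember -Identity 'Protected Users' -Recursive |
    Where-Object { $_.SamAccountName -eq $Account }
if ($hit) {
    "$Account is a member of Protected Users (direct or nested)."
} else {
    "$Account is not a member of Protected Users."
}

# 2. Every group the account belongs to, nested groups included
#    (LDAP_MATCHING_RULE_IN_CHAIN), to confirm what the token should carry.
$dn = (Get-ADUser -Identity $Account).DistinguishedName
Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" |
    Sort-Object Name | Select-Object -ExpandProperty Name

# 3. SPNs registered on the server's computer object.
$computer = Get-ADComputer -Identity $Server -Properties servicePrincipalName
$computer.servicePrincipalName | Sort-Object

# 4. The same HOST SPN on more than one object breaks Kerberos to that server.
$owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=HOST/$Server)")
if ($owners.Count -gt 1) {
    "HOST/$Server is registered on $($owners.Count) objects:"
    $owners | Select-Object -ExpandProperty DistinguishedName
} elseif ($owners.Count -eq 0) {
    "HOST/$Server is not registered on any object."
} else {
    "HOST/$Server is registered once, on $($owners[0].DistinguishedName)."
}

# 5. Forest-wide duplicate SPN search, then request a service ticket for the
#    server from the current logon session and list the cached tickets.
setspn -X
klist get "HOST/$Server"
klist
```

Run it from a domain-joined machine in the session that shows the access denied error, so that `klist` reflects the tickets of that logon.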

AA88 answered

@Thameur-BOURBITA

I've checked, and the security group doesn't have Protected Users.

Thameur-BOURBITA answered AA88 commented

Did you check the SPN configuration?

Please don't forget to mark helpful reply as answer


@Thameur-BOURBITA

Is there a standard SPN configuration?

Since the account is more of an administration account rather than a service account.

LimitlessTechnology-2700 answered

Hello @AA88

I agree that besides checking if Enterprise Admin or Domain Admin is a member of the local Administrators group, you may be using an account added to the "Protected Users" group.

Since local Admin security is a concern nowadays, I would recommend that you implement LAPS as a solution for centralized Local Administrator management of your environment without exposing your domain Admins groups.

LAPS:
https://www.microsoft.com/en-us/download/details.aspx?id=46899
LAPS Guide:
https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/local-administrator-password-solution-laps-implementation-hints/ba-p/258296

Hope this helps with your query,


--If the reply is helpful, please Upvote and Accept as answer--

AA88 answered

Hello @LimitlessTechnology-2700

The issue is I'm getting a Kerberos authentication error to any domain servers.
