When enabling AES encryption on my DC or active directory account used for delegation, Kerberos Constrained Delegation (KCD) begins to fail with the following error.
"Kerberos: can't decrypt S4U2Self ticket for user 12345679@SITEREQUEST.COM - Decrypt integrity check failed (-1765328353)."
A screenshot of the policy I applied is here.
The error when enabling APM Debug logs is found below.
Because of this error, the question was raised if F5 even supported AES encryption. Per F5 documentation this has been supported since 12.1. However, after speaking to several customers they were sure F5 did not because of running into a similar scenario. I was able to reproduce the issue consistently when enabling the domain controller policy listed below.
Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network security: Configure encryption types allowed for Kerberos" to "Enabled" with only the following selected:
Future encryption types
After reproducing the issue, I discussed this with someone who knows Kerberos a lot better than me and he provided the following explanation.
The principal (account) is created using the system-default enctype. When you change the enctype, you must also recreate the principal, or at least update the principal’s password.
Resolution was to simply reset the password of the delegation account to support the new enctype.
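As an added illustration of the check and fix described above (not code from the original post or from F5), the PowerShell below reads which Kerberos enctypes a delegation account advertises and when its password was last set, then switches the account to AES and resets the password so that AES keys get derived. It assumes the RSAT ActiveDirectory module and uses a placeholder account name.

```powershell
# Added example (not from the original post). Assumes the RSAT ActiveDirectory
# module is installed and that $Account is replaced with the real KCD account.
Import-Module ActiveDirectory

$Account = 'svc-apm-kcd'   # placeholder: the delegation (KCD) account name

# Bit flags of the msDS-SupportedEncryptionTypes attribute (MS-KILE 2.2.7)
$EncTypeFlags = [ordered]@{
    DES_CBC_CRC                = 0x01
    DES_CBC_MD5                = 0x02
    RC4_HMAC                   = 0x04
    AES128_CTS_HMAC_SHA1_96    = 0x08
    AES256_CTS_HMAC_SHA1_96    = 0x10
    AES256_CTS_HMAC_SHA1_96_SK = 0x20   # the "Future encryption types" bit
}

function Get-KerberosEncTypeNames {
    param([int]$Mask)
    # An unset attribute means the DC falls back to its defaults (RC4 for user accounts)
    if (-not $Mask) { return @('(not set: defaults apply, RC4 for user accounts)') }
    $EncTypeFlags.GetEnumerator() |
        Where-Object { $Mask -band $_.Value } |
        ForEach-Object { $_.Key }
}

$u = Get-ADUser -Identity $Account `
        -Properties msDS-SupportedEncryptionTypes, pwdLastSet, servicePrincipalName

$mask = [int]$u.'msDS-SupportedEncryptionTypes'
Write-Host "Advertised enctypes : $((Get-KerberosEncTypeNames $mask) -join ', ')"
Write-Host "Password last set   : $([DateTime]::FromFileTime($u.pwdLastSet))"
Write-Host "SPNs                : $($u.servicePrincipalName -join ', ')"

# Long-term keys are derived from the password at the moment it is set. An account
# whose password predates the enctype change therefore still has only its old keys,
# which is why the DC cannot decrypt the S4U2Self ticket once AES is enforced.
# Advertise AES on the account, then reset the password so AES keys are generated.
Set-ADUser -Identity $Account -KerberosEncryptionType 'AES128,AES256'
$new = Read-Host -AsSecureString 'New password for the delegation account'
Set-ADAccountPassword -Identity $Account -Reset -NewPassword $new
```

The script changes only the account's advertised enctypes and its keys; the domain controller policy itself stays as configured.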
Thanks for sharing! It’s interesting to know this behavior!
You should have wasted several hours before finding it!
So if I understand well, keys are created according to user policy when the password is reset!
I hope it will be converted to a DC or askf5 article ;-)
No worries. You are sooooo right! F5 document https://support.f5.com/csp/article/K18315582 infers based on the versions provided we do support AES 256 even though it doesn't clearly state it and I haven't found any documentation around this issue in general. Then if KCD is already enabled, I didn't find any documentation regarding resetting the principal account or resetting the PW.