Windows Server 2025 KDC PKINIT Support #196

Open
MichaelGrafnetter opened this issue Jan 29, 2025 · 15 comments
Comments

@MichaelGrafnetter

Hi, I have an issue when running Rubeus asktgt /certificate:... against Windows Server 2025 domain controllers. I always get the

[-] KRB-ERROR (79) : KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED

error from DC. I had no issues with Windows Server 2022.

The same certificate works seamlessly with Windows Server 2025 when using PKINITtools/gettgtpkinit.py. Am I missing something or has Microsoft changed PA-PK-AS-REP validation?

@JoeDibley (Contributor)

Hi Michael, hope you are well! I updated my 2025 DC and all still works here with the following and certificate generated using the default "User" template. Are you specifically attempting to use the PK_AS_REQ_OLD (PK_AS_REQ_19)?

.\Rubeus.exe asktgt /user:DA /dc:10.0.0.63 /certificate:dcb44eaac7869240d76a6def983c8594fa6c220f /enctype:aes256

@MichaelGrafnetter (Author)

Hi @JoeDibley , thanks for your response. I was basically doing the same thing as you did, maybe I just used DC name instead of IP address, which should not make any difference.
I tried 2 different approaches:

  • Certificate based on the KerberosAuthentication template acquired through impacket-ntlmrelayx.
  • Shadow credential certificate with Rubeus command line generated entirely by Elad Shamir's whisker.

I tried both Rubeus freshly compiled by myself and some binaries available online, with the same result.
I also tried to explicitly disable the PKINIT Freshness extension on the target DC, but that did not help either.
As it works for you, I will probably try to re-install my AD lab from scratch and see what happens.

@JoeDibley (Contributor)

JoeDibley commented Feb 1, 2025

Interesting. I don't see why those would behave any differently. I literally can't see a way right now for AskTGT with a cert to not have a checksum? Maybe the structure of the packet is off a bit.

I did notice that in the impacket version they add the DiffieHellman q (Factor) to the agreement encoding where a Rubeus just does P and G? Doubt it would impact or exclude the checksum but thought may be worth a quick try adding it?

https://github.com/dirkjanm/PKINITtools/blob/0f0cfa542b0348609ad494713e84744234b2d3b0/gettgtpkinit.py#L148-L151

byte[] pubKeyInfo = AsnElt.Make(AsnElt.SEQUENCE, new AsnElt[] {
    AsnElt.MakeInteger(agreement.P),
    AsnElt.MakeInteger(agreement.G),
}).Encode();

Let me know how you get on! If I have any time I'll try one of your scenarios against my 2025 DC.

@JoeDibley (Contributor)

Using Impacket's ntlmrelayx and petitpotam to get a Kerberos Authentication certificate from my 2025 domain controller, and using that, I ran into a different issue, but a Rubeus issue rather than Windows side.

This new issue appears to be to do with the computer authentication (the user auth to the same dc does not have this). The PA_DATA returns two items (ETYPE-INFO2 and PK-AS-REP) and ETYPE-INFO2 is decoded instead of the second one causing an unable to cast ETYPE-INFO2 to PK-AS-REP.

I made a branch on my fork with a fix for this as well as adding in that Q option for you to try.

Also, just to confirm, I commented out this line to reproduce the error message you are getting. I have no idea what must be happening on your DC! 😕

AsnElt.Make(AsnElt.CONTEXT,3, new AsnElt[]{ AsnElt.MakeBlob(paChecksum) })

[*] Action: Ask TGT

[*] Got domain: domain.local
[*] Using PKINIT with etype aes256_cts_hmac_sha1 and subject:
[*] Building AS-REQ (w/ PKINIT preauth) for: 'domain.local\NWX-DC2$'
[*] Using domain controller: 10.0.0.63:88

[X] KRB-ERROR (79) : KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED
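The ETYPE-INFO2 vs. PK-AS-REP mix-up described above, as an added example that is not Rubeus or PKINITtools code: a minimal DER walk over the KDC's padata list that selects the entry by padata-type (17 for PA-PK-AS-REP, 19 for ETYPE-INFO2) instead of by position. The sample bytes are constructed and the padata-value payloads are placeholders.

```python
# Added example (not Rubeus or PKINITtools code): select a PA-DATA entry by its
# padata-type rather than by position, so ETYPE-INFO2 (19) preceding
# PA-PK-AS-REP (17) in the KDC's padata list does not break decoding.
PA_PK_AS_REP = 17
PA_ETYPE_INFO2 = 19

def _read_tlv(buf, pos):
    """Parse one DER TLV at pos -> (tag, value, next_pos). Single-byte tags,
    short and long-form lengths, which is all Kerberos padata needs."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_padata_list(der):
    """Decode SEQUENCE OF PA-DATA into [(padata-type, padata-value), ...]."""
    tag, seq, _ = _read_tlv(der, 0)
    assert tag == 0x30, "expected SEQUENCE OF PA-DATA"
    entries, pos = [], 0
    while pos < len(seq):
        tag, item, pos = _read_tlv(seq, pos)
        assert tag == 0x30, "expected PA-DATA SEQUENCE"
        t1, ctx1, p = _read_tlv(item, 0)        # [1] padata-type INTEGER
        assert t1 == 0xA1
        pa_type = int.from_bytes(_read_tlv(ctx1, 0)[1], "big")
        t2, ctx2, _ = _read_tlv(item, p)        # [2] padata-value OCTET STRING
        assert t2 == 0xA2
        entries.append((pa_type, _read_tlv(ctx2, 0)[1]))
    return entries

def find_padata(der, wanted_type):
    """Return the padata-value bytes for wanted_type, or None if absent."""
    for pa_type, value in parse_padata_list(der):
        if pa_type == wanted_type:
            return value
    return None

# --- constructed sample input (short-form lengths only) ---
def _tlv(tag, body):
    return bytes([tag, len(body)]) + body

def _padata(pa_type, value):
    return _tlv(0x30, _tlv(0xA1, _tlv(0x02, bytes([pa_type])))
                    + _tlv(0xA2, _tlv(0x04, value)))

# ETYPE-INFO2 first, PK-AS-REP second: the order that broke index-based decoding.
SAMPLE_PADATA = _tlv(0x30, _padata(PA_ETYPE_INFO2, b"\x30\x00")
                         + _padata(PA_PK_AS_REP, b"\xa0\x03\x02\x01\x00"))
```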

@MichaelGrafnetter (Author)

Hey @JoeDibley , thanks a lot for your effort, really appreciate it.

I confirm that I have previously seen the ETYPE-INFO2 vs. PK-AS-REP issue you are describing on a Windows Server 2025 (Updated November 2024) DC. That change is therefore worthy of a pull request.

I re-deployed my lab environment with 2 DCs:

  • DC1 - Windows Server 2022 (ISO Updated January 2025)
  • DC2 - Windows Server 2025 (ISO Updated January 2025)

Even with the AsnElt.MakeInteger(agreement.Q) change in place, I am still getting KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED from DC2, while it works as expected against DC1. I am running the same Rubeus command from the same system, only changing the /dc: parameter.

@JoeDibley (Contributor)

Yeah, makes sense to do a PR for that. I'll save it until we can figure out the problems. GetTGTPKInit.py works and is fully decoded in Wireshark, whereas Rubeus is currently not, so I think focusing on getting to a point that Wireshark can inspect the AS-REQ without an error in the SignedAuthPack is likely the next step, albeit not a simple one.

@JoeDibley (Contributor)

If you get time, give my fork another go. I made a change that now detects the SignedAuthPack and also just a console write line to confirm that the pachecksum bit is being hit on your side.

Still not quite sure how you are getting the KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED, so hopefully this may help ensure we are encoding it in the absence of being able to confirm with Wireshark.

@MichaelGrafnetter (Author)

Thanks @JoeDibley , but still no luck on WS 2025:

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.3.3

[*] Action: Ask TGT

[*] Using salt: CONTOSO.COMadministrator
[*] Using PKINIT with etype aes256_cts_hmac_sha1 and subject: CN=administrator
[*] Building AS-REQ (w/ PKINIT preauth) for: 'contoso.com\administrator'
[*] Using domain controller: 10.213.0.9:88
PAChecksum is hit!

[X] KRB-ERROR (79) : KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED

vs. WS 2022:

  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.3.3

[*] Action: Ask TGT

[*] Using salt: CONTOSO.COMadministrator
[*] Using PKINIT with etype aes256_cts_hmac_sha1 and subject: CN=administrator
[*] Building AS-REQ (w/ PKINIT preauth) for: 'contoso.com\administrator'
[*] Using domain controller: fe80::1276:6f70:a913:dbf6%5:88
PAChecksum is hit!
[+] TGT request successful!
[*] base64(ticket.kirbi):


  ServiceName              :  krbtgt/contoso.com
  ServiceRealm             :  CONTOSO.COM
  UserName                 :  administrator (NT_PRINCIPAL)
  UserRealm                :  CONTOSO.COM
  StartTime                :  2/5/2025 8:58:42 PM
  EndTime                  :  2/6/2025 6:58:42 AM
  RenewTill                :  2/12/2025 8:58:42 PM
  Flags                    :  name_canonicalize, pre_authent, initial, renewable, forwardable
  KeyType                  :  aes256_cts_hmac_sha1
  Base64(key)              :  3m7vCSm80yxpxMKr+otLUPdKPZlmFJjTrRWD5gHqvvo=
  ASREP (key)              :  79327790A7A08B414DE82F02A1CB30DE9CE589FFA866E5EBF505923B56A2E48A

For reference, this is the command line:

Rubeus.exe asktgt /user:administrator /certificate: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 /password:"XQZtycNixvbPHTsO" /domain:contoso.com /dc:CONTOSO-DC2.contoso.com /show /enctype:aes256

@darkoperator

darkoperator commented Feb 6, 2025 via email

@MichaelGrafnetter (Author)

Thanks @darkoperator for the idea. I was able to replicate the issue even with Windows Server 2016 Domain Functional Level on a Windows Server 2025 DC, installed from en-us_windows_server_2025_updated_jan_2025_x64_dvd_7a8e5a29.iso. I also get the same behavior when using a KDC proxy server.

On the other hand, @dirkjanm's scripts work seamlessly with the same cert (kudos!!!):

~/env-pytools/bin/python3 ~/PKINITtools/gettgtpkinit.py 'CONTOSO/Administrator' administrator.ccache -dc-ip 10.213.0.9  -pfx-pass 'XQZtycNixvbPHTsO' -pfx-base64 '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'
2025-02-06 12:26:32,788 minikerberos INFO     Loading certificate and key from file
INFO:minikerberos:Loading certificate and key from file
2025-02-06 12:26:32,968 minikerberos INFO     Requesting TGT
INFO:minikerberos:Requesting TGT
2025-02-06 12:26:33,088 minikerberos INFO     AS-REP encryption key (you might need this later):
INFO:minikerberos:AS-REP encryption key (you might need this later):
2025-02-06 12:26:33,095 minikerberos INFO     9f14ab82bc7a21848afb4c921f470a1eb55287428e687cc30f94e9e81df9f9a0
INFO:minikerberos:9f14ab82bc7a21848afb4c921f470a1eb55287428e687cc30f94e9e81df9f9a0
2025-02-06 12:26:33,155 minikerberos INFO     Saved TGT to file
INFO:minikerberos:Saved TGT to file

@JoeDibley (Contributor)

No problem on the help Michael. There's something really odd/interesting going on here. I am going to see if I can find someone who has access to the proper ISO (I mainly just use eval for labs) and try again, but need to wait until I have another spare evening.

I ended up checking out the ASN.1 closely and it seems that the dotnet CMSSigner is likely to blame somewhere, as this is what Wireshark struggles to decode (specifically the Certificate in the ContentInfo in the encapsContentInfo), as Rubeus uses that for the encoding. I think we would need to implement the ASN.1 manually to get this decoded in Wireshark (or open an issue with Wireshark, as it seems Wireshark can't decode the standard Windows PKINIT properly in general...). Also to note, the ASN.1 between both gettgtpkinit.py and Rubeus was pretty much completely different when checked.

It's good to know you are definitely hitting the PAChecksum. Thanks for checking that.

Next step is checking that specific ISO I think, as I am using eval with updates. Do you have any specific config in GPOs? (I tried sooo many KDC and Kerberos setting combos but haven't managed to reproduce.)

@MichaelGrafnetter (Author)

I have also tested it in an environment without any custom GPOs. I always use AutomatedLab instead of installing Windows from ISO manually, but I don't think they would be injecting anything that would affect PKINIT on WS2025 specifically.

Maybe kdecode could help with parsing the tickets.
kdecode screenshot

I am actually thinking about dropping my own Kerberos-related code from DSInternals and replacing it with Kerberos.NET. Steve has done a great job with implementing ASN.1 parsing in C# the right way.

@JoeDibley (Contributor)

Cool. Not tried kdecode before. I tested that 2025 ISO as a domain controller and I can confirm it is working for me. Maybe it's something specific with the automated lab setup or the client machine. Some further questions:

  • What OS are you doing the request from?
  • Have you tried a standard authentication-based cert without an attack chain? I noticed your cert was an All-purpose cert for administrator from the example.

@MichaelGrafnetter (Author)

@JoeDibley @darkoperator I just figured out what the problem was. It is so embarrassing and surprising at the same time.

It turns out that if Rubeus is compiled against .NET Framework 4.7.2 or 4.8, PKINIT does not work with Windows Server 2025 KDCs, but still works with Windows Server 2022 KDCs. But my issues vanished once I re-targeted the project to .NET Framework 4.6.2. Go figure!

@JoeDibley Please definitely make a PR with the computer authentication update.

@JoeDibley (Contributor)

That is good to know though! An interesting side effect for sure. I nearly built with 4.8 so would have run into it eventually 😄

Will get that PR done now.
