
Validating credentials in PowerShell won't use Kerberos


In reality I'm debugging a C# app but since the same command is possible in PowerShell I'm trying there.

I am trying to validate user accounts using the following in PowerShell:

> Add-Type -AssemblyName System.DirectoryServices.AccountManagement
> $ds = New-Object System.DirectoryServices.AccountManagement.PrincipalContext("domain", "<domain>", "<OuDN>", "negotiate", "<username>", "<password>")
> $ds.ValidateCredentials("<username>", "<password>", "negotiate")

The last command always returns false. I've verified the credentials are correct by logging in with them. We've turned off NTLM authentication in the environment, and I can see that each time I execute ValidateCredentials() an NTLM connection by lsass.exe is blocked (event ID 4002 in event viewer). I turned on Kerberos logging but no events are generated in the event viewer when trying to validate. This in turn leads me to believe it doesn't even attempt Kerberos authentication, but I might be wrong here.

I've verified that SPNs for the computer exist with setspn -L, and since Kerb authentication works everywhere else in the system I'm not sure it's a misconfiguration.

Update:

I found a solution but am not posting it as an answer yet since I still have some weird behavior. I added @<domain> to the username and this works in the C# app I'm debugging, but running the exact same command in PowerShell still returns false, although now I get a KDC_ERR_PREAUTH_FAILED in the event viewer.

What is the result if Signing and Sealing are specified and added to the ContextOptions? (that is the default)
AmazingRealist
Running `ValidateCredentials()` with `Negotiate | Signing | Sealing` results in the same behavior; omitting them gives a `KDC_ERR_PREAUTH_REQUIRED` in the System log.
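
A diagnostic sketch for the behavior discussed in this thread, added here and not taken from the original post or its comments: it calls `ValidateCredentials()` for both user-name forms (plain and with `@<domain>`) under both `ContextOptions` sets mentioned above, then lists NTLM block events (ID 4002) logged during the run. The log name `Microsoft-Windows-NTLM/Operational`, the variable names and the use of the current logon to bind the context are assumptions; `<domain>` and `<username>` are the question's placeholders.

```powershell
# Added example; not code from the original post. Run in the environment being debugged.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

$Domain   = '<domain>'      # placeholder from the question
$UserName = '<username>'    # placeholder from the question
$cred     = Get-Credential -UserName $UserName -Message 'Account to validate'
$password = $cred.GetNetworkCredential().Password

# The two option sets discussed in the comments.
$optionSets = @(
    [System.DirectoryServices.AccountManagement.ContextOptions]'Negotiate',
    [System.DirectoryServices.AccountManagement.ContextOptions]'Negotiate, Signing, Sealing'
)
# The two user-name forms from the question and its update.
$nameForms = @($UserName, "${UserName}@${Domain}")

$start = Get-Date
# Assumption: the context binds with the current logon, not explicit credentials.
$ctx = [System.DirectoryServices.AccountManagement.PrincipalContext]::new(
    [System.DirectoryServices.AccountManagement.ContextType]::Domain, $Domain)
try {
    # Note: every failed attempt may count toward the account lockout threshold.
    $results = foreach ($name in $nameForms) {
        foreach ($opts in $optionSets) {
            $valid = $null; $err = $null
            try   { $valid = $ctx.ValidateCredentials($name, $password, $opts) }
            catch { $err = $_.Exception.Message }
            [pscustomobject]@{
                UserName = $name; Options = $opts; Valid = $valid; Error = $err
            }
        }
    }
}
finally { $ctx.Dispose() }
$results | Format-Table -AutoSize

# NTLM block events recorded during the run (assumed log name; reading it
# usually requires an elevated session). No output means none were logged.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-NTLM/Operational'
    Id        = 4002
    StartTime = $start
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List
```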