Windows Server 2025 KDC PKINIT Support

[MichaelGrafnetter]

Hi, I have an issue when running Rubeus asktgt /certificate:... against Windows Server 2025 domain controllers. I always get the

[-] KRB-ERROR (79) : KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED

error from DC. I had no issues with Windows Server 2022.

The same certificate works seamlessly with Windows Server 2025 when using PKINITtools/gettgtpkinit.py. Am I missing something or has Microsoft changed PA-PK-AS-REP validation?

[JoeDibley]

Hi Michael, hope you are well! I updated my 2025 DC and all still works here with the following and certificate generated using the default "User" template. Are you specifically attempting to use the PK_AS_REQ_OLD (PK_AS_REQ_19)?

.\Rubeus.exe asktgt /user:DA /dc:10.0.0.63 /certificate:dcb44eaac7869240d76a6def983c8594fa6c220f /enctype:aes256

[MichaelGrafnetter]

Hi @JoeDibley , thanks for your response. I was basically doing the same thing as you did, maybe I just used DC name instead of IP address, which should not make any difference.
I tried 2 different approaches:

• Certificate based on the KerberosAuthentication template acquired through impacket-ntlmrelayx.
• Shadow credential certificate with Rubeus command line generated entirely by Elad Shamir's whisker.

I tried both Rubeus freshly compiled by myself and some binaries available online, with the same result.
I also tried to explicitly disable the PKINIT Freshness extension on the target DC, but that did not help either.
As it works for you, I will probably try to re-install my AD lab from scratch and see what happens.

[JoeDibley]

Interesting. I don't see why those would behave any differently. I literally cant see a way right now for AskTGT with a cert to not have a checksum? Maybe the structure of the packet is off a bit.

I did notice that in the impacket version they add the DiffieHellman q (Factor) to the agreement encoding where a Rubeus just does P and G? Doubt it would impact or exclude the checksum but thought may be worth a quick try adding it?

https://github.com/dirkjanm/PKINITtools/blob/0f0cfa542b0348609ad494713e84744234b2d3b0/gettgtpkinit.py#L148-L151

Rubeus/Rubeus/lib/krb_structures/PA_DATA.cs

Lines 108 to 111 in afa32af

	byte[] pubKeyInfo = AsnElt.Make(AsnElt.SEQUENCE, new AsnElt[] {
	AsnElt.MakeInteger(agreement.P),
	AsnElt.MakeInteger(agreement.G),
	}).Encode();

Let me know how you get on! If I have any time i'll try 1 of your scenarios against my 2025 dc.

[JoeDibley]

Using Impacket's ntlmrealyx and petitpotam to get Kerberos Authentication certificate from my 2025 domain controller and using that I ran into a different issue but a Rubeus issue rather than Windows side.

This new issue appears to be to do with the computer authentication (the user auth to the same dc does not have this). The PA_DATA returns two items (ETYPE-INFO2 and PK-AS-REP) and ETYPE-INFO2 is decoded instead of the second one causing an unable to cast ETYPE-INFO2 to PK-AS-REP.

I made a branch on my fork with a fix for this as well as adding in that Q option for you to try.

Also, just to confirm, I commented out this line to reproduce the error message you are getting. I have no idea what must be happening on your DC! 😕

Rubeus/Rubeus/lib/krb_structures/KrbPkAuthenticator.cs

Line 34 in afa32af

AsnElt.Make(AsnElt.CONTEXT,3, new AsnElt[]{ AsnElt.MakeBlob(paChecksum) })

[*] Action: Ask TGT

[*] Got domain: domain.local
[*] Using PKINIT with etype aes256_cts_hmac_sha1 and subject:
[*] Building AS-REQ (w/ PKINIT preauth) for: 'domain.local\NWX-DC2$'
[*] Using domain controller: 10.0.0.63:88

[X] KRB-ERROR (79) : KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED

[MichaelGrafnetter]

Hey @JoeDibley , thanks a lot for your effort, really appreciate it.

I confirm that I have previously seen the ETYPE-INFO2 vs. PK-AS-REP issue you are describing on a Windows Server 2025 (Updated November 2024) DC. That change is therefore worthy of a pull request.

I re-deployed my lab environment with 2 DCs:

• DC1 - Windows Server 2022 (ISO Updated January 2025)
• DC2 - Windows Server 2025 (ISO Updated January 2025)

Even with the AsnElt.MakeInteger(agreement.Q) change in place, I am still getting KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED from DC2, while it works as expected against DC1. I am running the same Rubeus command from the same system, only changing the /dc: parameter.

[JoeDibley]

Yeah, makes sense to do a PR for that. I'll save it until we can figure out the problems. GetTGTPKInit.py works and is fully decoded in Wireshark where as Rubeus is currently not so I think focusing on getting to a point that wireshark can inspect the AS-REQ without an error in the SignedAuthPack is likely the next step albeit not a simple one.

[JoeDibley]

If you get time, give my fork another go. I made a change that now detects the SignedAuthPack and also just a console write line to confirm that the pachecksum bit is being hit on your side.

Still not quite sure how you are getting the KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED so hopefully this may help ensure we are encoding it in the absense of being able to confirm with wireshark.