Activating the synchronization of Kerberos hashes with AD-connector

Problem

After changing a user’s password in a Microsoft Active Directory domain which is connected via AD-Connector in sync or read mode to an UCS Samba/AD domain, that user can’t log in with their new password, e.g. to Microsoft Windows clients that are joined into the UCS Samba/AD domain.

Background

Before UCS version 4.4-3 errata495 only the NTLM Hash could be synced from/to Microsoft Active Directory.
Since other types of password hashes weren’t synchronized to UCS, when someone changed their password in the Microsoft Active DIrectory domain, kerberized authentication in the UCS domain only worked with the old password since other, stronger hashes than the NTLM hash (like AES keys) are preferred by the Kerberos server.

Solution

With UCS version 4.4-3 errata495 we added the possibility to sync cryptographic hashes for the Kerberos authentication protocol from an Microsoft Active Directory domain to an UCS domain (unidirectional).

Important prerequisites

Before activating the Kerberos hash synchronization, every UCS LDAP Server needs to be upgraded to UCS version 4.4-3 errata495 or higher, otherwise LDAP simple-bind authentication against all non-updated UCS LDAP servers will fail for all accounts with Kerberos-hashes synchronized from the Microsoft Active Directory domain.

The Kerberos configuration on the Microsoft Active Directory Domain Controllers may need to be adapted, since at least the Encryption types DES_CBC_MD5, RC4_HMAC_MD5, AES128_HMAC_SHA1 and AES256_HMAC_SHA1 need to be enabled, to ensure compatibility with the UCS Domain Controller.
For information on how to set the enctypes for Kerberos on the Active Directory Domain Controller, please see the “Notes” section below.

Enabling the synchronization of Kerberos hashes

After all LDAP Servers have been updated and the Kerberos coniguration has been checked, the synchronization can be activated:

    ucr set connector/ad/mapping/user/password/kerberos/enabled=true 
    /etc/init.d/univention-ad-connector restart

Please note that the password hashes of a user are only synchronized if their password is modified. Just setting the UCR variable and restarting univention-ad-connector will not synchronize current password hashes.

Notes

Windows Server 2008 and up do not create any DES_CBC_CRC hashes by default, while Samba does.
In case specific legacy services in the domain depend on authentication with this encryptiontype, the Microsoft Active Directory Domain Controller can be configured to create these hashes on password change by activating all encryption types in the “Network security: Configure encryption types allowed for Kerberos” Group policy.
For information on how to configure this policy, see
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj852180(v%3Dws.11)