"Auth" command after NTLM relay to an HTTP endpoint returns error when getting TGT: KRB_AP_ERR_MODIFIED

[Alh4zr3d]

When performing a basic NTLM relay attack (with PetitPotam to coerce auth) using the "relay" command, everything goes fine as you see below:

The PFX is saved and no error is thrown. However, when you follow this up with a certipy auth as below, a Kerberos error is thrown upon requesting the TGT:

However, requesting the TGT and NTLM hash with Rubeus works just as expected:

And then I was able to DC Sync with CME using the NTLM hash and/or TGT:

The DC involved is a Windows Server 2022 and the CA, on a separate server specifically to facilitate the NTLM relay simulation, is Windows Server 2019. I suspect this may be an issue related to the super up-to-date version of Windows Server that the DC is running on; perhaps Certipy just hasn't been updated to cope with it yet but Rubeus has (it receives more regular updates). Any idea is appreciated, though!

[ly4k]

Hello. If you're still able to test this, Certipy just received a new patch for the authentication part. Can you verify with the latest version?