[help wanted] AD CS /certsrv Endpoint authentication failed. #9

Closed
kmahyyg opened this issue Aug 12, 2021 · 1 comment

Comments

kmahyyg commented Aug 12, 2021

First of all, thanks for your excellent research work.

I'm trying to reproduce it using a Windows Server 2012 R2 with no patches installed either automatically or manually.

I installed AD CS using all default options offered by the setup wizard.

When I invoke the Python script from your repo together with ntlmrelayx from https://github.com/ExAndroidDev/impacket/tree/ntlmrelayx-adcs-attack, it just keeps telling me HTTP 401 Unauthorized.

Since everything is in its default configuration, I have no idea what is going wrong with the reproduction.

More information that might be useful for debugging:

  • A certificate can be requested via any other machine in the domain. The DC itself also has a certificate. Any other machine can also request a machine account certificate in the GUI.
  • The web endpoint /certsrv asks for human user credentials, and then it works as intended. But in this situation, machine account NTLM authentication does not seem to work.
  • If I replace ntlmrelayx with responder, I can successfully get a response and a hash capture notice from responder, which means that at least the NTLM relay part works fine.

Thanks for your help in advance.


kmahyyg commented Aug 12, 2021

Closed because this is the wrong place to submit this issue. Sorry for the disturbance.

@kmahyyg kmahyyg closed this as completed Aug 12, 2021