{"id":15943,"date":"2022-11-09T10:00:28","date_gmt":"2022-11-09T10:00:28","guid":{"rendered":"https:\/\/exa.net.uk\/?p=15943"},"modified":"2024-05-15T17:03:18","modified_gmt":"2024-05-15T16:03:18","slug":"kerberos-from-rc4-to-aes","status":"publish","type":"post","link":"https:\/\/edit.exa.net.uk\/knowledge-hub\/technical\/kerberos-from-rc4-to-aes\/","title":{"rendered":"Kerberos from RC4 to AES"},"content":{"rendered":"\t\t<div data-elementor-type=\"wp-post\" data-elementor-id=\"15943\" data-post-id=\"15943\" data-obj-id=\"15943\" class=\"elementor elementor-15943 dce-elementor-post-15943\" data-elementor-post-type=\"post\">\n\t\t\t\t\t\t<section class=\"has_eae_slider elementor-section elementor-top-section elementor-element elementor-element-2e642dc0 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-dce-background-image-url=\"https:\/\/exa.net.uk\/wp-content\/uploads\/2022\/11\/blog-post-top.png\" data-id=\"2e642dc0\" data-element_type=\"section\" data-settings=\"{&quot;background_background&quot;:&quot;classic&quot;,&quot;jet_parallax_layout_list&quot;:[{&quot;_id&quot;:&quot;6d8e4b3&quot;,&quot;jet_parallax_layout_image&quot;:{&quot;url&quot;:&quot;&quot;,&quot;id&quot;:&quot;&quot;,&quot;size&quot;:&quot;&quot;},&quot;jet_parallax_layout_image_tablet&quot;:{&quot;url&quot;:&quot;&quot;,&quot;id&quot;:&quot;&quot;,&quot;size&quot;:&quot;&quot;},&quot;jet_parallax_layout_image_mobile&quot;:{&quot;url&quot;:&quot;&quot;,&quot;id&quot;:&quot;&quot;,&quot;size&quot;:&quot;&quot;},&quot;jet_parallax_layout_speed&quot;:{&quot;unit&quot;:&quot;%&quot;,&quot;size&quot;:50,&quot;sizes&quot;:[]},&quot;jet_parallax_layout_type&quot;:&quot;scroll&quot;,&quot;jet_parallax_layout_direction&quot;:null,&quot;jet_parallax_layout_fx_direction&quot;:null,&quot;jet_parallax_layout_z_index&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_x&quot;:50,&quot;jet_parallax_layout_bg_x_tablet&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_x_mobile&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_y&quot;:50,&quot;jet_parallax_layout_bg_y_tablet&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_y_mobile&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_size&quot;:&quot;auto&quot;,&quot;jet_parallax_layout_bg_size_tablet&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_size_mobile&quot;:&quot;&quot;,&quot;jet_parallax_layout_animation_prop&quot;:&quot;transform&quot;,&quot;jet_parallax_layout_on&quot;:[&quot;desktop&quot;,&quot;tablet&quot;]}]}\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"has_eae_slider elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-56af8b04\" data-id=\"56af8b04\" data-element_type=\"column\" data-settings=\"{&quot;background_background&quot;:&quot;classic&quot;}\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div data-dce-background-color=\"#FFFFFF\" class=\"elementor-element elementor-element-3a1d4750 master-btn-width elementor-mobile-align-center elementor-widget__width-auto elementor-widget-mobile__width-inherit elementor-absolute elementor-widget elementor-widget-button\" data-id=\"3a1d4750\" data-element_type=\"widget\" data-settings=\"{&quot;_position&quot;:&quot;absolute&quot;}\" data-widget_type=\"button.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-button-wrapper\">\n\t\t\t<a class=\"elementor-button elementor-button-link elementor-size-sm\" href=\"https:\/\/exa.net.uk\/knowledge-hub\/\" target=\"_blank\" rel=\"noopener\">\n\t\t\t\t\t\t<span class=\"elementor-button-content-wrapper\">\n\t\t\t\t\t\t<span class=\"elementor-button-icon\">\n\t\t\t\t<i aria-hidden=\"true\" class=\"fas fa-caret-left\"><\/i>\t\t\t<\/span>\n\t\t\t\t\t\t\t\t\t<span class=\"elementor-button-text\">Knowledge Hub<\/span>\n\t\t\t\t\t<\/span>\n\t\t\t\t\t<\/a>\n\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-7553618a elementor-widget__width-auto elementor-widget elementor-widget-heading\" data-id=\"7553618a\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Knowledge <span class=\"lightblue\">Hub<\/span><sup class=\"blog-tm\">TM<\/sup><span class=\"hub-image\"><img decoding=\"async\" src=\"https:\/\/exa.net.uk\/wp-content\/uploads\/2021\/02\/education.svg\" alt=\"\" title=\"\"><\/span><\/h2>\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-2b0479e9 elementor-widget__width-initial elementor-widget elementor-widget-theme-post-title elementor-page-title elementor-widget-heading\" data-id=\"2b0479e9\" data-element_type=\"widget\" data-widget_type=\"theme-post-title.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t<h1 class=\"elementor-heading-title elementor-size-default\">Kerberos from RC4 to AES<\/h1>\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-103f2b65 elementor-widget__width-initial elementor-hidden-phone elementor-widget elementor-widget-spacer\" data-id=\"103f2b65\" data-element_type=\"widget\" data-widget_type=\"spacer.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-spacer\">\n\t\t\t<div class=\"elementor-spacer-inner\"><\/div>\n\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-545bb243 elementor-mobile-align-center elementor-align-center elementor-widget__width-initial post-info elementor-widget elementor-widget-post-info\" data-id=\"545bb243\" data-element_type=\"widget\" data-widget_type=\"post-info.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<ul class=\"elementor-inline-items elementor-icon-list-items elementor-post-info\">\n\t\t\t\t\t\t\t\t<li class=\"elementor-icon-list-item elementor-repeater-item-ba9c996 elementor-inline-item\" itemprop=\"datePublished\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-text elementor-post-info__item elementor-post-info__item--type-date\">\n\t\t\t\t\t\t\t<span class=\"elementor-post-info__item-prefix\">Date Posted:<\/span>\n\t\t\t\t\t\t\t\t\t\t<time>09.11.2022<\/time>\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t<\/li>\n\t\t\t\t<li class=\"elementor-icon-list-item elementor-repeater-item-7e61590 elementor-inline-item\" itemprop=\"about\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-text elementor-post-info__item elementor-post-info__item--type-terms\">\n\t\t\t\t\t\t\t<span class=\"elementor-post-info__item-prefix\">Read time:<\/span>\n\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-post-info__terms-list\">\n\t\t\t\t<span class=\"elementor-post-info__terms-list-item\">11 min read<\/span>\t\t\t\t<\/span>\n\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t<\/li>\n\t\t\t\t<li class=\"elementor-icon-list-item elementor-repeater-item-a339c7b elementor-inline-item\" itemprop=\"author\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-text elementor-post-info__item elementor-post-info__item--type-author\">\n\t\t\t\t\t\t\t<span class=\"elementor-post-info__item-prefix\">Written by:<\/span>\n\t\t\t\t\t\t\t\t\t\tExa Networks\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t<\/li>\n\t\t\t\t<\/ul>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-33be5e0b elementor-widget__width-initial elementor-hidden-phone elementor-widget elementor-widget-spacer\" data-id=\"33be5e0b\" data-element_type=\"widget\" data-widget_type=\"spacer.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-spacer\">\n\t\t\t<div class=\"elementor-spacer-inner\"><\/div>\n\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"has_eae_slider elementor-section elementor-top-section elementor-element elementor-element-8587caa elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"8587caa\" data-element_type=\"section\" id=\"main-article\" data-settings=\"{&quot;jet_parallax_layout_list&quot;:[{&quot;_id&quot;:&quot;5fc546a&quot;,&quot;jet_parallax_layout_image&quot;:{&quot;url&quot;:&quot;&quot;,&quot;id&quot;:&quot;&quot;,&quot;size&quot;:&quot;&quot;},&quot;jet_parallax_layout_image_tablet&quot;:{&quot;url&quot;:&quot;&quot;,&quot;id&quot;:&quot;&quot;,&quot;size&quot;:&quot;&quot;},&quot;jet_parallax_layout_image_mobile&quot;:{&quot;url&quot;:&quot;&quot;,&quot;id&quot;:&quot;&quot;,&quot;size&quot;:&quot;&quot;},&quot;jet_parallax_layout_speed&quot;:{&quot;unit&quot;:&quot;%&quot;,&quot;size&quot;:50,&quot;sizes&quot;:[]},&quot;jet_parallax_layout_type&quot;:&quot;scroll&quot;,&quot;jet_parallax_layout_direction&quot;:null,&quot;jet_parallax_layout_fx_direction&quot;:null,&quot;jet_parallax_layout_z_index&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_x&quot;:50,&quot;jet_parallax_layout_bg_x_tablet&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_x_mobile&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_y&quot;:50,&quot;jet_parallax_layout_bg_y_tablet&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_y_mobile&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_size&quot;:&quot;auto&quot;,&quot;jet_parallax_layout_bg_size_tablet&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_size_mobile&quot;:&quot;&quot;,&quot;jet_parallax_layout_animation_prop&quot;:&quot;transform&quot;,&quot;jet_parallax_layout_on&quot;:[&quot;desktop&quot;,&quot;tablet&quot;]}]}\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"has_eae_slider elementor-column elementor-col-50 elementor-top-column elementor-element elementor-element-3bf7379a\" data-id=\"3bf7379a\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-7caea28c custom-posts elementor-widget elementor-widget-text-editor\" data-id=\"7caea28c\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<h4>Among the patches published by Microsoft in its November 2022 security update, kerberos protocol changes described in <a href=\"https:\/\/support.microsoft.com\/en-gb\/topic\/kb5021131-how-to-manage-the-kerberos-protocol-changes-related-to-cve-2022-37966-fd837ac3-cdec-4e76-a6ec-86e67501407d\" target=\"_blank\" rel=\"noopener\">KB5021131<\/a> affected a small number of SurfProtect customers, who were initially unable to authenticate users when using our Windows SSO service.<\/h4><p>This change was linked to the as-yet undisclosed vulnerability <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2022-37966\" target=\"_blank\" rel=\"noopener\">CVE-2022-37966<\/a>, which is mitigated by setting the default encryption type as AES on accounts that are not already marked with a default value. We have historically required Kerberos tokens to be encrypted using the RC4 cipher due to support across all of our customer installations and this change resulted in our servers refusing to serve web content since we were unable to verify user identity.<\/p><p>To restore service for the affected customers, our engineers deployed an update across the SurfProtect proxy servers to enable support for AES. This change ensures that the Microsoft patches can be applied with no need for any intervention by local administrators in order for SurfProtect SSO to continue to function as normal.<\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-39e59686 elementor-widget elementor-widget-heading\" data-id=\"39e59686\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Update<\/h2>\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-68ae8fa7 custom-posts elementor-widget elementor-widget-text-editor\" data-id=\"68ae8fa7\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<p>Our engineers recently undertook work to add support for AES in the SurfProtect web proxy. This change addresses concerns about the security of RC4-HMAC, as detailed below, and also provides a migration path in anticipation of client support being withdrawn for the deprecated encryption mechanism.<\/p><p>Before the release of Microsoft&#8217;s November 2022 security update, AES support was rolled out to a limited number of customers and verified to be functional. After a small number of sites experienced errors when attempting to access the SurfProtect Active Directory service, the decision was made to expedite deployment of the feature and emergency maintenance was performed to push the feature to all of our SurfProtect clusters.<\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-31c4da47 custom-posts elementor-widget elementor-widget-text-editor\" data-id=\"31c4da47\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<p>Due to the ongoing phased rollout of the new SurfProtect software stack, some servers in both London and Manchester were not able to accept the update without additional changes and work is scheduled for this weekend, beginning 2022-11-12, to migrate them to the new software. This older version of the service responds differently to the new default when encountering errors decoding Kerberos tokens and fails open so that users are filtered with a default profile. We are actively monitoring for this behaviour and will migrate affected customers directly to the new platform in order to avoid unexpected filtering behaviour.<\/p><p>Most customers on the new platform are still providing proof of identity encrypted with RC4 but instructions for manually switching to AES are provided at the end of this article. Details of the upcoming service migration are available on our\u00a0<a href=\"https:\/\/status.exa.co.uk\/\" target=\"_blank\" rel=\"noopener\">status page<\/a>\u00a0and we recommend waiting for confirmation that the work was carried out before making any changes.<\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-54ea302 elementor-widget elementor-widget-heading\" data-id=\"54ea302\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Background<\/h2>\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-d62e092 elementor-widget elementor-widget-text-editor\" data-id=\"d62e092\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\tThe initial release of SurfProtect Quantum focused on supporting as wide a userbase as possible in as consistent a manner as possible, and the lack of ubiquitous support for AES from client devices at the time meant that defaulting to RC4 for Windows integration was considered to be the best option.\n\nEven at the time, the use of RC4 was considered to be insecure and there were known vulnerabilities that allow for an attacker to determine the password of a service account on the target AD server. While the RC4 cipher itself is considered broken, this isn&#8217;t an issue in practice since the RC4-HMAC-MD5 scheme used by Kerberos guards against cryptanalysis by essentially ensuring that every ticket issued by an AD server is encrypted with a unique key. Rather, the weaknesses associated with its use are due to the historical need to derive as user&#8217;s encryption key from their own password hash.\n\nWhen Windows 2000 replaced the NT LAN Manager (NTLM) authentication protocols in favour of Kerberos, it was necessary to provide a transparent migration path for existing user accounts. Conveniently,\u00a0<a href=\"https:\/\/www.rfc-editor.org\/rfc\/rfc3961\" style=\"color: #009fe3;\" target=\"_blank\" rel=\"noopener\">RFC-3961<\/a>\u00a0defines that Kerberos encryption mechanisms must implement the operation\u00a0<code style=\"background: lightgrey;\">string-to-key<\/code>.\n\n<a href=\"https:\/\/www.rfc-editor.org\/rfc\/rfc4757\" style=\"color: #009fe3;\" target=\"_blank\" rel=\"noopener\">RFC-4757<\/a>\u00a0(The RC4-HMAC Kerberos Encryption Types Used by Microsoft Windows) declares that:\n<blockquote>On upgrade from existing Windows NT domains, the user accounts would not have a DES-based key available to enable the use of DES base encryption types specified in [RFC4120] and [RFC3961]. The key used for RC4-HMAC is the same as the existing Windows NT key (NT Password Hash) for compatibility reasons.<\/blockquote>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-5e1370cc elementor-widget elementor-widget-text-editor\" data-id=\"5e1370cc\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<p>So, effectively, the string-to-key function used by RC4-HMAC returns the NTLM hash of a user&#8217;s password.<\/p><p>NTLM password hashes are constructed from a single pass of the MD4 algorithm over the user&#8217;s password in UTF-16LE format, producing a 16-byte key that wouldn&#8217;t be practical to brute force. They had the undeniable benefit of being available from data migrated from existing NT domains but unfortunately don&#8217;t themselves provide protection against brute force attacks: in particular, they lack salts and require only a single iteration of the MD4 algorithm so an attacker can feasibly search in a practical amount of time through all the possible keys that can be generated from weak passwords.<\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-9921dbc elementor-widget elementor-widget-text-editor\" data-id=\"9921dbc\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<p>Fortunately, this isn&#8217;t actually useful for compromising normal user accounts thanks to pre-authentication, where a client is required to prove that it already knows the user&#8217;s password hash before the server will respond to authentication requests. In the case of services such as SurfProtect where Kerberos is used to prove user identity for Single Sign-on, however, any domain-authenticated user with rights to access the service will on request be provided with a Service Ticket. This ticket is encrypted with a key derived from the corresponding service-user password and can therefore be used to potentially identify that service user&#8217;s password with no need for any further interaction with the AD server or remote service.<\/p><p>Typically it&#8217;s expected that service accounts may require elevated privilages so the attacker, who already has local user access to the domain, has now gained administrator rights. Since the SurfProtect account is created with no elevated privileges, the impact of a local user gaining access is significantly reduced.<\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-0cd8e5d elementor-widget elementor-widget-heading\" data-id=\"0cd8e5d\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Mitigation<\/h2>\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-5d9d54e0 elementor-widget elementor-widget-text-editor\" data-id=\"5d9d54e0\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\tCustomers wishing to precipitate the switch to using AES can do so through the Active Directory Users and Computers (ADUC) tool on their AD Domain Controller.\n\nRight-click on the\u00a0<em>surfprotect<\/em>\u00a0user and select\u00a0<code style=\"background: lightgrey;\">properties<\/code>\u00a0to open the properties window, then navigate to the tab labelled\u00a0<code style=\"background: lightgrey;\">Account<\/code>. Scroll through the\u00a0<code style=\"background: lightgrey;\">Account Options<\/code>\u00a0and check one or both of: &#8211; This account supports Kerberos AES 128 bit encryption &#8211; This account supports Kerberos AES 256 bit encryption\n\nClick on\u00a0<code style=\"background: lightgrey;\">Apply<\/code>\u00a0and users will immediately begin to receive AES-encrypted service tickets the next time the log in and start to use the SurfProtect service.\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<section class=\"has_eae_slider elementor-section elementor-inner-section elementor-element elementor-element-306a1079 elementor-section-content-middle elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"306a1079\" data-element_type=\"section\" data-settings=\"{&quot;jet_parallax_layout_list&quot;:[{&quot;_id&quot;:&quot;62e95af&quot;,&quot;jet_parallax_layout_image&quot;:{&quot;url&quot;:&quot;&quot;,&quot;id&quot;:&quot;&quot;,&quot;size&quot;:&quot;&quot;},&quot;jet_parallax_layout_image_tablet&quot;:{&quot;url&quot;:&quot;&quot;,&quot;id&quot;:&quot;&quot;,&quot;size&quot;:&quot;&quot;},&quot;jet_parallax_layout_image_mobile&quot;:{&quot;url&quot;:&quot;&quot;,&quot;id&quot;:&quot;&quot;,&quot;size&quot;:&quot;&quot;},&quot;jet_parallax_layout_speed&quot;:{&quot;unit&quot;:&quot;%&quot;,&quot;size&quot;:50,&quot;sizes&quot;:[]},&quot;jet_parallax_layout_type&quot;:&quot;scroll&quot;,&quot;jet_parallax_layout_direction&quot;:null,&quot;jet_parallax_layout_fx_direction&quot;:null,&quot;jet_parallax_layout_z_index&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_x&quot;:50,&quot;jet_parallax_layout_bg_x_tablet&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_x_mobile&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_y&quot;:50,&quot;jet_parallax_layout_bg_y_tablet&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_y_mobile&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_size&quot;:&quot;auto&quot;,&quot;jet_parallax_layout_bg_size_tablet&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_size_mobile&quot;:&quot;&quot;,&quot;jet_parallax_layout_animation_prop&quot;:&quot;transform&quot;,&quot;jet_parallax_layout_on&quot;:[&quot;desktop&quot;,&quot;tablet&quot;]}]}\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"has_eae_slider elementor-column elementor-col-50 elementor-inner-column elementor-element elementor-element-2f96de0b\" data-id=\"2f96de0b\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-57c995e0 next-read-section elementor-widget elementor-widget-heading\" data-id=\"57c995e0\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t<p class=\"elementor-heading-title elementor-size-default\"><span class=\"lightblue\">Suggested<\/span> Next Read <span class=\"lightblue\"><i class=\"fas fa-caret-right\"><\/i><\/span><\/p>\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<div class=\"has_eae_slider elementor-column elementor-col-50 elementor-inner-column elementor-element elementor-element-4ae5de96\" data-id=\"4ae5de96\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-d8dcf6f custom-slider blog-slide custom-slider-green elementor-widget__width-initial elementor-widget elementor-widget-ucaddon_uc_card_post_carousel_blog\" data-id=\"d8dcf6f\" data-element_type=\"widget\" data-widget_type=\"ucaddon_uc_card_post_carousel_blog.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\n<!-- start Card Post Carousel - Blog -->\n\t\t<link id='font-awesome-css' href='https:\/\/edit.exa.net.uk\/wp-content\/plugins\/unlimited-elements-for-elementor\/assets_libraries\/font-awesome6\/fontawesome-all.min.css' type='text\/css' rel='stylesheet' >\n\t\t<link id='font-awesome-4-shim-css' href='https:\/\/edit.exa.net.uk\/wp-content\/plugins\/unlimited-elements-for-elementor\/assets_libraries\/font-awesome6\/fontawesome-v4-shims.min.css' type='text\/css' rel='stylesheet' >\n\t\t<link id='owl-carousel-css' href='https:\/\/edit.exa.net.uk\/wp-content\/plugins\/unlimited-elements-for-elementor\/assets_libraries\/owl-carousel\/assets\/owl.carousel.css' type='text\/css' rel='stylesheet' >\n\n<style>\/* widget: Card Post Carousel - Blog *\/\n\n#uc_uc_card_post_carousel_blog_elementor_d8dcf6f *{\n  box-sizing:border-box;\n}\n#uc_uc_card_post_carousel_blog_elementor_d8dcf6f{\n  position:relative;\n}\n#uc_uc_card_post_carousel_blog_elementor_d8dcf6f .uc_image_carousel_content{\n\ttext-align:left;\n    display: flex;\n     flex-flow: column nowrap;\n}\n#uc_uc_card_post_carousel_blog_elementor_d8dcf6f .ue_post_carousel_item\n{\n  overflow:hidden;\n  \n}\n\n#uc_uc_card_post_carousel_blog_elementor_d8dcf6f .ue_post_btn_holder\n{\n  margin-top:auto;\n}\n\n#uc_uc_card_post_carousel_blog_elementor_d8dcf6f .uc_more_btn{\n\n  display:inline-block;\n  text-align:center;\n  text-decoration:none;\n} \n\n.uc_overlay_image_carousel .uc_more_btn{\n  text-decoration:none;\n  display:inline-block;\n}\n\n.uc_overlay_image_carousel .uc_post_title{\n  font-size:21px;\n  text-decoration:none;\n}\n\n#uc_uc_card_post_carousel_blog_elementor_d8dcf6f .owl-nav .owl-prev{\n    position:absolute;\n    left:-40px;\n    display:inline-block;\n    text-align:center;\n}\n#uc_uc_card_post_carousel_blog_elementor_d8dcf6f .owl-nav .owl-next{\n  position:absolute;\n    right:-40px;\n  display:inline-block;\n  text-align:center;\n}\n\n\n#uc_uc_card_post_carousel_blog_elementor_d8dcf6f .owl-dots {\noverflow:hidden;\ndisplay:false !important;\ntext-align:center;\n}\n\n#uc_uc_card_post_carousel_blog_elementor_d8dcf6f .owl-dot {\nborder-radius:50%;\ndisplay:inline-block;\n}\n\n<\/style>\n\n<div class=\"uc_overlay_image_carousel\" id=\"uc_uc_card_post_carousel_blog_elementor_d8dcf6f\" style=\"direction:ltr;\">\n   <div class=\"uc_carousel owl-carousel owl-theme\">\n   \t\t<div class=\"uc_image_carousel_container_holder ue_post_carousel_item\">\n  <div class=\"uc_image_carousel_placeholder\">\n    <a href=\"https:\/\/edit.exa.net.uk\/knowledge-hub\/technical\/ensuring-robust-security-through-regular-firewall-updates\/\">\n\t\t\n      <div class=\"custom-slider-bg\" style=\"background-image:url(https:\/\/edit.exa.net.uk\/wp-content\/uploads\/2021\/03\/fortinet-logo.svg); background-size:cover; background-position:center; height:115px;\">\n\t\t<div class=\"color-bg\">\n\t\t\t<div class=\"content-info\">\n\t\t\t\t<a href=\"https:\/\/edit.exa.net.uk\/knowledge-hub\/technical\/ensuring-robust-security-through-regular-firewall-updates\/\" style=\"text-decoration:none;\"><div class=\"uc_post_title\" style=\"text-decoration:none;\">Ensuring Robust Security Through Regular Firewall Updates<\/div><\/a>\t\t\t<\/div>\n\t\t\n\t\t<\/div>\n      <\/div>\n\t<\/a>\n  <\/div>\n\n  <div class=\"uc_image_carousel_content\" >\n    <a class=\"post-link\" href=\"https:\/\/edit.exa.net.uk\/knowledge-hub\/technical\/ensuring-robust-security-through-regular-firewall-updates\/\">Read Next<\/a>  <\/div>\n<\/div>\n\n   <\/div>\t\n<\/div>\n<!-- end Card Post Carousel - Blog -->\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<div class=\"elementor-element elementor-element-56c79c98 elementor-widget__width-initial elementor-hidden-phone elementor-widget elementor-widget-spacer\" data-id=\"56c79c98\" data-element_type=\"widget\" data-widget_type=\"spacer.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-spacer\">\n\t\t\t<div class=\"elementor-spacer-inner\"><\/div>\n\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<div class=\"has_eae_slider jet-sticky-column elementor-column elementor-col-50 elementor-top-column elementor-element elementor-element-52f48463\" data-jet-settings=\"{&quot;id&quot;:&quot;52f48463&quot;,&quot;sticky&quot;:true,&quot;topSpacing&quot;:155,&quot;bottomSpacing&quot;:50,&quot;stickyOn&quot;:[&quot;desktop&quot;,&quot;tablet&quot;]}\" data-id=\"52f48463\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-5b42788c elementor-widget elementor-widget-heading\" data-id=\"5b42788c\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\"><span class=\"lightblue\">Related<\/span> Knowledge <span class=\"lightblue\">Hub<\/span>&trade; Articles<\/h2>\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-613dd224 elementor-grid-1 elementor-grid-tablet-1 elementor-posts--thumbnail-top elementor-grid-mobile-1 elementor-widget elementor-widget-posts\" data-id=\"613dd224\" data-element_type=\"widget\" data-settings=\"{&quot;custom_columns&quot;:&quot;1&quot;,&quot;custom_row_gap&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;size&quot;:25,&quot;sizes&quot;:[]},&quot;custom_columns_tablet&quot;:&quot;1&quot;,&quot;custom_columns_mobile&quot;:&quot;1&quot;,&quot;custom_row_gap_tablet&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;size&quot;:&quot;&quot;,&quot;sizes&quot;:[]},&quot;custom_row_gap_mobile&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;size&quot;:&quot;&quot;,&quot;sizes&quot;:[]}}\" data-widget_type=\"posts.custom\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t      <div class=\"ecs-posts elementor-posts-container elementor-posts   elementor-grid elementor-posts--skin-custom\" data-settings=\"{&quot;current_page&quot;:1,&quot;max_num_pages&quot;:0,&quot;load_method&quot;:&quot;&quot;,&quot;widget_id&quot;:&quot;613dd224&quot;,&quot;post_id&quot;:15943,&quot;theme_id&quot;:15943,&quot;change_url&quot;:false,&quot;reinit_js&quot;:false}\">\n      <div class=\"elementor-posts-nothing-found\"><\/div>\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-6bf5c137 next-read-section elementor-widget elementor-widget-heading\" data-id=\"6bf5c137\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t<p class=\"elementor-heading-title elementor-size-default\"><a href=\"https:\/\/exa.net.uk\/knowledge-hub\/\" target=\"_blank\" rel=\"noopener\">Knowledge <span class=\"lightblue\">Hub<\/span>&trade; <span class=\"lightblue\">Home<\/span> <i class=\"fas fa-chevron-right\"><\/i><\/a><\/p>\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>Knowledge Hub Knowledge HubTM Among the patches published by Microsoft in its November 2022 security update, kerberos protocol changes described in KB5021131 affected a small number of SurfProtect customers, who were initially unable to authenticate users when using our Windows SSO service. This change was linked to the as-yet undisclosed vulnerability CVE-2022-37966, which is mitigated &#8230; <a title=\"Kerberos from RC4 to AES\" class=\"read-more\" href=\"https:\/\/edit.exa.net.uk\/knowledge-hub\/technical\/kerberos-from-rc4-to-aes\/\" aria-label=\"Read more about Kerberos from RC4 to AES\">Read more<\/a><\/p>\n","protected":false},"author":4,"featured_media":22928,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"elementor_header_footer","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[73],"tags":[29],"class_list":["post-15943","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technical","tag-11-min-read"],"_links":{"self":[{"href":"https:\/\/edit.exa.net.uk\/wp-json\/wp\/v2\/posts\/15943","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/edit.exa.net.uk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/edit.exa.net.uk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/edit.exa.net.uk\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/edit.exa.net.uk\/wp-json\/wp\/v2\/comments?post=15943"}],"version-history":[{"count":1,"href":"https:\/\/edit.exa.net.uk\/wp-json\/wp\/v2\/posts\/15943\/revisions"}],"predecessor-version":[{"id":22927,"href":"https:\/\/edit.exa.net.uk\/wp-json\/wp\/v2\/posts\/15943\/revisions\/22927"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/edit.exa.net.uk\/wp-json\/wp\/v2\/media\/22928"}],"wp:attachment":[{"href":"https:\/\/edit.exa.net.uk\/wp-json\/wp\/v2\/media?parent=15943"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/edit.exa.net.uk\/wp-json\/wp\/v2\/categories?post=15943"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/edit.exa.net.uk\/wp-json\/wp\/v2\/tags?post=15943"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}