Part 1: Enforcing PAC Validation via Kerberos Armoring (FAST)
Kerberos Armoring (also known as FAST – Flexible Authentication Secure Tunneling) enhances the security of Kerberos authentication. It ensures that sensitive metadata like the Privilege Attribute Certificate (PAC) is encrypted and validated, effectively mitigating attacks such as Diamond Ticket or forged PAC abuse.
Requirements
- Domain Controllers must run Windows Server 2012 or later.
- Clients must be Windows 8 or Server 2012 or later.
- Recommended domain functional level: Windows Server 2012 or higher.
Step 1: Configure Domain Controllers via Group Policy
Create or edit a GPO linked to the "Domain Controllers" Organizational Unit.
Navigate to:
Computer Configuration → Policies → Administrative Templates → System → KDC
Set the following:
- KDC support for claims, compound authentication, and Kerberos armoring: Enabled
- Value: Always provide claims and compound authentication
- KDC support for Kerberos armoring: Enabled
- Value: Supported (or Required in the final phase)
Note: Do not set this to "Required" initially unless you are certain all clients support it.
Step 2: Enable FAST Support on Clients
Create or update a GPO applied to domain-joined clients and member servers.
Navigate to:
Computer Configuration → Policies → Administrative Templates → System → Kerberos
Set:
- Support for claims, compound authentication, and Kerberos armoring: Enabled
This allows the client to participate in FAST and consume compound authentication and claims.
Step 3: Apply GPO and Reboot
After applying both policies, either reboot the systems or run gpupdate /force on both domain controllers and clients so the new settings take effect.
Part 2: Auditing Systems for FAST and PAC Validation Compatibility
Step 1: Enable Kerberos Logging on Domain Controllers
In Group Policy, enable the following settings:
Navigate to:
Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Audit Policies → Logon/Logoff
Enable:
- Audit Kerberos Authentication Service: Success, Failure
- Audit Kerberos Service Ticket Operations: Success, Failure
- Audit Logon: Success, Failure
- Audit Special Logon: Success
This ensures Kerberos events are logged for analysis.
Step 2: Identify Legacy or Incompatible Systems
Analyze these Event IDs:
- 4768: TGT requests (look for anomalies or failures)
- 4769: Service ticket requests (look for RC4 encryption or missing fields)
- 4771: Pre-authentication failures (may indicate incompatible clients)
- 4624: Logon success (Logon Type 3 from legacy systems)
- 4625: Logon failures
Legacy or broken implementations may request tickets using RC4 or trigger frequent failures.
Step 3: Query Logs for RC4 Usage
Run the following PowerShell on a domain controller:
This lists all Kerberos service ticket requests using legacy RC4 encryption, which may indicate outdated systems.
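The page's own script is not reproduced here; the following is an added example, not the original author's code. It reads 4769 events from the Security log on a domain controller and keeps those whose TicketEncryptionType is 0x17 (the Windows audit code for RC4-HMAC), then groups the hits by requesting client address. The $Days window is an assumed value you can adjust.

```powershell
# Added example: find 4769 (service ticket) events issued with RC4-HMAC.
# Run on a domain controller with rights to read the Security log.
$Days  = 7                                  # assumed search window
$Start = (Get-Date).AddDays(-$Days)

# Pull only Event ID 4769 from the Security log within the window.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4769
    StartTime = $Start
} -ErrorAction SilentlyContinue

$rc4 = foreach ($e in $events) {
    # The named fields are only reliably exposed through the event's XML.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # Ticket encryption type codes in the audit record:
    # 0x17 = RC4-HMAC, 0x11 = AES128-CTS-HMAC-SHA1-96, 0x12 = AES256-CTS-HMAC-SHA1-96
    if ($data['TicketEncryptionType'] -eq '0x17') {
        [pscustomobject]@{
            Time     = $e.TimeCreated
            Account  = $data['TargetUserName']
            Service  = $data['ServiceName']
            ClientIP = $data['IpAddress']
            EncType  = $data['TicketEncryptionType']
            Status   = $data['Status']
        }
    }
}

# Group by requesting address so the hosts still negotiating RC4 stand out.
$rc4 | Group-Object ClientIP | Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Services'; e = { ($_.Group.Service | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize
```

Note that TicketEncryptionType reflects the key of the service account the ticket was issued for, so an RC4 hit can also point at a service account that has no AES keys (for example, a password last set before AES was enabled) rather than at an outdated client. Check both the ClientIP and the Service column before deciding which system needs attention.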
Part 3: Handling Incompatible Systems
Option 1: Update Systems
Upgrade the affected services, clients, or middleware to a version that supports Kerberos Armoring and PAC validation.
Option 2: Isolate Legacy Systems
Move legacy systems into a separate OU and exclude them from the GPO that enforces FAST and claims. Monitor them more aggressively.
Option 3: Conditional Rollout
Instead of enforcing FAST globally, apply it only to sensitive services or pilot groups until all systems are verified compatible.
Part 4: Phased Rollout Plan
| Phase | Action |
|---|---|
| Phase 1 | Enable audit policies and log Kerberos events |
| Phase 2 | Deploy FAST-support GPO to pilot OU (clients and DCs) |
| Phase 3 | Audit tickets for RC4 usage and compatibility |
| Phase 4 | Expand GPO coverage to all modern systems |
| Phase 5 | Segregate or replace non-compliant systems |
| Phase 6 | Change KDC policy to "Require FAST" for full enforcement |