Foreword
Kerberos Armoring is a security enhancement introduced by Microsoft in its implementation of the Kerberos authentication protocol, designed to strengthen resilience and defend against various types of attacks. This feature is commonly associated with the Flexible Authentication Secure Tunneling (FAST) mechanism, which adds an extra layer of security to the authentication process.
The primary goal of Kerberos Armoring is to mitigate weaknesses in the Kerberos protocol that could be exploited by attackers to tamper with authentication processes or capture sensitive data. It helps protect against threats such as:
- Offline password brute-force attacks
- Man-in-the-middle (MITM) attacks
- Manipulation of ticket-granting tickets (TGTs)
- Replay attacks
By adding this protective layer, Kerberos Armoring enhances both the integrity and confidentiality of communications within the Kerberos framework.
Prerequisites
- Active Directory Domain
- Windows Server 2012 or higher
Configure GPO
First, we open Group Policy Management and create a new GPO in the “Group Policy Objects” folder.
You can choose any name you like. In my case, I’m using “C_Kerberos_Armoring”.
Right-click on the newly created GPO and select “Edit…”.
Navigate to: Computer Configuration -> Policies -> Administrative Templates -> System -> Kerberos
Look for “Kerberos client support for claims, compound authentication and Kerberos armoring”.
Open it and enable it. Click on OK.
Navigate to: Computer Configuration -> Policies -> Administrative Templates -> System -> KDC
Look for “KDC support for claims, compound authentication and Kerberos armoring”.
Open it and enable it. Select “Supported” in the drop-down menu. Click on OK.
Now we need to link the new GPO to the domain.
Right-click on your domain at the top and select “Link to existing GPO…”.
Select your new GPO for Kerberos Armoring.
The GPO is now linked. That’s it.
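The same GPO built and linked from PowerShell, added here as an example that is not part of the original walkthrough. It assumes the RSAT GroupPolicy and ActiveDirectory modules are available on the machine you run it from, and the registry key paths, value names and the CbacAndArmorLevel numbering are taken from the Kerberos and KDC ADMX templates rather than from this page, so verify them against your own templates before relying on them.

```powershell
# Added example (not the original article's code): create, populate and link the
# Kerberos Armoring GPO described above, then read back what it contains.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName   = 'C_Kerberos_Armoring'
$DomainDN  = (Get-ADDomain).DistinguishedName
# Registry locations written by the two ADMX policies (assumed from Kerberos.admx / KDC.admx)
$ClientKey = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
$KdcKey    = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters'

# 1. Create the GPO in "Group Policy Objects"; reuse it if it already exists
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Kerberos client and KDC armoring (FAST)'
}

# 2. "Kerberos client support for claims, compound authentication and Kerberos armoring" = Enabled
Set-GPRegistryValue -Name $GpoName -Key $ClientKey -ValueName 'EnableCbacAndArmor' `
    -Type DWord -Value 1 | Out-Null

# 3. "KDC support for claims, compound authentication and Kerberos armoring" = Enabled,
#    drop-down set to "Supported". Assumed CbacAndArmorLevel mapping: 0 = Not supported,
#    1 = Supported, 2 = Always provide claims, 3 = Fail unarmored authentication requests.
Set-GPRegistryValue -Name $GpoName -Key $KdcKey -ValueName 'EnableCbacAndArmor' `
    -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $KdcKey -ValueName 'CbacAndArmorLevel' `
    -Type DWord -Value 1 | Out-Null

# 4. Link the GPO to the domain root (the "Link to existing GPO" step), once only
$alreadyLinked = (Get-GPInheritance -Target $DomainDN).GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName }
if (-not $alreadyLinked) {
    New-GPLink -Name $GpoName -Target $DomainDN -LinkEnabled Yes | Out-Null
}

# 5. Show the registry policy values the GPO now carries, for review before clients refresh
foreach ($key in $ClientKey, $KdcKey) {
    Get-GPRegistryValue -Name $GpoName -Key $key |
        Select-Object @{ n = 'Key'; e = { $key } }, ValueName, Value
}
```

Domain controllers and clients pick the setting up at the next Group Policy refresh (gpupdate /force to trigger it). With the KDC at "Supported", unarmored requests are still accepted; the stricter "Fail unarmored authentication requests" option only belongs after every client in the domain is confirmed to support armoring.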