Kerberos Armoring is the Microsoft’s implementation of Flexible Authentication via Secure Tunneling Extensible Authentication Protocol Method (EAP-FAST) standard, is part of the framework for Kerberos Pre-authentication described in RFC4581 and RFC6113.
This article outlines the detail steps for how to deploy Kerberos armoring EAP-FAST in the Active Directory environments.
Content Summary
Table of Contents
Requirements
Enable Kerberos armoring on domain member
Enable Kerberos armoring on domain controller
Requirements
- All domain controllers in the same domain need to run at least Windows Server 2012.
- The Active Directory domain needs to run the Windows Server 2012 Domain Functional Level (DFL), or above.
- Devices in scope for FAST need to run Windows 8, or above.
Enable Kerberos armoring on domain member
Step 1: Sign in interactively to a domain-joined Windows-based host that has the Group Policy Management feature installed.
Step 2: Open the Group Policy Management Console (gpmc.msc).
Step 3: Expand the Forest node in the left navigation pane.
Step 4: Expand the Domains node.
Step 5: Navigate to the domain where you want to enable Kerberos armoring feature.
Step 6: Expand the domain name.
Step 7: Right-click the Group Policy Objects node.
Step 8: Select the New option from the context menu.
Step 9: In the New GPO pop-up window, fill in the Name field for the GPO.
Note: Make sure that you don’t select the source starter GPO.
Step 10: Click on the OK button to create the GPO.
Step 11: Right-click the newly created GPO in the left navigation pane.
Step 12: Select the Edit… option from the context menu to open the Group Policy Management Editor window.
Step 13: In the left navigation pane of the Group Policy Management Editor window, expand the Computer Configuration > Administrative Templates > System > Kerberos.
Step 14: Double-click the Kerberos client support for claims, compound authentication and Kerberos armoring policy setting in the main pane.
Step 15: Select the Enabled option.
Step 16: Click on the OK button to save the setting.
Step 17: Close the Group Policy Management Editor window.
Step 18: Right-click the organizational unit (OU) that contains domain-joined devices and/or domain-joined servers in the Group Policy Management window.
Step 19: Select the Link an Existing GPO… from the context menu.
Step 20: Select the previously created GPO from the Group Policy objects list in the Select GPO window.
Step 21: Click on the OK button to link the GPO.
Step 22: Repeat these last four steps to apply the Group Policy object to all OUs with domain-joined hosts.
Enable Kerberos armoring on domain controller
Step 1: Sign in interactively to a domain-joined Windows-based host that has the Group Policy Management feature installed.
Step 2: Open the Group Policy Management Console (gpmc.msc).
Step 3: Expand the Forest node in the left navigation pane.
Step 4: Expand the Domains node.
Step 5: Navigate to the domain where you want to enable Kerberos armoring feature.
Step 6: Expand the domain name.
Step 7: Right-click the Group Policy Objects node.
Step 8: Select the New option from the context menu.
Step 9: In the New GPO pop-up window, fill in the Name field for the GPO.
Note: Make sure that you don’t select the source starter GPO.
Step 10: Click on the OK button to create the GPO.
Step 11: Right-click the newly created GPO in the left navigation pane.
Step 12: Select the Edit… option from the context menu to open the Group Policy Management Editor window.
Step 13: In the left navigation pane of the Group Policy Management Editor window, expand the Computer Configuration > Administrative Templates > System > KDC.
Step 14: Double-click the KDC support for claims, compound authentication and Kerberos armoring policy setting in the main pane.
Step 15: Select the Enabled option.
Step 16: Select the Fail unarmored authentication requests option from the drop-down list.
Step 17: Click on the OK button to save the setting.
Step 18: Double-click the Fail authentication requests when Kerberos armoring is not available policy setting in the main pane.
Step 19: Select the Enabled option.
Step 20: Click on the OK button to save the setting.
Step 18: Close the Group Policy Management Editor window.
Step 19: Right-click the Domain Controllers organizational unit (OU) in the Group Policy Management window.
Step 20: Select the Link an Existing GPO… from the context menu.
Step 21: Select the previously created GPO from the Group Policy objects list in the Select GPO window.
Step 22: Click on the OK button to link the GPO.
Alex Lim
Alex Lim is a certified IT Technical Support Architect with over 15 years of experience in designing, implementing, and troubleshooting complex IT systems and networks. He has worked for leading IT companies, such as Microsoft, IBM, and Cisco, providing technical support and solutions to clients across various industries and sectors. Alex has a bachelor’s degree in computer science from the National University of Singapore and a master’s degree in information security from the Massachusetts Institute of Technology. He is also the author of several best-selling books on IT technical support, such as The IT Technical Support Handbook and Troubleshooting IT Systems and Networks. Alex lives in Bandar, Johore, Malaysia with his wife and two chilrdren. You can reach him at [email protected] or follow him on Website | Twitter | Facebook
