Kerberos Armoring is the Microsoft’s implementation of Flexible Authentication via Secure Tunneling Extensible Authentication Protocol Method (EAP-FAST) standard, is part of the framework for Kerberos Pre-authentication described in RFC4581 and RFC6113.
This article outlines the detail steps for how to deploy Kerberos armoring EAP-FAST in the Active Directory environments.
Content Summary
Requirements
Enable Kerberos armoring on domain member
Enable Kerberos armoring on domain controller
Requirements
- All domain controllers in the same domain need to run at least Windows Server 2012.
- The Active Directory domain needs to run the Windows Server 2012 Domain Functional Level (DFL), or above.
- Devices in scope for FAST need to run Windows 8, or above.
Enable Kerberos armoring on domain member
Step 1: Sign in interactively to a domain-joined Windows-based host that has the Group Policy Management feature installed.
Step 2: Open the Group Policy Management Console (gpmc.msc).
Step 3: Expand the Forest node in the left navigation pane.
Step 4: Expand the Domains node.
Step 5: Navigate to the domain where you want to enable Kerberos armoring feature.
Step 6: Expand the domain name.
Step 7: Right-click the Group Policy Objects node.
Step 8: Select the New option from the context menu.
Step 9: In the New GPO pop-up window, fill in the Name field for the GPO.
Note: Make sure that you don’t select the source starter GPO.
Step 10: Click on the OK button to create the GPO.
Step 11: Right-click the newly created GPO in the left navigation pane.
Step 12: Select the Edit… option from the context menu to open the Group Policy Management Editor window.
Step 13: In the left navigation pane of the Group Policy Management Editor window, expand the Computer Configuration > Administrative Templates > System > Kerberos.
Step 14: Double-click the Kerberos client support for claims, compound authentication and Kerberos armoring policy setting in the main pane.
Step 15: Select the Enabled option.
Step 16: Click on the OK button to save the setting.
Step 17: Close the Group Policy Management Editor window.
Step 18: Right-click the organizational unit (OU) that contains domain-joined devices and/or domain-joined servers in the Group Policy Management window.
Step 19: Select the Link an Existing GPO… from the context menu.
Step 20: Select the previously created GPO from the Group Policy objects list in the Select GPO window.
Step 21: Click on the OK button to link the GPO.
Step 22: Repeat these last four steps to apply the Group Policy object to all OUs with domain-joined hosts.
Enable Kerberos armoring on domain controller
Step 1: Sign in interactively to a domain-joined Windows-based host that has the Group Policy Management feature installed.
Step 2: Open the Group Policy Management Console (gpmc.msc).
Step 3: Expand the Forest node in the left navigation pane.
Step 4: Expand the Domains node.
Step 5: Navigate to the domain where you want to enable Kerberos armoring feature.
Step 6: Expand the domain name.
Step 7: Right-click the Group Policy Objects node.
Step 8: Select the New option from the context menu.
Step 9: In the New GPO pop-up window, fill in the Name field for the GPO.
Note: Make sure that you don’t select the source starter GPO.
Step 10: Click on the OK button to create the GPO.
Step 11: Right-click the newly created GPO in the left navigation pane.
Step 12: Select the Edit… option from the context menu to open the Group Policy Management Editor window.
Step 13: In the left navigation pane of the Group Policy Management Editor window, expand the Computer Configuration > Administrative Templates > System > KDC.
Step 14: Double-click the KDC support for claims, compound authentication and Kerberos armoring policy setting in the main pane.
Step 15: Select the Enabled option.
Step 16: Select the Fail unarmored authentication requests option from the drop-down list.
Step 17: Click on the OK button to save the setting.
Step 18: Double-click the Fail authentication requests when Kerberos armoring is not available policy setting in the main pane.
Step 19: Select the Enabled option.
Step 20: Click on the OK button to save the setting.
Step 18: Close the Group Policy Management Editor window.
Step 19: Right-click the Domain Controllers organizational unit (OU) in the Group Policy Management window.
Step 20: Select the Link an Existing GPO… from the context menu.
Step 21: Select the previously created GPO from the Group Policy objects list in the Select GPO window.
Step 22: Click on the OK button to link the GPO.
