Skip to Content

Solved: How do I enable Kerberos armoring EAP-FAST in AD environment?

Kerberos Armoring is the Microsoft’s implementation of Flexible Authentication via Secure Tunneling Extensible Authentication Protocol Method (EAP-FAST) standard, is part of the framework for Kerberos Pre-authentication described in RFC4581 and RFC6113.

This article outlines the detail steps for how to deploy Kerberos armoring EAP-FAST in the Active Directory environments.

Content Summary

Requirements
Enable Kerberos armoring on domain member
Enable Kerberos armoring on domain controller

Requirements

  • All domain controllers in the same domain need to run at least Windows Server 2012.
  • The Active Directory domain needs to run the Windows Server 2012 Domain Functional Level (DFL), or above.
  • Devices in scope for FAST need to run Windows 8, or above.

Enable Kerberos armoring on domain member

Step 1: Sign in interactively to a domain-joined Windows-based host that has the Group Policy Management feature installed.

Step 2: Open the Group Policy Management Console (gpmc.msc).

Step 3: Expand the Forest node in the left navigation pane.

Step 4: Expand the Domains node.

Step 5: Navigate to the domain where you want to enable Kerberos armoring feature.

Step 6: Expand the domain name.

Step 7: Right-click the Group Policy Objects node.

Step 8: Select the New option from the context menu.

Step 9: In the New GPO pop-up window, fill in the Name field for the GPO.

Note: Make sure that you don’t select the source starter GPO.

Step 10: Click on the OK button to create the GPO.

Step 11: Right-click the newly created GPO in the left navigation pane.

Step 12: Select the Edit… option from the context menu to open the Group Policy Management Editor window.

Step 13: In the left navigation pane of the Group Policy Management Editor window, expand the Computer Configuration > Administrative Templates > System > Kerberos.

Step 14: Double-click the Kerberos client support for claims, compound authentication and Kerberos armoring policy setting in the main pane.

Step 15: Select the Enabled option.

Double-click the Kerberos client support for claims, compound authentication and Kerberos armoring policy setting in the main pane.  Select the Enabled option.

Step 16: Click on the OK button to save the setting.

Step 17: Close the Group Policy Management Editor window.

Step 18: Right-click the organizational unit (OU) that contains domain-joined devices and/or domain-joined servers in the Group Policy Management window.

Step 19: Select the Link an Existing GPO… from the context menu.

Step 20: Select the previously created GPO from the Group Policy objects list in the Select GPO window.

Step 21: Click on the OK button to link the GPO.

Step 22: Repeat these last four steps to apply the Group Policy object to all OUs with domain-joined hosts.

Enable Kerberos armoring on domain controller

Step 1: Sign in interactively to a domain-joined Windows-based host that has the Group Policy Management feature installed.

Step 2: Open the Group Policy Management Console (gpmc.msc).

Step 3: Expand the Forest node in the left navigation pane.

Step 4: Expand the Domains node.

Step 5: Navigate to the domain where you want to enable Kerberos armoring feature.

Step 6: Expand the domain name.

Step 7: Right-click the Group Policy Objects node.

Step 8: Select the New option from the context menu.

Step 9: In the New GPO pop-up window, fill in the Name field for the GPO.

Note: Make sure that you don’t select the source starter GPO.

Step 10: Click on the OK button to create the GPO.

Step 11: Right-click the newly created GPO in the left navigation pane.

Step 12: Select the Edit… option from the context menu to open the Group Policy Management Editor window.

Step 13: In the left navigation pane of the Group Policy Management Editor window, expand the Computer Configuration > Administrative Templates > System > KDC.

Step 14: Double-click the KDC support for claims, compound authentication and Kerberos armoring policy setting in the main pane.

Step 15: Select the Enabled option.

Step 16: Select the Fail unarmored authentication requests option from the drop-down list.

Step 17: Click on the OK button to save the setting.

Double-click the KDC support for claims, compound authentication and Kerberos armoring policy setting in the main pane. Select the Enabled option. Select the Fail unarmored authentication requests option from the drop-down list. Click on the OK button to save the setting.

Step 18: Double-click the Fail authentication requests when Kerberos armoring is not available policy setting in the main pane.

Step 19: Select the Enabled option.

Step 20: Click on the OK button to save the setting.

Step 18: Close the Group Policy Management Editor window.

Step 19: Right-click the Domain Controllers organizational unit (OU) in the Group Policy Management window.

Step 20: Select the Link an Existing GPO… from the context menu.

Step 21: Select the previously created GPO from the Group Policy objects list in the Select GPO window.

Step 22: Click on the OK button to link the GPO.

Tags

Tags

    Ads Blocker Image Powered by Code Help Pro

    Ads Blocker Detected!!!

    This site depends on revenue from ad impressions to survive. If you find this site valuable, please consider disabling your ad blocker.