The things that are better left unspoken

a blog by Sander Berkouwer

New features in Active Directory Domain Services in Windows Server 2012, Part 11: Kerberos Armoring (FAST)

A whole new security feature in Active Directory Domain Services in Windows Server 2012 goes by the name Flexible Authentication Secure Tunneling (FAST). This new feature solves common security problems with Kerberos and also makes sure clients do not fall back to less secure legacy protocols or weaker cryptographic methods.

Note:
Sometimes, this feature is referred to as Kerberos Armoring, but Flexible Authentication Secure Tunneling (FAST) is its official name, defined in RFC 6113 (April 2011).


What’s New

Flexible Authentication Secure Tunneling (FAST) is part of the framework for Kerberos Pre-authentication. FAST provides a protected channel between the client and the Key Distribution Center (KDC), and it can optionally deliver key material used to strengthen the reply key within the protected channel. With FAST in place, it is relatively straightforward to chain multiple authentication mechanisms, utilize a different key management system, or support a new key agreement algorithm.

With FAST enabled and required, brute forcing the reply key is no longer possible and the highest possible cryptographic protocols and cipher strengths are guaranteed to be used by Windows 8 clients in their pre-authentication traffic with Windows Server 2012 Domain Controllers.

Requiring FAST also enables the Compound Authentication functionality in Dynamic Access Control (DAC), which allows authorization based on the combination of user claims and device claims.


Enabling FAST

Enabling Flexible Authentication Secure Tunneling (FAST) is done through Group Policy, once you fulfill the requirements listed in the Requirements section below.

The Group Policy you need for this is located in Computer Configuration, Administrative Templates, System, KDC and is named KDC support for claims, compound authentication and Kerberos armoring:

Screenshot: Enabling Kerberos Armoring in Group Policy

This Group Policy supports four possible settings after you enable it:

  • Supported
  • Not supported
  • Always provide claims
  • Fail unarmored authentication requests

When you choose the ‘Supported’ setting and link the Group Policy to the Domain Controllers Organizational Unit (OU), it’s time to enable Flexible Authentication Secure Tunneling (FAST) on the Windows 8 clients.

In the Group Policy Management Console (GPMC), assign a Group Policy object to the Organizational Unit(s) containing your domain-joined Windows 8 computers. Open the Group Policy object and navigate to Computer Configuration, Administrative Templates, System, Kerberos. Here, enable the Kerberos client support for claims, compound authentication and Kerberos armoring Group Policy:

Screenshot: Kerberos client support for claims, compound authentication and Kerberos armoring in Group Policy

You will have Flexible Authentication Secure Tunneling (FAST) on your network between domain-joined Windows 8 clients and Windows Server 2012-based Domain Controllers after the next Group Policy refresh cycle.


Requiring FAST

Requiring Flexible Authentication Secure Tunneling is the next step. You will still use the Group Policy Management Console (GPMC) as your tool of choice, because a couple more Group Policies need to be configured.

Assign a Group Policy object to the Domain Controllers Organizational Unit (OU) and within the Group Policy object, again, navigate to Computer Configuration, Administrative Templates, System, Kerberos. Here, enable the Fail authentication requests when Kerberos armoring is not available Group Policy.

Screenshot: Fail authentication requests when Kerberos armoring is not available in Group Policy

Lastly, the above mentioned Group Policy KDC support for claims, compound authentication and Kerberos armoring, located in Computer Configuration, Administrative Templates, System, KDC needs to be configured with the Fail unarmored authentication requests setting.
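To verify on a Domain Controller or a Windows 8 client what the Group Policies from the Enabling FAST and Requiring FAST sections actually delivered after the refresh cycle, the following PowerShell reads the policy-backed registry values and reports whether armoring is supported or required. This is an added example and not code from the original post. The registry paths, the value names (EnableCbacAndArmor, CbacAndArmorLevel, ClientRequireFast) and the mapping of CbacAndArmorLevel to the four KDC settings are assumptions based on the KDC and Kerberos administrative templates; verify them against the ADMX files in your environment before relying on the output.

```powershell
# Added example (not from the original post): report the Kerberos armoring
# (FAST) posture of the local machine from the policy-backed registry values.
# ASSUMPTION: these paths and value names are what the Group Policies
# 'KDC support for claims, compound authentication and Kerberos armoring',
# 'Kerberos client support for claims, compound authentication and Kerberos armoring'
# and 'Fail authentication requests when Kerberos armoring is not available' write.
$KdcKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters'
$KerbKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent, i.e. the policy is not configured.
    try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Get-FastPosture {
    # ASSUMPTION: CbacAndArmorLevel maps to the four settings of the KDC policy.
    $kdcLevels = @{ 0 = 'Not supported'; 1 = 'Supported'
                    2 = 'Always provide claims'; 3 = 'Fail unarmored authentication requests' }

    # KDC side (only meaningful on a Domain Controller)
    $kdcEnabled = Get-PolicyValue -Path $KdcKey -Name 'EnableCbacAndArmor'
    $kdcLevel   = Get-PolicyValue -Path $KdcKey -Name 'CbacAndArmorLevel'

    # Kerberos client side (Windows 8 clients, and DCs acting as Kerberos clients)
    $clientEnabled = Get-PolicyValue -Path $KerbKey -Name 'EnableCbacAndArmor'
    $clientRequire = Get-PolicyValue -Path $KerbKey -Name 'ClientRequireFast'

    $kdcSetting = if ($kdcEnabled -eq 1 -and $null -ne $kdcLevel -and $kdcLevels.ContainsKey([int]$kdcLevel)) {
        $kdcLevels[[int]$kdcLevel]
    } else { 'Not configured' }

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        # DomainRole 4 = backup DC, 5 = primary DC
        IsDomainController     = ((Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4)
        KdcArmoringSetting     = $kdcSetting
        KdcArmoringSupported   = ($kdcEnabled -eq 1 -and $kdcLevel -ge 1)
        KdcArmoringRequired    = ($kdcEnabled -eq 1 -and $kdcLevel -eq 3)
        ClientArmoringEnabled  = ($clientEnabled -eq 1)
        ClientArmoringRequired = ($clientRequire -eq 1)
    }
}

$posture = Get-FastPosture
$posture | Format-List

# Flag half-configured states: requiring armoring on one side while the
# other side does not even support it leads to failed authentications.
if ($posture.ClientArmoringRequired -and -not $posture.ClientArmoringEnabled) {
    Write-Warning 'Armoring is required on the Kerberos client but client support is not enabled.'
}
if ($posture.IsDomainController -and $posture.KdcArmoringRequired -and -not $posture.ClientArmoringRequired) {
    Write-Warning 'The KDC fails unarmored requests, but this DC does not require armoring as a Kerberos client.'
}
```

Run it after gpupdate /force on a Domain Controller and on a Windows 8 client; a DC that has received both Requiring FAST policies should report KdcArmoringRequired and ClientArmoringRequired as True, while a client from the Enabling FAST section reports only ClientArmoringEnabled as True.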


Requirements

Flexible Authentication Secure Tunneling can be enabled in an Active Directory environment when:

  • Sufficient Domain Controllers are running Windows Server 2012, with sufficient processing power (to additionally encrypt Kerberos messages and sign Kerberos errors on top of the baseline processing needs) and network capacity (to handle the additional message exchange and the larger Kerberos service tickets on top of the baseline networking needs).

    Note:
    When FAST is enabled, Windows 8 clients will only communicate with Windows Server 2012 Domain Controllers. This might create a pile-on effect on those Domain Controllers. Therefore, ensure you have sufficient Windows Server 2012 Domain Controllers in each site, so that authentication traffic does not have to cross Active Directory site links.

  • The environment no longer contains Domain Controllers running Windows Server 2003. Supported Domain Controller operating systems include Windows Server 2008, Windows Server 2008 R2 and Windows Server 2012.
  • Clients are running Windows 8.

Flexible Authentication Secure Tunneling can be required in an Active Directory environment when:

  • All Domain Controllers in domains the client uses (including transited referral domains) are running Windows Server 2012.
  • All domains the client uses are running the Windows Server 2012 Domain Functional Level (DFL).
  • Clients are running Windows 8.
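Checking the requirements above by hand across every site and domain is error-prone, so the following PowerShell gathers the relevant facts from Active Directory and reports whether FAST can be enabled and whether it can be required in a domain. It is an added example, not code from the original post. It assumes the RSAT ActiveDirectory module is installed, that the running account can read Domain Controller and domain properties, and that the 2012 Domain Functional Level is reported as Windows2012Domain in the DomainMode property; transited referral domains are covered by running the function against each of them.

```powershell
# Added example (not from the original post): check the FAST requirements
# listed above before enabling or requiring it in a domain. Needs the RSAT
# ActiveDirectory module and an account allowed to read DC and domain data.
Import-Module ActiveDirectory

function Test-FastReadiness {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $domainInfo = Get-ADDomain -Identity $Domain
    $dcs = @(Get-ADDomainController -Filter * -Server $Domain |
             Select-Object Name, Site, OperatingSystem)

    # Enabling FAST: no Windows Server 2003 DCs may remain.
    $legacyDcs = @($dcs | Where-Object { $_.OperatingSystem -like '*2003*' })

    # Requiring FAST: every DC the client may use runs Windows Server 2012 and
    # the domain is at the Windows Server 2012 DFL. Transited referral domains
    # must be checked separately by running this function against each of them.
    $dcs2012    = @($dcs | Where-Object { $_.OperatingSystem -like '*2012*' })
    $non2012Dcs = @($dcs | Where-Object { $_.OperatingSystem -notlike '*2012*' })
    # ASSUMPTION: DomainMode is reported as Windows2012Domain for the 2012 DFL.
    $dfl2012 = ("$($domainInfo.DomainMode)" -eq 'Windows2012Domain')

    # Pile-on effect: FAST-enabled Windows 8 clients only talk to 2012 DCs, so
    # count them per site to see where authentication would cross site links.
    $perSite = $dcs | Group-Object Site | ForEach-Object {
        $n2012 = @($_.Group | Where-Object { $_.OperatingSystem -like '*2012*' }).Count
        "$($_.Name): $n2012 of $($_.Count) DCs on Windows Server 2012"
    }

    # Only Windows 8 clients armor their pre-authentication traffic.
    $win8 = @(Get-ADComputer -Server $Domain -Filter 'OperatingSystem -like "Windows 8*"').Count

    [pscustomobject]@{
        Domain            = $Domain
        DomainMode        = $domainInfo.DomainMode
        DomainControllers = $dcs.Count
        LegacyDCs         = ($legacyDcs | ForEach-Object Name) -join ', '
        Non2012DCs        = ($non2012Dcs | ForEach-Object Name) -join ', '
        DcsPerSite        = $perSite -join '; '
        Windows8Clients   = $win8
        CanEnableFast     = ($legacyDcs.Count -eq 0 -and $dcs2012.Count -gt 0)
        CanRequireFast    = ($non2012Dcs.Count -eq 0 -and $dfl2012)
    }
}

Test-FastReadiness | Format-List
```

A site that shows zero Windows Server 2012 Domain Controllers in DcsPerSite is exactly the situation the Note above warns about: Windows 8 clients in that site will authenticate across a site link once FAST is enabled. CanRequireFast only reflects the domain it was run against, so run it for every domain the clients use before configuring the Fail unarmored authentication requests setting.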


Concluding

Flexible Authentication Secure Tunneling (FAST) solves a couple of security issues in real-world Kerberos environments. Also, it is the basis for Compound authentication in Dynamic Access Control, a new feature in Active Directory Domain Services coming up soon!

Further reading

What's New in Kerberos Authentication   
What is Flexible Authentication Secure Tunnel (FAST) in Windows Server 2012 
Windows Server 8: Kerberos Armoring for Domain Controllers
Upgrade Domain Controllers to Windows Server 2012

Posted: Wednesday, September 05, 2012 5:02 PM by Sander Berkouwer

Comments

The things that are better left unspoken said:

Claims within Dynamic Access Control can be based on any attribute of a user account. Claims can also be based on attributes of computer accounts, but this requires Kerberos Armoring (FAST). When user claims and device claims are combined, this forms the Compound Identity (Compound ID).
# September 24, 2012 8:30 AM

MartinJ said:

Hi there,

And thanks for the post.

You write, that Kerberos Armoring and FAST are the same thing.

But on http://technet.microsoft.com/en-us/library/hh831747.aspx it seems to make a distinction.

In the table, that lists the four configurations, that are available in "KDC support for claims, compound authentication, and Kerberos armoring", it says that:

If set to "Supported": "Kerberos armoring supported"

If set to "Always provide claims": "Kerberos armoring supported and Flexible Authentication via Secure Tunneling (RFC FAST) behavior supported"

Is there a difference?

# March 5, 2014 3:25 PM

Sander Berkouwer said:

Thank you for your question.

There is a difference.

EAP-FAST is the authentication method described in RFC 4581.
Kerberos Armoring is Microsoft's implementation of this standard.

To help admins adopt the security advantages of Kerberos Armoring, Microsoft allows for three distinct types of implementations:

  • Supported
  • Always provide claims
  • Fail unarmored authentication requests

Only the third implementation adheres to the way EAP-FAST is described in RFC 4581. Technically, only the third way of implementing Kerberos Armoring may be labeled FAST.

# March 9, 2014 11:14 AM