Search This Blog

Showing posts with label kerberos armoring. Show all posts
Showing posts with label kerberos armoring. Show all posts

Sep 16, 2022

What's Kerberos Armoring (FAST)

Kerberos Armoring (FAST) described in a sentence:

It provides more secure channel by using TGT session key that the device shares with DC to encrypt/sign subsequent (user) Kerberos pre-auth data 

This also prevents attacker from forcing Kerberos authentication to fall back to NTLM (by preventing attacker from spoofing Kerberos error (because now legit errors are signed with the session key))

FAST is required for Compound Authentication and Dynamic Control Access.


BTW, DCA is a different set of authorization method (claim-based) than traditional DACL. This is possible because AD embeds claims in Kerberos ticket when DCA is enabled. Prior to this, a resource partner can only read SIDs out of Kerberos ticket. Without DCA, if you want to use claims, you have to install ADFS.

Of course, claim support within Kerberos is very basic and limited and mainly for DCA. For any other claim-aware app support, a full ADFS is called for.