Kerberos FAST (Armoring) : Strengthening Active Directory Authentication
27 October 2025
Kerberos FAST / Armoring — Understand Before Enabling
Kerberos lies at the heart of authentication in Active Directory.
It’s fast, robust, and everywhere, but some parts of the protocol remain exploitable — especially the pre-authentication phase.
To address these weaknesses, Microsoft introduced Kerberos Armoring, also known as FAST (Flexible Authentication Secure Tunneling), starting with Windows Server 2012 and Windows 8.
The goal is to strengthen the security of the Kerberos protocol, but enabling it should never be done blindly.
Before you turn on FAST, you need to understand how it works, the prerequisites, and above all, the compatibility risks.
What Kerberos Armoring Does
The principle is simple: Kerberos Armoring creates a secure tunnel between the client and the domain controller (KDC).
This tunnel protects the most sensitive phase of the protocol — pre-authentication.
Without FAST, an attacker intercepting Kerberos traffic can perform offline password-cracking attempts.
With FAST enabled, these exchanges are encrypted and encapsulated, making brute-force or dictionary attacks nearly impossible.
Kerberos Armoring also signs KDC error messages, preventing tampering attempts that could force weak re-authentication or fallback to NTLM.
It’s also a foundation for advanced scenarios like claims and compound authentication (user + machine), used in Dynamic Access Control or AD FS.
Prerequisites Before Enabling
Before enabling FAST, you must verify your environment’s compatibility.
This step should never be skipped.
All domain controllers must run Windows Server 2012 or newer.
The domain functional level must be at least Windows Server 2012.
Clients must run Windows 8, 10, 11 or Server 2012+.
Accounts must support AES-128 or AES-256 encryption.
And most importantly: you must know the current state of your Kerberos environment before changing anything.
That means identifying which algorithms are actually in use, which machines are outdated, and how clients behave when they don’t understand FAST.
Enabling Kerberos Armoring without preparation can break authentication on legacy workstations, printers, application servers, or even old domain controllers.
Pre-Deployment Audit
Before touching any GPO, it’s critical to perform a full audit.
The goal is simple: know what you’re dealing with.
Check Supported Encryption Types
Start by verifying the encryption types supported by user accounts:
Get-ADUser -Filter * -Properties msDS-SupportedEncryptionTypes | Select-Object Name, msDS-SupportedEncryptionTypes
For computers:
Get-ADComputer -Filter * -Properties msDS-SupportedEncryptionTypes | Select-Object Name, msDS-SupportedEncryptionTypes
If some accounts show null or low values, they’re still using RC4.
FAST only works correctly with AES.
Fix these accounts before continuing.
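The following PowerShell script is an added example, not part of the original post, that automates the prerequisite checks and the encryption-type audit described above: it verifies the domain functional level and each domain controller's OS version, then decodes msDS-SupportedEncryptionTypes for enabled user and computer accounts and flags those that cannot use AES. It assumes the ActiveDirectory RSAT module and read access to the domain; the function names, the CSV file name and the use of NT version 6.2 as the Server 2012 threshold are my own choices.

```powershell
# Added example: pre-deployment audit for Kerberos FAST (not from the original post).
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

# Bit flags of msDS-SupportedEncryptionTypes as documented in MS-KILE section 2.2.7.
$EncFlags = [ordered]@{
    'DES-CBC-CRC' = 0x1
    'DES-CBC-MD5' = 0x2
    'RC4-HMAC'    = 0x4
    'AES128'      = 0x8
    'AES256'      = 0x10
}
$AesMask = 0x8 -bor 0x10

function Get-EncTypeNames {
    param($Value)
    # A missing or zero attribute means "no explicit setting"; user accounts then
    # fall back to RC4, which is exactly what this audit must surface.
    if (-not $Value) { return 'not set (RC4 by default)' }
    $names = foreach ($f in $EncFlags.GetEnumerator()) { if ($Value -band $f.Value) { $f.Key } }
    return ($names -join ',')
}

function Test-FastDomainPrerequisites {
    # Domain functional level must be Windows Server 2012 or newer.
    $domain  = Get-ADDomain
    $minMode = [int][Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2012Domain
    [PSCustomObject]@{
        Check  = 'Domain functional level'
        Value  = $domain.DomainMode
        Passed = ([int]$domain.DomainMode -ge $minMode)
    }
    # Every domain controller must run Server 2012 (NT 6.2) or newer.
    foreach ($dc in Get-ADDomainController -Filter *) {
        # OperatingSystemVersion looks like "10.0 (17763)"; keep the numeric part only.
        $ver = [version](($dc.OperatingSystemVersion -split ' ')[0])
        [PSCustomObject]@{
            Check  = "DC $($dc.HostName)"
            Value  = "$($dc.OperatingSystem) ($ver)"
            Passed = ($ver -ge [version]'6.2')
        }
    }
}

function Get-AccountEncTypeReport {
    # Enumerate enabled users and computers and decode their supported encryption types.
    $users = Get-ADUser -Filter 'Enabled -eq $true' -Properties msDS-SupportedEncryptionTypes |
        Select-Object Name, @{n = 'Class'; e = { 'user' }}, msDS-SupportedEncryptionTypes
    $computers = Get-ADComputer -Filter 'Enabled -eq $true' -Properties msDS-SupportedEncryptionTypes |
        Select-Object Name, @{n = 'Class'; e = { 'computer' }}, msDS-SupportedEncryptionTypes
    foreach ($a in (@($users) + @($computers))) {
        $raw = $a.'msDS-SupportedEncryptionTypes'
        [PSCustomObject]@{
            Name       = $a.Name
            Class      = $a.Class
            Raw        = $raw
            Decoded    = Get-EncTypeNames $raw
            AesCapable = (([int]$raw -band $AesMask) -ne 0)   # [int]$null is 0, so "not set" is non-AES
        }
    }
}

# Usage: run once before any GPO change and keep the CSV as the audit record.
Test-FastDomainPrerequisites | Format-Table -AutoSize
$report = Get-AccountEncTypeReport
$report | Where-Object { -not $_.AesCapable } | Format-Table Name, Class, Raw, Decoded -AutoSize
$report | Where-Object { -not $_.AesCapable } | Export-Csv .\fast-non-aes-accounts.csv -NoTypeInformation
```

Any row with Passed = False, or any account listed in the CSV, is a blocker: fix it (OS upgrade, functional level raise, or enabling AES on the account followed by a password change so an AES key is actually generated) before moving on to the GPO steps.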
Enable Kerberos Auditing on Domain Controllers
Create a GPO for auditing and enable:
Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Kerberos Service.
Then monitor these event IDs:
4768 (TGT Request)
4769 (Service Ticket Request)
4770 (Ticket Renew)
4771 (Pre-authentication Failure)
These logs help you understand your current authentication flows, identify existing errors, and establish a baseline before and after enabling FAST.
Identify Legacy or Third-Party Systems
Older systems like Windows 7, unpatched Windows Server 2008 R2, certain NAS devices, or network printers don’t support FAST.
Locate them in your inventory, or they’ll be blocked the moment you enable strict mode.
Test on a Pilot Group
Create a test GPO with Supported mode and apply it to a small pilot group.
Observe the behavior of machines and accounts involved.
If everything authenticates normally, you can gradually expand deployment.
GPO Configuration — Domain Controllers (KDC)
Open GPMC.
Create or edit a GPO linked to the Domain Controllers OU.
Navigate to:
Computer Configuration > Policies > Administrative Templates > System > KDC
Open the setting:
KDC support for claims, compound authentication and Kerberos armoring
Set it to Enabled and choose the appropriate mode:
Supported to start and validate compatibility
Always provide claims if claims are used throughout your environment
Fail unarmored authentication requests only when every system supports FAST
Force a policy update or wait for replication.
GPO Configuration — Client Computers (Kerberos)
Open GPMC.
Create or edit a GPO linked to workstations or member servers.
Navigate to:
Computer Configuration > Policies > Administrative Templates > System > Kerberos
Open the setting:
Kerberos client support for claims, compound authentication and Kerberos armoring
Set it to Enabled and choose:
Supported for pilot phase
Fail unarmored only after full validation
Verify that AES encryption types are allowed on clients (avoid RC4).
Force a policy update or wait for replication.
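After the policy update, the check a practitioner wants is that the KDC and client settings actually landed on the host, and at what level. The script below is an added example, not from the original post: it reads the policy registry values that the two GPO settings above write and reports them in plain language. The registry paths and value names (EnableCbacAndArmor, CbacAndArmorLevel, RequireFast, SupportedEncryptionTypes) are the ones I know from the kdc.admx and kerberos.admx templates and are assumptions to confirm against your own ADMX copy; the function names are mine.

```powershell
# Added example: verify which FAST-related policy values reached this host
# (not from the original post). Registry paths/value names are assumptions taken
# from the kdc.admx / kerberos.admx templates; confirm them against your ADMX files.
$KdcKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters'
$ClientKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'

# Meaning of CbacAndArmorLevel on the KDC side (the three choices of the GPO setting).
$ArmorLevel = @{ 1 = 'Supported'; 2 = 'Always provide claims'; 3 = 'Fail unarmored authentication requests' }

# Bits of "Network security: Configure encryption types allowed for Kerberos".
$EncBits = [ordered]@{ 'DES-CBC-CRC' = 0x1; 'DES-CBC-MD5' = 0x2; 'RC4-HMAC' = 0x4; 'AES128' = 0x8; 'AES256' = 0x10 }

function Read-PolicyValue {
    param([string]$Key, [string]$Name)
    # Returns $null when the key or value is absent, i.e. the policy is not configured.
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-KerberosArmoringState {
    $kdcEnabled  = Read-PolicyValue $KdcKey    'EnableCbacAndArmor'
    $kdcLevel    = Read-PolicyValue $KdcKey    'CbacAndArmorLevel'
    $cliEnabled  = Read-PolicyValue $ClientKey 'EnableCbacAndArmor'
    $cliRequire  = Read-PolicyValue $ClientKey 'RequireFast'
    $cliEncTypes = Read-PolicyValue $ClientKey 'SupportedEncryptionTypes'

    $encNames = if ($null -eq $cliEncTypes) { 'not configured (OS default)' } else {
        ($EncBits.GetEnumerator() | Where-Object { $cliEncTypes -band $_.Value } | ForEach-Object { $_.Key }) -join ','
    }
    $levelName = if ($null -ne $kdcLevel -and $ArmorLevel.ContainsKey([int]$kdcLevel)) { $ArmorLevel[[int]$kdcLevel] } else { 'not configured' }

    [PSCustomObject]@{
        Host               = $env:COMPUTERNAME
        KdcArmoringEnabled = ($kdcEnabled -eq 1)        # only meaningful on a domain controller
        KdcArmoringLevel   = $levelName
        ClientArmoring     = ($cliEnabled -eq 1)
        ClientRequireFast  = ($cliRequire -eq 1)        # the strict client mode; keep False during the pilot
        ClientEncTypes     = $encNames
        Rc4StillAllowed    = ($null -eq $cliEncTypes) -or (($cliEncTypes -band 0x4) -ne 0)
        AesAllowed         = ($null -eq $cliEncTypes) -or (($cliEncTypes -band 0x18) -ne 0)
    }
}

# Usage: run on one DC and one pilot workstation after gpupdate /force.
Get-KerberosArmoringState | Format-List
```

During the pilot you expect KdcArmoringLevel = Supported, ClientArmoring = True and ClientRequireFast = False; Rc4StillAllowed = True on a client is the reminder that the encryption-type policy still needs tightening before strict mode.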
Post-Activation Verification
On the Client Side
On a domain-joined workstation, run:
klist get krbtgt
klist tickets
Tickets should now appear as “armored.”
If FAST is working, Kerberos exchanges are encrypted through the secure tunnel.
On the Domain Controller
Open Event Viewer and check the Kerberos and KDC logs.
Look for entries mentioning FAST or new authentication errors (like 4771 if a system doesn’t support FAST).
Compare the frequency of failures before and after enabling.
If everything remains stable, you can safely move to strict mode (“Fail unarmored”).
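The baseline from the Pre-Deployment Audit section and the before/after comparison described here need the same collector, so this one added example (not from the original post) serves both: it pulls events 4768, 4769, 4770 and 4771 from a domain controller's Security log for a time window, decodes the ticket encryption type and result code, and diffs a baseline window against a post-activation window so that new pre-authentication failures stand out per client. The event field names are those of the Windows Security-log events; the function names, the lookup tables and the 14-day/7-day windows in the usage lines are my own assumptions.

```powershell
# Added example: summarise Kerberos audit events on a DC and diff a baseline window
# against a post-activation window (not from the original post).
$EncTypeNames = @{
    '0x1' = 'DES-CBC-CRC'; '0x3' = 'DES-CBC-MD5'; '0x11' = 'AES128'; '0x12' = 'AES256'
    '0x17' = 'RC4-HMAC'; '0xffffffff' = 'n/a (failed request)'
}
$StatusNames = @{
    '0x0' = 'success'; '0x6' = 'client not found'; '0x12' = 'client revoked/disabled'
    '0x18' = 'pre-auth failed'; '0x19' = 'pre-auth required'; '0x25' = 'clock skew'
}

function Get-KerberosEventSummary {
    param(
        [Parameter(Mandatory)][datetime]$Start,
        [datetime]$End = (Get-Date),
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $filter = @{ LogName = 'Security'; Id = 4768, 4769, 4770, 4771; StartTime = $Start; EndTime = $End }
    foreach ($e in (Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        # Read the EventData block of the event XML into a name/value table.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $enc = "$($data['TicketEncryptionType'])".ToLower()
        $st  = "$($data['Status'])".ToLower()
        [PSCustomObject]@{
            Id      = $e.Id
            Time    = $e.TimeCreated
            Client  = $data['IpAddress']
            Account = $data['TargetUserName']
            EncType = if ($EncTypeNames.ContainsKey($enc)) { $EncTypeNames[$enc] } else { $enc }
            Status  = if ($StatusNames.ContainsKey($st))   { $StatusNames[$st] }   else { $st }
        }
    }
}

function Compare-KerberosWindows {
    param([object[]]$Baseline, [object[]]$After)
    # Count events per (event id, encryption type, result) in each window and report the delta.
    $key = { "$($_.Id)|$($_.EncType)|$($_.Status)" }
    $b = @{}; foreach ($g in ($Baseline | Group-Object $key)) { $b[$g.Name] = $g.Count }
    $a = @{}; foreach ($g in ($After    | Group-Object $key)) { $a[$g.Name] = $g.Count }
    foreach ($k in ((@($b.Keys) + @($a.Keys)) | Sort-Object -Unique)) {
        $id, $enc, $st = $k -split '\|'
        $before = [int]$b[$k]; $now = [int]$a[$k]
        [PSCustomObject]@{ Id = $id; EncType = $enc; Status = $st; Before = $before; After = $now; Delta = ($now - $before) }
    }
}

# Usage (windows are assumptions): baseline = the week before the KDC GPO, after = the week following it.
$baseline = Get-KerberosEventSummary -Start (Get-Date).AddDays(-14) -End (Get-Date).AddDays(-7)
$after    = Get-KerberosEventSummary -Start (Get-Date).AddDays(-7)
Compare-KerberosWindows $baseline $after | Sort-Object Delta -Descending | Format-Table -AutoSize

# Clients that newly fail pre-authentication (4771) are the first candidates for "does not support FAST".
$after | Where-Object { $_.Id -eq 4771 } | Group-Object Client | Sort-Object Count -Descending | Select-Object Count, Name
```

Run the same two calls again after each widening of the pilot group; a stable 4768/4771 picture and a shrinking RC4-HMAC row in the comparison are the concrete evidence the post asks for before switching to “Fail unarmored”.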
Strengths
Kerberos Armoring significantly strengthens pre-authentication security.
Sensitive exchanges are encrypted, KDC error messages are signed, and fallback to NTLM is blocked.
It’s also a foundation for modern environments using claims and dynamic access control.
The “Supported” mode allows a gradual deployment with minimal risk.
Weaknesses
FAST adds a slight cryptographic load on domain controllers and clients.
In mixed environments (old DCs, outdated clients, third-party appliances), authentication failures may appear.
Some non-compliant applications might silently fail if they don’t handle armored tickets.
Risks and Field Experience
In some environments, enabling “Fail unarmored” too quickly caused authentication outages for older servers (2008 R2) still in production.
In other cases, AD FS services broke due to claims/armoring misconfigurations.
In practice, always begin with Supported, monitor logs for several days, then move to strict mode once the whole fleet has been validated.
Post-Deployment Audit
Re-run the same checks you did before deployment.
klist should confirm that tickets are armored.
Event IDs 4768 and 4771 should remain stable with no sudden increase.
If you notice new failures, identify affected hosts or applications before tightening policies.
Also test your key applications (RDP, IIS, SMB, AD FS, LDAP, etc.) to ensure normal authentication behavior.
Key Takeaways
Kerberos FAST is a crucial evolution for securing Active Directory authentication.
Properly configured, it strengthens confidentiality without changing user experience.
But it must be deployed carefully.
Before enabling:
Perform a complete audit of accounts and machines.
Start in “Supported” mode.
Monitor logs for several days.
Only then, move to “Fail unarmored.”
Misconfigured, FAST can block an entire domain.
Deployed properly, it becomes a true shield for your infrastructure.