New features in Active Directory Domain Services in Windows Server 2012, Part 11: Kerberos Armoring (FAST)


An entirely new security feature in Active Directory Domain Services in Windows Server 2012 goes by the name Flexible Authentication Secure Tunneling (FAST). It addresses long-standing weaknesses in Kerberos pre-authentication and also makes sure clients do not fall back to unarmored exchanges with the KDC or to weaker cryptographic methods.

Note:
This feature is often referred to as Kerberos Armoring, but Flexible Authentication Secure Tunneling (FAST) is its official name, defined in RFC 6113 (April 2011).


What’s New

Flexible Authentication Secure Tunneling (FAST) is part of the framework for Kerberos Pre-authentication. FAST provides a protected channel between the client and the Key Distribution Center (KDC), and it can optionally deliver key material used to strengthen the reply key within the protected channel. With FAST in place, it is relatively straightforward to chain multiple authentication mechanisms, utilize a different key management system, or support a new key agreement algorithm.

In the Windows implementation the armor ticket is the computer account's own Ticket Granting Ticket (TGT), so the user's Authentication Service (AS) exchange is wrapped in a channel keyed by the device's TGT session key. With FAST enabled and required, an attacker who captures the exchange can no longer brute force the user's password-derived reply key offline, because the reply key is strengthened with the armor key that only the client and the KDC hold. KDC errors are signed inside the tunnel as well, so the encryption types negotiated during pre-authentication between Windows 8 clients and Windows Server 2012 Domain Controllers cannot be downgraded by someone on the path.

Because the armor ticket identifies the device, enabling FAST is also what makes Compound Authentication in Dynamic Access Control (DAC) possible, allowing authorization based on the combination of both user claims and device claims.


Enabling FAST

Enabling Flexible Authentication Secure Tunneling (FAST) is done through Group Policy, once the requirements listed below are met.

The Group Policy you need for this is located in Computer Configuration, Administrative Templates, System, KDC and is named KDC support for claims, compound authentication and Kerberos armoring:

Screenshot: Enabling Kerberos Armoring in Group Policy

This Group Policy offers four possible settings once you enable it:

  • Not supported: the Domain Controller does not advertise or use claims, compound authentication or armoring (the behavior of a Domain Controller without the policy).
  • Supported: the Domain Controller advertises support and uses them when a client asks for them; unarmored requests are still accepted.
  • Always provide claims: as Supported, but claims are always returned for accounts that support them.
  • Fail unarmored authentication requests: as Always provide claims, and unarmored Kerberos messages are rejected.

Choose the Supported setting and link the Group Policy object to the Domain Controllers Organizational Unit (OU). After that it is time to enable Flexible Authentication Secure Tunneling (FAST) on the Windows 8 clients.

In the Group Policy Management Console (GPMC), assign a Group Policy object to the Organizational Unit(s) containing your domain-joined Windows 8 computers. Open the Group Policy object and navigate to Computer Configuration, Administrative Templates, System, Kerberos. Here, enable the Kerberos client support for claims, compound authentication and Kerberos armoring Group Policy:


After the next Group Policy refresh cycle, Flexible Authentication Secure Tunneling (FAST) is in use on your network between domain-joined Windows 8 clients and Windows Server 2012-based Domain Controllers.


Requiring FAST

Requiring Flexible Authentication Secure Tunneling is the next step. You will still use the Group Policy Management Console (GPMC) as your tool of choice, because a couple more Group Policies need to be configured.

Assign a Group Policy object to the Organizational Unit(s) containing your Windows 8 clients (the same scope you used when enabling FAST) and, within the Group Policy object, again navigate to Computer Configuration, Administrative Templates, System, Kerberos. Here, enable the Fail authentication requests when Kerberos armoring is not available Group Policy. This is a Kerberos client setting, not a KDC setting: with it enabled, a Windows 8 machine only allows an unarmored authentication service exchange when the domain does not support Kerberos armoring, and it fails authentication when no Windows Server 2012 Domain Controller can be found for a domain that does support it.

Screenshot: Fail authentication requests when Kerberos armoring is not available in Group Policy

Lastly, the above-mentioned Group Policy KDC support for claims, compound authentication and Kerberos armoring, located in Computer Configuration, Administrative Templates, System, KDC and linked to the Domain Controllers OU, needs to be configured with the Fail unarmored authentication requests setting. Roll out the client-side setting first: once the KDC rejects unarmored requests, any machine that did not receive the client policy (including down-level clients) can no longer authenticate.
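The two procedures above (enabling FAST, then requiring it), scripted with the GroupPolicy and ActiveDirectory modules. This is an added example and not part of the original post. The GPO names and the client OU path are placeholders. The registry keys and value names are what, to my knowledge, the KDC.admx and Kerberos.admx templates map these four policies to; because that mapping is an assumption, the Confirm-AdmxMapping step reads it back from the local PolicyDefinitions folder so you can verify before linking anything.

```powershell
# Added example (not from the original post): enable, then require, Kerberos armoring
# through Group Policy. GPO names and $ClientOu are placeholders. The registry mapping
# below is an assumption taken from KDC.admx / Kerberos.admx; Confirm-AdmxMapping checks
# it against the templates on the machine you run this from.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$Domain   = (Get-ADDomain).DNSRoot
$DcOu     = (Get-ADDomain).DomainControllersContainer       # OU=Domain Controllers,DC=...
$ClientOu = 'OU=Workstations,DC=corp,DC=example'           # placeholder, adjust to your OU(s)

# Policy -> registry mapping (assumed; ADMX keys are relative to HKLM for Machine policies)
$KdcKey    = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters'
$ClientKey = 'HKLM\SOFTWARE\Microsoft\Windows\System\Kerberos\Parameters'
# CbacAndArmorLevel in the order the KDC policy drop-down lists them (assumed)
$Level = @{ NotSupported = 0; Supported = 1; AlwaysProvideClaims = 2; FailUnarmored = 3 }

function Confirm-AdmxMapping {
    # Print name/key/valueName of every policy in an ADMX file that writes $ValueName,
    # so the constants above can be compared with the real template before use.
    param([string]$Admx, [string]$ValueName)
    [xml]$doc = Get-Content "$env:windir\PolicyDefinitions\$Admx"
    $doc.policyDefinitions.policies.policy |
        Where-Object { $_.valueName -eq $ValueName } |
        Select-Object name, key, valueName
}
Confirm-AdmxMapping -Admx 'KDC.admx'      -ValueName 'EnableCbacAndArmor'
Confirm-AdmxMapping -Admx 'Kerberos.admx' -ValueName 'EnableCbacAndArmor'
Confirm-AdmxMapping -Admx 'Kerberos.admx' -ValueName 'ClientRequireFast'

# --- Enabling, step 1: KDC side set to "Supported", linked to the Domain Controllers OU ---
$kdcGpo = New-GPO -Name 'KDC - Claims, Compound Authentication and Armoring' -Domain $Domain
Set-GPRegistryValue -Name $kdcGpo.DisplayName -Key $KdcKey -ValueName 'EnableCbacAndArmor' -Type DWord -Value 1
Set-GPRegistryValue -Name $kdcGpo.DisplayName -Key $KdcKey -ValueName 'CbacAndArmorLevel'  -Type DWord -Value $Level.Supported
New-GPLink -Name $kdcGpo.DisplayName -Target $DcOu

# --- Enabling, step 2: Kerberos client side, linked to the Windows 8 client OU(s) ---
$cliGpo = New-GPO -Name 'Kerberos client - Claims, Compound Authentication and Armoring' -Domain $Domain
Set-GPRegistryValue -Name $cliGpo.DisplayName -Key $ClientKey -ValueName 'EnableCbacAndArmor' -Type DWord -Value 1
New-GPLink -Name $cliGpo.DisplayName -Target $ClientOu

# --- Requiring (only once every DC the clients use runs Windows Server 2012 at the 2012 DFL) ---
# Clients first: they now fail closed when no armoring-capable DC can be found.
Set-GPRegistryValue -Name $cliGpo.DisplayName -Key $ClientKey -ValueName 'ClientRequireFast' -Type DWord -Value 1
# KDC last: from here on unarmored AS/TGS requests are rejected, so any machine that never
# received the client policy (or any down-level client) can no longer authenticate.
Set-GPRegistryValue -Name $kdcGpo.DisplayName -Key $KdcKey -ValueName 'CbacAndArmorLevel' -Type DWord -Value $Level.FailUnarmored

# Read back what both GPOs now carry
Get-GPRegistryValue -Name $kdcGpo.DisplayName -Key $KdcKey
Get-GPRegistryValue -Name $cliGpo.DisplayName -Key $ClientKey
```

Run the Confirm-AdmxMapping lines on their own first; if the key or valueName they print differs from the constants at the top, correct the constants before creating the GPOs. The requiring block is deliberately separated from the enabling block so the two can be run weeks apart, after the prerequisites for requiring are met.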


Requirements

Flexible Authentication Secure Tunneling can be enabled in an Active Directory environment when:

  • Sufficient Domain Controllers are running Windows Server 2012, with sufficient processing power (armoring means additionally encrypting Kerberos messages and signing Kerberos errors on top of the baseline load) and network capacity (to handle the additional message exchange and the larger Kerberos service tickets on top of the baseline traffic).

Note:
When FAST is enabled, Windows 8 clients will only talk to Windows Server 2012 Domain Controllers for their Kerberos exchanges. This can create a pile-on effect on those Domain Controllers. Therefore, ensure every Active Directory site with Windows 8 clients has sufficient Windows Server 2012 Domain Controllers, so that authentication traffic does not have to cross site links.

  • The environment no longer contains Domain Controllers running Windows Server 2003. Supported Domain Controller operating systems include Windows Server 2008, Windows Server 2008 R2 and Windows Server 2012.
  • Clients are running Windows 8.

Flexible Authentication Secure Tunneling can be required in an Active Directory environment when:

  • All Domain Controllers in the domains the client uses (including transited referral domains) are running Windows Server 2012.
  • All domains the client uses are running the Windows Server 2012 Domain Functional Level (DFL).
  • Clients are running Windows 8.
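A check for the prerequisites above, as an added example (not from the original post). It reports, per domain, whether the Domain Controller operating systems and the Domain Functional Level allow FAST to be enabled, whether they allow it to be required, and which sites have no armoring-capable Domain Controller (the pile-on caveat in the note). It uses only the ActiveDirectory module cmdlets Get-ADDomain, Get-ADDomainController and Get-ADForest; the function name is my own.

```powershell
# Added example (not from the original post): verify the FAST prerequisites for a domain.
# Requires the ActiveDirectory module (RSAT or a Domain Controller).
Import-Module ActiveDirectory

function Test-FastPrerequisites {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $ad  = Get-ADDomain -Identity $Domain
    $dcs = Get-ADDomainController -Filter * -Server $Domain |
           Select-Object HostName, Site, OperatingSystem, IsReadOnly

    # OperatingSystem is the display name; "Windows Server 2012" also matches 2012 R2,
    # which is fine: anything from 2012 onwards can armor.
    $capable = @($dcs | Where-Object { $_.OperatingSystem -like '*Windows Server 2012*' })
    $legacy  = @($dcs | Where-Object { $_.OperatingSystem -notlike '*Windows Server 2012*' })
    $ws2003  = @($dcs | Where-Object { $_.OperatingSystem -like '*Windows Server 2003*' })

    # Sites whose Windows 8 clients would have to cross a site link to reach a capable DC
    $sitesWithoutCapableDc = @($dcs | Select-Object -ExpandProperty Site -Unique |
        Where-Object { $site = $_; -not ($capable | Where-Object { $_.Site -eq $site }) })

    [pscustomobject]@{
        Domain                = $ad.DNSRoot
        DomainFunctionalLevel = $ad.DomainMode      # must be Windows2012Domain to require FAST
        CapableDCs            = $capable.Count
        LegacyDCs             = $legacy.Count
        LegacyDCNames         = ($legacy | Select-Object -ExpandProperty HostName) -join ', '
        CanEnable             = ($capable.Count -gt 0) -and ($ws2003.Count -eq 0)
        CanRequire            = ($legacy.Count -eq 0) -and ("$($ad.DomainMode)" -eq 'Windows2012Domain')
        SitesWithoutCapableDC = $sitesWithoutCapableDc -join ', '
    }
}

# Requiring FAST needs every domain the clients use, including transited referral domains,
# so run the check for each domain in the forest rather than only the current one.
(Get-ADForest).Domains | ForEach-Object { Test-FastPrerequisites -Domain $_ } | Format-List
```

CanEnable true with a non-empty SitesWithoutCapableDC list means FAST will work but the clients in those sites will authenticate across site links, which is the situation the note above warns about. CanRequire must be true for every domain in the output before the Fail unarmored authentication requests setting is applied.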


Concluding

Flexible Authentication Secure Tunneling (FAST) solves a couple of security issues in real-world Kerberos environments. Also, it is the basis for Compound authentication in Dynamic Access Control, a new feature in Active Directory Domain Services coming up soon!

Further reading

What's New in Kerberos Authentication
What is Flexible Authentication Secure Tunnel (FAST) in Windows Server 2012
Windows Server 8: Kerberos Armoring for Domain Controllers
Upgrade Domain Controllers to Windows Server 2012

4 Responses to New features in Active Directory Domain Services in Windows Server 2012, Part 11: Kerberos Armoring (FAST)

  1.  

    Hi there,
    And thanks for the post.
    You write, that Kerberos Armoring and FAST are the same thing.

    But on http://technet.microsoft.com/en-us/library/hh831747.aspx it seems to make a distinction.

    In the table, that lists the four configurations, that are available in "KDC support for claims, compound authentication, and Kerberos armoring", it says that:
    If set to "Supported": "Kerberos armoring supported"
    If set to "Always provide claims": "Kerberos armoring supported and Flexible Authentication via Secure Tunneling (RFC FAST) behavior supported"

    Is there a difference?

  2.  

    Thank you for your question.

    There is a difference.

    EAP-FAST is the authentication method described in RFC 4581.
    Kerberos Armoring is Microsoft's implementation of this standard.

    To help admins adopt the security advantages of Kerberos Armoring, Microsoft allows for three distinct types of implementations:

    • Supported
    • Always provide claims
    • Fail unarmored authentication requests

    Only the third implementation adheres to the way EAP-FAST is described in RFC 4581. Technically, only the third way of implementing Kerberos Armoring may be labeled FAST.

  3.  

    Is it correct to say that, during the KRB_AS_REQ, the client's authenticator is encrypted using the logon user's longterm key as derived from his password, then this entire message is then encrypted using the logon computer's longterm key?

  4.  

    Great post, thanks! Should the "fail authentication requests when Kerberos armoring is not available" be applied to the domain controllers OU or the win8+ client machine and member server's OUs? Your article mentions it should be applied to the domain controllers OU. However, the following article from Microsoft implies that it controls the behavior of Win8+ clients: https://technet.microsoft.com/en-us/library/hh831747(v=ws.11).aspx. Specifically, this portion: "When this policy setting is enabled, a device running Windows 8 only allows the authentication service exchange to be unarmored and fail authentication when a domain does not support Kerberos armoring, or when a domain controller running Windows Server 2012 cannot be found for a domain that supports Kerberos armoring."
