Q. What's the goal of the strict KDC validation feature that Microsoft introduced in Windows Server 2008? Do you recommend enabling this feature in our AD environment where about half of the users authenticate using smart cards?

A. Strict KDC validation makes smart card logons in a Windows AD environment more secure and makes the authentication validation logic more resistant to certain attacks. If you have many smart card users, I strongly advise you to enable this feature.

Strict KDC validation isn't enabled by default. You can enable it using the Require strict KDC validation Group Policy Object (GPO) setting, which is located in the Computer Configuration\Administrative Templates\System\Kerberos Policy GPO container. Strict KDC validation is only supported on Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista Service Pack 1 (SP1), and later OSs.

Strict KDC validation enables a more restrictive set of criteria that must be met by a Windows Kerberos Key Distribution Center (KDC) for successful smart card-based user authentication. The KDC is the Kerberos authentication service that's part of every Windows Active Directory domain controller (DC). A Windows client that has the strict KDC validation setting enabled will validate the certificate-based Kerberos authentication messages it gets from a DC by checking that all of the following conditions are met:

  • The DC has a private key that corresponds to the KDC certificate.
  • For domain-joined systems, the CA that issued the KDC certificate is contained in the AD NTAuth store.
  • For non-domain-joined systems, the root CA of the KDC certificate is either in the Third-Party Root Certification Authorities or in the Smart Card Trusted Roots containers of the Windows client's certificate store (accessible from the Certificates MMC snap-in).
  • The KDC certificate has the KDC Authentication entry in the Extended Key Usage (EKU) X.509 extension.
  • The KDC certificate's SubjectAltName (SAN) X.509 extension contains the domain's DNS (FQDN) and NetBIOS names.
  • The KDC certificate's DNSName field of the SubjectAltName (SAN) X.509 extension matches the domain's DNS name (FQDN).

When you plan to use strict KDC validation, it's important that all your DCs have a correct KDC server certificate that adheres to the last three conditions in the list above. You can create a valid DC certificate using the new Kerberos Authentication certificate template that Microsoft includes in Windows Server 2008. Certificates created from this template have the proper KDC EKU and SAN certificate extensions. The older Domain Controller and Domain Controller Authentication certificate templates don't contain the correct extensions, so certificates issued from them will fail the strict KDC validation checks.
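Before turning on the GPO setting, it's worth auditing each DC's certificate store against the conditions listed above. The following PowerShell script is an added example for that audit; it isn't from the original column or from Microsoft. It assumes it runs in an elevated session on the DC, that the domain names passed in are placeholders you replace with your own, and it relies on the KDC Authentication EKU being object identifier 1.3.6.1.5.2.3.5 (id-pkinit-KPKdc).

```powershell
# Added example (not from the original article): audit a domain controller's
# certificates against the strict KDC validation conditions a client enforces.
# Run in an elevated PowerShell session on the DC.
# The two domain names below are placeholders; replace them with your own.
param(
    [string]$DomainFqdn    = 'corp.example.com',   # placeholder, assumed value
    [string]$DomainNetbios = 'CORP'                # placeholder, assumed value
)

$kdcAuthOid = '1.3.6.1.5.2.3.5'   # id-pkinit-KPKdc, shown as "KDC Authentication" in the MMC
$sanOid     = '2.5.29.17'         # X.509 subjectAltName extension

# Only certificates carrying the KDC Authentication EKU can pass at all;
# the older Domain Controller templates never have it.
$candidates = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $kdcAuthOid }

if (-not $candidates) {
    Write-Warning "No certificate with the KDC Authentication EKU found in the machine store."
    Write-Warning "Enroll one from the 'Kerberos Authentication' template before enabling strict KDC validation."
    return
}

foreach ($cert in $candidates) {
    # Pull the DNS names out of the SAN extension's formatted text
    # (lines look like "DNS Name=corp.example.com").
    $sanExt   = $cert.Extensions | Where-Object { $_.Oid.Value -eq $sanOid }
    $sanText  = if ($sanExt) { $sanExt.Format($true) } else { '' }
    $dnsNames = [regex]::Matches($sanText, 'DNS Name=([^\s,]+)') |
        ForEach-Object { $_.Groups[1].Value }

    # One row per candidate: each property maps to one condition from the list.
    # -contains is case-insensitive, so NetBIOS casing does not matter.
    [pscustomobject]([ordered]@{
        'Thumbprint'                       = $cert.Thumbprint
        'Private key present'              = $cert.HasPrivateKey
        'KDC Authentication EKU'           = $true   # guaranteed by the filter above
        'SAN contains domain FQDN'         = ($dnsNames -contains $DomainFqdn)
        'SAN contains domain NetBIOS name' = ($dnsNames -contains $DomainNetbios)
        'Not expired'                      = ($cert.NotAfter -gt (Get-Date))
    }) | Format-List
}

# The NTAuth condition is a property of the domain, not of this DC's store.
# List the CAs that domain-joined clients accept as KDC certificate issuers with:
#   certutil -viewstore -enterprise NTAuth
```

Any row showing False for the SAN or private-key checks means smart card logons against that DC will start failing once the GPO is applied, so fix the certificate first and enable the policy afterwards.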

More information on strict KDC validation can be found in the Microsoft document "Enabling Strict KDC Validation in Windows Kerberos."