Q. What's strict KDC validation?

Jan De Clercq

December 17, 2010

2 Min Read
ITPro Today logo in a gray background | ITPro Today

Q. What's the goal of the strict KDC validation feature that Microsoft introduced in Windows Server 2008? Do you recommend enabling this feature in our AD environment where about half of the users authenticate using smart cards?

A. Strict KDC validation makes smart card logons in a Windows AD environment more secure and makes the authentication validation logic more resistant to certain attacks. If you have many smart card users, I strongly advise you to enable this feature.

Strict KDC validation isn't enabled by default. You can enable it using the Require strict KDC validation Group Policy Object (GPO) setting, which is located in the Computer ConfigurationAdministrative TemplatesSystemKerberos Policy GPO container. Strict KDC validation is only supported on Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista Service Pack 1 (SP1), and later OSs.

Strict KDC validation enables a more restrictive set of criteria that must be met by a Windows Kerberos Key Distribution Center (KDC) for successful smart card-based user authentication. The KDC is the Kerberos authentication service that's part of every Windows Active Directory domain controller (DC). A Windows client that has the strict KDC validation setting enabled will validate the certificate-based Kerberos authentication messages it gets from a DC by checking that all of the following conditions are met:

  • The DC has a private key that corresponds to the KDC certificate.

  • For domain joined-systems, the CA that issued the KDC certificate is contained in the AD NTAuth store.

  • For non-domain-joined systems, the root CA of the KDC certificate is either in the Third-Party Root Certification Authorities or in the Smart Card Trusted Roots containers of the Windows client's certificate store (accessible from the Certificates MMC snap-in).

  • The KDC certificate has the KDC Authentication entry in the Extended Key Usage (EKU) X.509 extension.

  • The KDC certificate's SubjectAltName (SAN) X.509 extension contains the domain's DNS (FQDN) and NetBIOS names.

  • The KDC certificate's DNSName field of the SubjectAltName (SAN) X.509 extension matches the domain's DNS name (FQDN).

When you plan to use strict KDC validation, it's important that all your DCs have a correct KDC server certificate that adheres to the three last conditions in the list above. You can create a valid DC certificate using the new certificate template Kerberos Authentication that Microsoft includes in Windows Server 2008. Certificates created from this template have the proper KDC EKU and SAN certificate extensions. The older Domain Controller and Domain Controller Authentication certificate templates don't contain the correct extensions and will fail the strict KDC validation checks.

More information on strict KDC validation can be found in the Microsoft document "Enabling Strict KDC Validation in Windows Kerberos."

About the Author

Jan De Clercq

Jan De Clercq

See more from Jan De Clercq
Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.
Newsletter Sign-Up

You May Also Like

Editor's Choice

a stressed employee at their laptop and collaboration icons gone amok
Unified Communications
Microsoft Teams Is Acting Up. What Can We Do?Microsoft Teams Is Acting Up. What Can We Do?
byBrien Posey
Sep 12, 2024
4 Min Read
person placing a block between two columns of blocks
IT Management
Data Skills Gap Is Hampering Productivity; Is Upskilling the Answer?Data Skills Gap Is Hampering Productivity; Is Upskilling the Answer?
byNathan Eddy
Sep 7, 2024
7 Min Read
data privacy quiz sample question above a desk
Data Privacy
Data Privacy Quiz: 20 Questions To Test Your KnowledgeData Privacy Quiz: 20 Questions To Test Your Knowledge
byIan Horowitz
Aug 30, 2024
1 Min Read
Exclusive ITPro Resources
See all ITPro Resources

Featured How Tos

tablet with "cloud computing" on the screen on top of financial documents and calculator
Cloud Computing
Guide to Cloud Computing ETFsGuide to Cloud Computing ETFs
A cartoon of a person sitting at a computer, with speech bubbles—one from the person saying Hello and one from the computer responding with Hello
PowerShell
PowerShell Speech Recognition: How To Set up Voice Commands and ResponsesPowerShell Speech Recognition: Set up Voice Commands and Responses
Migrating From VMware Guide cover
VMWare
Migrating From VMware: Guide to a Successful TransitionMigrating From VMware: Guide to a Successful Transition
Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.
Newsletter Sign-Up
Trending

Recent What Is

list of domains within the umbrella category of IT security
IT Security
What Is IT Security? Essentials of IT Security ExplainedWhat Is IT Security? Essentials of IT Security Explained
ITPro Today's tech careers quick reference guide cover
Career Management
Tech Careers: Quick Reference Guide to IT Job TitlesTech Careers: Quick Reference Guide to IT Job Titles