Microsoft to Enforce Hardened Kerberos PAC Validation by April 2025

Microsoft has officially begun the countdown to enforcing its hardened Kerberos PAC validation behavior on Windows 10, Windows 11, and Windows Server. The change, which shipped in the April 2024 security updates in a compatibility mode, was initially delayed and is now moving into its enforcement phase, with the compatibility switches removed by updates released in April 2025.
What Does This Mean for IT Administrators?
The Kerberos PAC (Privilege Attribute Certificate) is the structure inside a Kerberos ticket that carries the user's SID and group memberships, which resource servers turn into access decisions. PAC validation is the check that lets a server or domain controller verify the PAC's signatures, so that a tampered or forged PAC cannot grant privileges the KDC never issued. Two vulnerabilities in this validation, CVE-2024-26248 and CVE-2024-29056, both Windows Kerberos elevation-of-privilege issues, prompted Microsoft to change the protocol: the April 2024 updates add stricter signature validation and cross-domain filtering, running in compatibility mode until every domain controller and domain member is patched.
Starting April 2025, Windows updates will remove support for the PacSignatureValidationLevel and CrossDomainFilteringLevel registry values under the Kdc service key, which today allow the new behavior to be switched between compatibility and enforcement. Once they are gone, the secure behavior is always on. Compatibility mode will no longer be available, so administrators must ensure that all Windows domain controllers and all Windows clients and member servers carry the April 2024 or later updates before that point, or authentication across unpatched systems will fail.
Key Timeline for Implementing Changes
- Current Phase: updated systems run in compatibility mode by default. Administrators can set the registry values to enforcement mode early to test, and can still switch back to compatibility mode if something breaks.
- Enforcement Phase (April 2025): the new security behavior becomes mandatory, the registry values are ignored, and there is no option to revert to the older model.
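The procedure above comes down to two registry values on every domain controller. The following script is an added example, not code from the article or from Microsoft; it assumes the KB5037754 values PacSignatureValidationLevel (2 = compatibility, 3 = enforcement) and CrossDomainFilteringLevel (4 = compatibility, 5 = enforcement) under HKLM\SYSTEM\CurrentControlSet\Services\Kdc, the ActiveDirectory module, and WinRM access to the DCs. It inventories the current mode on each DC and can switch a DC to enforcement mode for early testing.

```powershell
# Added example (not from the article or Microsoft). Assumes the KB5037754
# registry values under the Kdc service key:
#   PacSignatureValidationLevel  2 = compatibility (default), 3 = enforcement
#   CrossDomainFilteringLevel    4 = compatibility (default), 5 = enforcement
# Run from a host with the ActiveDirectory module and WinRM access to the DCs.
#Requires -Modules ActiveDirectory

$KdcKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$Compat  = @{ PacSignatureValidationLevel = 2; CrossDomainFilteringLevel = 4 }
$Enforce = @{ PacSignatureValidationLevel = 3; CrossDomainFilteringLevel = 5 }

function Get-PacValidationMode {
    # Reads both values from one DC and classifies each as Enforcement,
    # Compatibility, or NotSet (an absent value means the compatibility default).
    param([Parameter(Mandatory)][string]$DomainController)

    Invoke-Command -ComputerName $DomainController -ScriptBlock {
        $key = $using:KdcKey; $compat = $using:Compat; $enforce = $using:Enforce
        foreach ($name in $compat.Keys) {
            $value = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
            if ($null -eq $value)                { $mode = 'NotSet' }
            elseif ($value -eq $enforce[$name])  { $mode = 'Enforcement' }
            elseif ($value -eq $compat[$name])   { $mode = 'Compatibility' }
            else                                 { $mode = "Unknown($value)" }
            [pscustomobject]@{
                DomainController = $env:COMPUTERNAME
                Setting          = $name
                Value            = $value
                Mode             = $mode
            }
        }
    }
}

function Set-PacValidationMode {
    # Writes both values on one DC. Use 'Compatibility' to roll back during testing;
    # after the April 2025 updates the values are ignored and this has no effect.
    param(
        [Parameter(Mandatory)][string]$DomainController,
        [ValidateSet('Compatibility', 'Enforcement')][string]$Mode = 'Enforcement'
    )
    Invoke-Command -ComputerName $DomainController -ScriptBlock {
        $key = $using:KdcKey
        $levels = if ($using:Mode -eq 'Enforcement') { $using:Enforce } else { $using:Compat }
        foreach ($name in $levels.Keys) {
            Set-ItemProperty -Path $key -Name $name -Value $levels[$name] -Type DWord
        }
    }
}

# Usage: inventory every DC in the domain first.
$report = Get-ADDomainController -Filter * |
    ForEach-Object { Get-PacValidationMode -DomainController $_.HostName }
$report | Format-Table DomainController, Setting, Value, Mode -AutoSize

# Once every DC and every domain member carries the April 2024 (or later) updates,
# move the remaining DCs to enforcement mode ahead of the April 2025 cutoff:
# $report | Where-Object Mode -ne 'Enforcement' | Select-Object -Unique DomainController |
#     ForEach-Object { Set-PacValidationMode -DomainController $_.DomainController }
```

Run the inventory on a schedule until every DC reports Enforcement for both settings; any DC still showing NotSet or Compatibility in early 2025 is one whose behavior will change silently when the April updates land.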
Microsoft’s Windows News Center advises: “Prepare yourself to fully activate the compulsory mode later this year!”
What About NTLM?
Microsoft is also phasing out NTLM (NT LAN Manager), starting with Windows 11 24H2 and Windows Server 2025. NTLMv1 is removed entirely in these versions, while NTLMv2 remains available for now. However, Microsoft has deprecated the entire NTLM family, including NTLMv2, and has signaled that it will be removed in a future release.
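Because NTLMv1 simply stops working on the versions above, the first practical step is to find who still uses it. The script below is an added example, not code from the article or from Microsoft; it reads successful logon events (ID 4624) from the local Security log and splits them by the LmPackageName field, which Windows sets to "NTLM V1" or "NTLM V2" for NTLM logons. It assumes the standard 4624 EventData field names and must run elevated on a machine that records those events, typically a domain controller.

```powershell
# Added example (not from the article or Microsoft): list logons that still use
# NTLM, split into NTLM V1 and NTLM V2, from the local Security log.
# Assumes the standard 4624 EventData fields AuthenticationPackageName,
# LmPackageName, TargetUserName, TargetDomainName, WorkstationName, IpAddress
# and LogonType. Run elevated on a domain controller or other audited server.

function Get-NtlmLogon {
    param([int]$MaxEvents = 5000, [string]$LogName = 'Security')

    # XPath filter keeps only successful logons authenticated by the NTLM package;
    # Kerberos logons carry 'Kerberos' here and LmPackageName '-'.
    $xpath = "*[System[EventID=4624] and EventData[Data[@Name='AuthenticationPackageName']='NTLM']]"
    $events = Get-WinEvent -LogName $LogName -FilterXPath $xpath -MaxEvents $MaxEvents `
                           -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time        = $e.TimeCreated
            User        = "$($data.TargetDomainName)\$($data.TargetUserName)"
            Workstation = $data.WorkstationName
            SourceIp    = $data.IpAddress
            LogonType   = $data.LogonType
            NtlmVersion = $data.LmPackageName    # 'NTLM V1' or 'NTLM V2'
        }
    }
}

# Usage: NTLM V1 sources break outright on Windows 11 24H2 / Server 2025, so fix
# those first; NTLM V2 sources go on the migration list for the eventual removal.
$logons = Get-NtlmLogon
$logons | Group-Object NtlmVersion | Select-Object Name, Count
$logons | Where-Object NtlmVersion -eq 'NTLM V1' |
    Group-Object User, Workstation, SourceIp | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

Every DC keeps its own Security log, so run this on each DC (or forward 4624 events centrally) to get a domain-wide picture; a source that authenticates to only one DC will otherwise be missed.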
Why is NTLM Being Removed?
NTLM has a long record of weaknesses, among them credential relay, pass-the-hash, and offline cracking of NTLMv1 challenge-responses, and some of these have been mitigated only by third-party tooling rather than by changes to the protocol itself. By removing NTLM, Microsoft aims to shrink that attack surface. Kerberos, with AES-based encryption types, mutual authentication, and features such as constrained delegation, is being positioned as the preferred alternative.
What Are the Alternatives to NTLM?
Microsoft is developing two new Kerberos-based features to cover the cases where NTLM is still used today:
- IAKerb (Initial and Pass-through Authentication Using Kerberos), which lets a client authenticate with Kerberos through a server even when the client has no line of sight to a domain controller
- Local KDC (Key Distribution Center), which brings Kerberos to local accounts on a standalone machine
Additionally, multi-factor authentication and the Negotiate protocol are recommended: Negotiate selects Kerberos whenever it is available and only falls back to NTLM otherwise, so applications should request Negotiate rather than hardcoding NTLM.
Impact on Older Windows Versions
For now, older versions of Windows are not affected by NTLM's removal. However, Microsoft is gradually phasing out support for NTLM across the product line, so users of older systems should plan their transition to modern authentication methods now rather than when the removal reaches them.
What About Windows Information Protection (WIP/EDP)?
Alongside NTLM's removal, Microsoft is discontinuing Windows Information Protection (WIP), also known as Enterprise Data Protection (EDP), with the release of Windows 11 24H2. Organizations currently relying on WIP will need to move to an alternative data protection solution. Microsoft is expected to announce replacement technologies.
Preparing for the Change
The transition to the new security behaviors requires IT administrators to confirm that every domain controller and domain member carries the April 2024 or later updates, to test PAC validation enforcement mode before it becomes mandatory, and to inventory and retire the applications and devices that still depend on NTLM. Staying ahead of these changes avoids authentication outages when enforcement arrives and keeps the environment aligned with Microsoft's evolving security baseline.
Do these changes pose challenges for your IT environment? Share your thoughts and experiences to help others navigate this transition!