Microsoft has announced a significant change on the cybersecurity front: by April 2025, the company will disable legacy Kerberos PAC validation protocols for Windows 10, Windows 11, and Windows Server. This move is a part of Microsoft's continuous evolution toward more modern, secure authentication methods and comes in response to critical security vulnerabilities.
In this article, we dive into the details of this update, explore the technical background of Kerberos authentication, examine the impact on IT administrators, and offer insights on how to prepare for these changes.
Understanding the Kerberos PAC and Its Role
At the heart of this change lies Kerberos, a staple in network security for decades. Kerberos is a trusted third-party authentication protocol that uses secret-key cryptography to verify user identities in a networked environment. Central to this process is the Privilege Attribute Certificate (PAC), which carries user authorization details such as group memberships and privileges.
For many organizations, the PAC has been a reliable element of Kerberos authentication. However, vulnerabilities like CVE-2024-26248 and CVE-2024-29056 have exposed risks by allowing potential network spoofing attacks. These security gaps have convinced Microsoft to set a firm timeline for deprecating legacy PAC validation protocols and pushing the adoption of stricter security standards.
Key Vulnerabilities and Security Enhancements
The discovery of the two vulnerabilities has prompted a major security rethink:
- CVE-2024-26248 and CVE-2024-29056: These security flaws enable malicious actors to spoof network identities, potentially bypassing existing authentication measures.
- Mandatory Security Update: With the enforcement phase starting in April 2025, Windows updates will remove support for outdated settings such as PACSignatureValidationLevel and CrossDomainPolicy. This means legacy compatibility modes will no longer be an option, pushing all Windows domain controllers and clients to operate under newer, enhanced security protocols.
The NTLM Phase-Out: A Shift Toward Modern Authentication
Alongside the Kerberos update, Microsoft is also accelerating the phase-out of NTLM, especially with its vulnerabilities becoming too significant to overlook:
- Transition Away from NTLM: Starting with Windows 11 24H2 and Windows Server 2025, NTLM (NT LAN Manager) – particularly NTLMv1 – will be completely phased out. NTLMv2 remains available temporarily, but the roadmap indicates that even these legacy protocols will eventually be regarded as obsolete.
- Why Move Away from NTLM? NTLM has long been criticized for its security weaknesses. By reducing reliance on NTLM, Microsoft aims to minimize potential intrusion points and enforce a security ecosystem anchored on modern, robust Kerberos standards.
- IAKerb (Initial and Pass-through Authentication Using Kerberos): Aimed at providing seamless initial authentication.
- Local KDC (Key Distribution Center): Designed to streamline the authentication process within localized environments.
Key Timeline and Impact on IT Administrators
Here’s what IT administrators need to note about the upcoming changes:
- Current Phase: Until April 2025, administrators can still adjust system settings to maintain compatibility with the legacy mode.
- Enforcement Phase (April 2025): From this point on, the new security protocols will be enforced with no option to revert to older configurations.
- Impact on Domain Controllers and Clients: All Windows domain controllers and their associated clients will need to be updated to meet these new security requirements. This will involve ensuring that systems and applications support the modern authentication standards.
Preparing for the Transition: Best Practices
For IT professionals wondering how to navigate these changes, here are some actionable steps:
- Audit Your Environment: Identify devices and systems that may still be running legacy authentication methods. Focus on both domain controllers and client machines.
- Apply Latest Updates: Ensure that your Windows 10, Windows 11, and Windows Server environments are updated to support the new security standards. Monitor Microsoft’s update channels closely.
- Plan for NTLM Migration: Start phasing out any reliance on NTLM. Evaluate your current authentication mechanisms and begin transitioning to Kerberos-based methods as soon as possible.
- Test Compatibility: Before the enforcement phase in April 2025, it’s crucial to test your applications in a controlled environment to verify that they work seamlessly with the new settings.
- Explore New Data Protection Options: For organizations using Windows Information Protection, research and test alternative solutions in anticipation of its discontinuation.
Broader Implications for Windows Security
This shift away from legacy protocols is more than just a patch; it represents Microsoft’s commitment to modernizing the security landscape. By mandating stricter security protocols and phasing out outdated authentication methods, Microsoft is encouraging IT administrators and organizations to adopt a more proactive security posture.
This move also aligns with broader trends in cybersecurity, where rapid evolution in threat landscapes demands constant improvements in defense mechanisms. Whether it’s multi-factor authentication, reduced reliance on vulnerable legacy protocols, or the adoption of new Kerberos-based features, the overarching objective is to create a more resilient, secure, and efficient Windows environment.
Conclusion: A Call to Action for IT Administrators
As the countdown begins for the shutdown of legacy Kerberos PAC validation protocols, IT administrators and Windows users alike must prepare for a significant security overhaul. The enforced changes by April 2025 will not only enhance protection against network spoofing attacks but also set the stage for a future in which modern authentication methods take precedence.
Have you started planning your transition yet? What challenges do you foresee in updating your environment to meet these new requirements? Share your thoughts and experiences with the community here on WindowsForum.com as we navigate this transformation together.
Stay safe, stay updated, and let’s embrace the future of secure Windows environments!
Source: Research Snipers Microsoft Plans to Switch Off Kerberos PAC Validation Protocols by April 2025 – Research Snipers