{"id":37718,"date":"2025-04-11T13:38:25","date_gmt":"2025-04-11T11:38:25","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=37718"},"modified":"2025-04-11T13:38:25","modified_gmt":"2025-04-11T11:38:25","slug":"windows-kerberos-pac-validation-protocol-in-enforcement-mode-since-april-8-2025","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2025\/04\/11\/windows-kerberos-pac-validation-protocol-in-enforcement-mode-since-april-8-2025\/","title":{"rendered":"Windows: Kerberos PAC Validation Protocol in enforcement mode since April 8, 2025"},"content":{"rendered":"<p><img decoding=\"async\" style=\"margin: 0px 10px 0px 0px; display: inline; float: left;\" title=\"Windows\" src=\"https:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2021\/04\/Windows-klein.jpg\" alt=\"Windows\" width=\"200\" align=\"left\" \/>[<a href=\"https:\/\/www.borncity.com\/blog\/2025\/04\/11\/windows-kerberos-pac-validation-protocol-seit-8-april-2025-abgeschaltet\/\" target=\"_blank\" rel=\"noopener\">German<\/a>]Quick reminder for administrators, in case anyone hasn't noticed. On the April 2025 patchday (8.4.2025), the \"enforcement phase\" for the hardening of the Kerberos protocol regarding the Kerberos PAC Validation Protocol came into force. This removed certain modes that could still be activated via registry.<\/p>\n<p><!--more--><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/vg08.met.vgwort.de\/na\/e1227228f3db4f5ba9ee663f0bc5a39d\" alt=\"\" width=\"1\" height=\"1\" \/>Microsoft had already taken the hardening of Windows clients and servers for the Kerberos protocol seriously in February 2025. As part of the timetable for gradual hardening, the \"Enforcement Phase\" (<a href=\"https:\/\/support.microsoft.com\/topic\/6e661d4f-799a-4217-b948-be0a1943fef1\" target=\"_blank\" rel=\"noopener\" data-bi-type=\"anchor\">KB5037754<\/a>) for the Kerberos PAC Validation Protocol came into force on April 8, 2025.<\/p>\n<blockquote><p>The Privilege Attribute Certificate (PAC) is an extension of the Kerberos service tickets. It contains information about the authenticating user and their authorizations.<\/p><\/blockquote>\n<p>The Windows security updates that will be released in April 2025 or later will enforce the new security behavior. To do this, the updates remove support for the <em>PacSignatureValidationLevel<\/em> and <em>CrossDomainFilteringLevel<\/em> registry subkeys. After installing the April 8, 2025 update, there will no longer be support for compatibility mode.<\/p>\n<p>If you are still using Windows XP systems in an AD environment, you should read the comments in my German article <a href=\"https:\/\/www.borncity.com\/blog\/2024\/10\/30\/kerberos-pac-schwachstellen-kommt-das-ende-fuer-windows-xp-im-april-2025\/\">Kerberos PAC-Schwachstellen: Kommt das Ende f\u00fcr Windows XP im April 2025?<\/a>.<\/p>\n<p><strong>Similar articles<\/strong><br \/>\n<a href=\"https:\/\/borncity.com\/win\/2025\/02\/22\/windows-10-11-and-server-hardening-timeline-for-2025-and-beyond\/\" rel=\"bookmark\">Windows 10\/11 and Server hardening: Timeline for 2025 and beyond<\/a><br \/>\n<a href=\"https:\/\/borncity.com\/win\/2025\/04\/09\/patchday-windows-server-updates-8-april-2025\/\" rel=\"bookmark\">Patchday: Windows Server-Updates (April 8, 2025)<\/a><br \/>\n<a href=\"https:\/\/www.borncity.com\/blog\/2024\/10\/30\/kerberos-pac-schwachstellen-kommt-das-ende-fuer-windows-xp-im-april-2025\/\" target=\"_blank\" rel=\"bookmark noopener\">Kerberos PAC-Schwachstellen: Kommt das Ende f\u00fcr Windows XP im April 2025?<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German]Quick reminder for administrators, in case anyone hasn't noticed. On the April 2025 patchday (8.4.2025), the \"enforcement phase\" for the hardening of the Kerberos protocol regarding the Kerberos PAC Validation Protocol came into force. This removed certain modes that could &hellip; <a href=\"https:\/\/borncity.com\/win\/2025\/04\/11\/windows-kerberos-pac-validation-protocol-in-enforcement-mode-since-april-8-2025\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[580,22,2],"tags":[69,195,194],"class_list":["post-37718","post","type-post","status-publish","format-standard","hentry","category-security","category-update","category-windows","tag-security","tag-update","tag-windows"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/37718","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=37718"}],"version-history":[{"count":1,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/37718\/revisions"}],"predecessor-version":[{"id":37719,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/37718\/revisions\/37719"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=37718"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=37718"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=37718"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}