
I am a bit concerned about the Windows November 2022 patches that introduced signing of the PAC field in Kerberos tickets.

  1. There is a RegKey (“KrbtgtFullPacSignature”) that, if set to audit mode, accepts and logs all unsigned tickets. Since January, we have enabled this key on all of our DCs, but nothing is logged on our DCs, even though we have some Server 2008 and Windows 7 systems, which should not be able to sign this field.
  2. If I understand Microsoft's timeline correctly (Source), those old unpatched clients won’t be able to authenticate when enforcement mode is enabled in October 2023. However, I haven’t heard any worries about incompatible clients or systems on the various IT news pages. Am I the only one who is worried that our systems might be affected?
  3. Manufacturers of devices like NAS don’t publish anything about this upcoming issue or release firmware that implements these new changes in the Kerberos protocol.

Am I worried too much about this? How do you deal with this topic?

0 Answers