PACVerification
This article is intended to provide ways to improve performance for communication where the Kerberos protocol is being used.
Most Nodinite products can benefit from Disabling PAC verification. All services like BizTalk Server, SQL Server and so on may get slightly better performance.
One can argue that doing so may compromise security, however, we are under the impression that changing this value only boosts the performance, it does not fix or make your Windows more or less secure.
Please review the following articles to get your attention on this matter:
- Disabling PAC Verification does not make your Windows Server Less secure
- PAC Structure
- PAC Verification
Beginning with Windows Server 2003 SP2, you can turn off PAC verification for services. To do this, add the ValidateKdcPacSignature registry entry to the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
| ValidateKdcPacSignature DWORD | Description | Comment |
|---|---|---|
| 0 | Disabled | Default for Windows 2008 |
| 1 | Enabled | Default for other OS Versions |
You must restart the Windows Server if you change this value
CHANGE AT YOUR OWN RISK