PAC Validation - No Kerberos Errors in Mixed Environment (CVE-2024-26248 & CVE-2024-29056)
According to the security updates described in CVE-2024-26248 and CVE-2024-29056: Managing PAC Validation Changes, after installing the April 2025 Windows security updates, support for Compatibility Mode will be removed, and strict PAC validation will be enforced.
From what I understand, in a mixed environment where domain controllers are not yet updated, but some Windows clients and member servers are updated, Kerberos authentication issues should occur, due to the mismatch in PAC validation behavior.
However, in our environment, we haven’t seen any authentication failures so far — everything continues to work normally.
Can someone please help me understand why no errors are occurring yet? Is Compatibility Mode still somehow active on updated clients or servers? Or is there an enforcement delay that needs to be manually triggered?
Thank you!
Hi ioanpapita,
The Enterprise Guidance for PAC Validation is published here: How to manage PAC Validation changes related to CVE-2024-26248 and CVE-2024-29056 - Microsoft Support. Please note that after the January 2025 update, all Windows domain controllers and clients were moved to Enforced mode. If you had existing registry keys on your DCs to override the enforced behavior, that override would stay in effect until the April 2025 update. After the April 2025 update, the registry keys won’t override the enforced behavior. As to why no errors are occurring – that would indicate that you don’t have any cross-forest filtering failures in your environment (which is a good thing).
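One way to check, on a given DC or member server, the two points raised in the reply above: whether override values are still present, and whether any PAC validation events have been logged. This is an added example, not part of the original thread. The registry value names, the event provider name and event IDs 21/22 are assumptions drawn from Microsoft's PAC validation guidance rather than from this page, so confirm them against that article.

```powershell
# Added example, not from the original thread.
# ASSUMPTIONS: registry path/value names, provider name and event IDs come from
# Microsoft's PAC validation guidance, not from this page. Verify before use.
$kerbParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kerberos\Parameters'
$overrides  = 'PacSignatureValidationLevel', 'CrossDomainFilteringLevel'

function Get-PacOverride {
    # Reports whether each override value exists and, if so, its data.
    param([string]$Path = $kerbParams, [string[]]$Names = $overrides)
    $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    foreach ($name in $Names) {
        $present = ($null -ne $props) -and
                   ($props.PSObject.Properties.Name -contains $name)
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Value    = $name
            Present  = $present
            Data     = if ($present) { $props.$name } else { $null }
        }
    }
}

function Get-PacValidationEvent {
    # Returns Kerberos PAC validation events from the System log.
    param([int]$Days = 30)
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Security-Kerberos'
        Id           = 21, 22
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent raises an error when nothing matches; treat that as "no events".
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, MachineName
}

Get-PacOverride | Format-Table -AutoSize
$events = @(Get-PacValidationEvent)
'{0} PAC validation event(s) in the last 30 days' -f $events.Count
$events | Format-Table -AutoSize
```

No override values and an event count of zero would match the explanation given in the reply: enforcement is already active and nothing in the environment is failing validation.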