PACVerification
This article is intended to provide ways to improve performance for communication where the Kerberos protocol is being used.
Most Nodinite products can benefit from Disabling PAC verification. All services like BizTalk Server, SQL Server and so on may get slightly better performance.
One can argue that doing so may compromise security, however, we are under the impression that changing this value only boosts the performance, it does not fix or make your Windows more or less secure.
Please review the following articles to get your attention on this matter:
Beginning with Windows Server 2003 SP2, you can turn off PAC verification for services. To do this, add the ValidateKdcPacSignature registry entry to the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
ValidateKdcPacSignature DWORD | Description | Comment |
---|---|---|
0 | Disabled | Default for Windows 2008 |
1 | Enabled | Default for other OS Versions |
Note
You must restart the Windows Server if you change this value.
Important
Changing registry values is always risky, and you must ALWAYS comply with the policies that exist within your organization.
CHANGE AT YOUR OWN RISK