By default the KDC requires all accounts to use preauthentication. This makes offline password-guessing attacks very difficult. However, preauthentication can be disabled for individual accounts when this is necessary for compatibility with other implementations of the protocol. To disable preauthentication, right-click the User object in Active Directory Users and Computers. Click Properties , and then click the Account tab. In the Account options list, check Do not require Kerberos preauthentication .