Kerberos has FAST for truly addressing the offline dictionary attack issues with PA-ENC-TIMESTAMP. FAST is basically tunneling, encrypting using some other ticket. With PKINIT w/ anonymous client's it's pretty easy to get this to be good enough, but Windows / AD doesn't support that, so instead you have to use a computer account to get the outer FAST tunnel's ticket, which works if you're joined to the domain, and doesn't work otherwise.

There's also work on a PAKE (zero-knowledge password proof protocol) which also solves the problem. Unfortunately the folks who worked on that did not also add an asymmetric PAKE, so the KDC still stores password equivalents :(

> Rotating the KDC/krbtgt credential is also still a nightmare.

I've done a bunch of work in Heimdal to make key rotation not a nightmare. But yeah, AD needs to copy that. I think the RedHat FreeIPA people are working on similar ideas.

> That's a nice dream, but in reality 20 years from know there will still be domain controllers on enterprise networks.

SSPI and Kerberos are super entrenched in the Windows architecture. IMO MSFT should build an SSP that uses JWTs over TLS, using PKI for server auth and JWT for client auth, using Kerberos principal names as claims in the JWTs and using the PKINIT SAN in server certs to keep all the naming backwards compatible. To get at the "PAC" they should just have servers turn around and ask a nearby DC via NETLOGON.