The PKINIT implementation in Microsoft Windows is susceptible to a man in the middle vulnerability. This issue affects Microsoft Systems Windows XP to Windows Server 2003 editions and is due to a failure of the software to properly validate network data. This issue is only exploitable by attackers that have access to valid logon credentials. Attackers exploit this issue to spoof the domain controller/KDC during the initial authentication process.
The recommendations are to block external access at the network boundary, unless external parties require service. Also, to allow only trusted hosts and networks to connect to affected Kerberos servers. TCP and UDP port 88 should be filtered at the network boundary.