Microsoft says that “Disabling Kerberos Pre-Authentication must not be disabled”. They argue that:
Without Kerberos Pre-Authentication a malicious attacker can directly send a dummy request for authentication. The KDC will return an encrypted TGT and the attacker can brute force it offline. Upon checking the KDC logs, nothing will be seen except a single request for a TGT.
I don’t believe that pre-authentication adds any level of security as you can read in this nice article (section 3.1).
If an attacker is able to capture the preauthentication packets and wants to take the identity of a valid user, the attacker will need to perform the procedures that the KDC performs. The attacker will need to use the decryption procedure in the agreed upon encryption type and try running different passwords against the captured data. If it is successful then the attacker has the user’s password. The time required for this procedure is a function of the complexity of the password and the time it takes to decrypt a single password.
So, if you decide to do it, you may act only on your own behalf and on your sole responsibility 😀.