diff --git a/auth/credentials/credentials.h b/auth/credentials/credentials.h
index c3a048ecc8d..3ad40267e2e 100644
--- a/auth/credentials/credentials.h
+++ b/auth/credentials/credentials.h
@@ -351,4 +351,16 @@ int cli_credentials_get_aes256_key(struct cli_credentials *cred,
 const char *salt,
 DATA_BLOB *aes_256);
+/**
+ * Kerberos FAST handling
+ */
+
+NTSTATUS cli_credentials_set_krb5_fast_armor_credentials(struct cli_credentials *creds,
+ struct cli_credentials *armor_creds,
+ bool require_fast_armor);
+
+struct cli_credentials *cli_credentials_get_krb5_fast_armor_credentials(struct cli_credentials *creds);
+
+bool cli_credentials_get_krb5_require_fast_armor(struct cli_credentials *creds);
+
 #endif /* __CREDENTIALS_H__ */
diff --git a/auth/credentials/credentials_internal.h b/auth/credentials/credentials_internal.h
index 966926919b0..cda361e1dd0 100644
--- a/auth/credentials/credentials_internal.h
+++ b/auth/credentials/credentials_internal.h
@@ -131,6 +131,12 @@ struct cli_credentials {
 enum smb_signing_setting ipc_signing_state;
 enum smb_encryption_setting encryption_state;
+
+ /* Credentials to use for FAST */
+ struct cli_credentials *krb5_fast_armor_credentials;
+
+ /* Should we require FAST? */
+ bool krb5_require_fast_armor;
 };
 #endif /* __CREDENTIALS_INTERNAL_H__ */
diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c
index 7d7d0248cb4..85ea97521d4 100644
--- a/auth/credentials/credentials_krb5.c
+++ b/auth/credentials/credentials_krb5.c
@@ -1125,7 +1125,7 @@ static int cli_credentials_shallow_ccache(struct cli_credentials *cred)
 _PUBLIC_ struct cli_credentials *cli_credentials_shallow_copy(TALLOC_CTX *mem_ctx,
 struct cli_credentials *src)
 {
- struct cli_credentials *dst;
+ struct cli_credentials *dst, *armor_credentials;
 int ret;
 dst = talloc(mem_ctx, struct cli_credentials);
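Review bot: The `/** Kerberos FAST handling */` comment added in auth/credentials/credentials.h does not state the ownership contract of the three new functions, which is what a caller needs to use them safely. Judging by the definitions in credentials_krb5.c, the setter takes a talloc reference on `armor_creds` (so the caller keeps its own handle), a NULL `armor_creds` clears the armor, and the getter returns a borrowed pointer that the caller must not free. I would put that on the setter's declaration together with what `require_fast_armor` is meant to enforce, for example `@param require_fast_armor fail the Kerberos exchange rather than fall back to an unarmored one`; confirm that wording against the code that consumes the flag, which is not part of this diff.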
@@ -1135,6 +1135,14 @@ _PUBLIC_ struct cli_credentials *cli_credentials_shallow_copy(TALLOC_CTX *mem_ct
 *dst = *src;
+ if (dst->krb5_fast_armor_credentials != NULL) {
+ armor_credentials = talloc_reference(dst, dst->krb5_fast_armor_credentials);
+ if (armor_credentials == NULL) {
+ TALLOC_FREE(dst);
+ return NULL;
+ }
+ }
+
 ret = cli_credentials_shallow_ccache(dst);
 if (ret != 0) {
 TALLOC_FREE(dst);
@@ -1532,3 +1540,35 @@ _PUBLIC_ int cli_credentials_get_aes256_key(struct cli_credentials *cred,
 return 0;
 }
+
+/* This take a reference to the armor credentials to ensure the lifetime is appropriate */
+
+NTSTATUS cli_credentials_set_krb5_fast_armor_credentials(struct cli_credentials *creds,
+ struct cli_credentials *armor_creds,
+ bool require_fast_armor)
+{
+ talloc_unlink(creds, creds->krb5_fast_armor_credentials);
+ if (armor_creds == NULL) {
+ creds->krb5_fast_armor_credentials = NULL;
+ return NT_STATUS_OK;
+ }
+
+ creds->krb5_fast_armor_credentials = talloc_reference(creds, armor_creds);
+ if (creds->krb5_fast_armor_credentials == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ creds->krb5_require_fast_armor = require_fast_armor;
+
+ return NT_STATUS_OK;
+}
+
+struct cli_credentials *cli_credentials_get_krb5_fast_armor_credentials(struct cli_credentials *creds)
+{
+ return creds->krb5_fast_armor_credentials;
+}
+
+bool cli_credentials_get_krb5_require_fast_armor(struct cli_credentials *creds)
+{
+ return creds->krb5_require_fast_armor;
+}
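Review bot: Nothing at the new `talloc_reference(dst, ...)` call in cli_credentials_shallow_copy says why it is needed, and `armor_credentials` exists only to carry its result to the NULL check. After `*dst = *src` the copy holds the source's armor pointer without a reference of its own, so the copy could outlive the armor credentials if the source drops them first; a comment such as `/* *dst = *src copied a borrowed pointer; take our own reference so the armor credentials outlive src */` would make that explicit. It is also worth recording there that the armor credentials are shared with the source rather than copied (they do not go through `cli_credentials_shallow_ccache()` here), so a change made through either owner is seen by both. The function starts before and continues after this hunk.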
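Review bot: In cli_credentials_set_krb5_fast_armor_credentials the `armor_creds == NULL` branch returns before `creds->krb5_require_fast_armor` is assigned, so the `require_fast_armor` argument is silently ignored on that path: a caller passing `true` leaves the flag at its previous value (possibly false), and a caller clearing the armor leaves a stale `true` behind. The old reference is also unlinked before the new one is taken, so a failed `talloc_reference()` returns NT_STATUS_NO_MEMORY with the previous armor already dropped and the field set to NULL; if a caller ignores the status and the flag is false, later exchanges could presumably run unarmored (the code that consumes these fields is outside this diff). Taking the new reference first and then committing pointer and flag together avoids both problems; the fence shows the rewritten body. Separately, the three new definitions lack the `_PUBLIC_` marker that `cli_credentials_shallow_copy` and `cli_credentials_get_aes256_key` carry in this file.

```c
/* … unchanged: signature of cli_credentials_set_krb5_fast_armor_credentials … */
{
	struct cli_credentials *new_ref = NULL;

	if (armor_creds != NULL) {
		/* Take the new reference first so a failure leaves creds untouched */
		new_ref = talloc_reference(creds, armor_creds);
		if (new_ref == NULL) {
			return NT_STATUS_NO_MEMORY;
		}
	}

	if (creds->krb5_fast_armor_credentials != NULL) {
		talloc_unlink(creds, creds->krb5_fast_armor_credentials);
	}

	/* Commit pointer and policy together, on the clear path as well */
	creds->krb5_fast_armor_credentials = new_ref;
	creds->krb5_require_fast_armor = require_fast_armor;

	return NT_STATUS_OK;
}
```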