
6 Appendix A: Product Behavior

The information in this specification is applicable to the following Microsoft products or supplemental software. References to product versions include released service packs:

  • Windows 2000 operating system

  • Windows XP operating system

  • Windows Server 2003 operating system

  • Windows Vista operating system

  • Windows Server 2008 operating system

  • Windows 7 operating system

  • Windows Server 2008 R2 operating system

  • Windows 8 operating system

  • Windows Server 2012 operating system

  • Windows 8.1 operating system

  • Windows Server 2012 R2 operating system

Exceptions, if any, are noted below. If a service pack or Quick Fix Engineering (QFE) number appears with the product version, behavior changed in that service pack or QFE. The new behavior also applies to subsequent service packs of the product unless otherwise specified. If a product edition appears with the product version, behavior is different in that product edition.

Unless otherwise specified, any statement of optional behavior in this specification that is prescribed using the terms SHOULD or SHOULD NOT implies product behavior in accordance with the SHOULD or SHOULD NOT prescription. Unless otherwise specified, the term MAY implies that the product does not follow the prescription.

<1> Section 1.3.2: Constrained delegation is not supported on Windows 2000.

<2> Section 1.3.3: In Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2, Service 1 and Service 2 must be in the same realm. The user, however, can be in a different realm.

<3> Section 1.3.3: The S4U protocol extensions are not supported on Windows 2000 or Windows XP.

<4> Section 1.5: Windows 2000 Server and Windows XP will ignore the S4U_DELEGATION_INFO PAC buffer if it is present. Windows 2000 Server and Windows XP can process the PAC_CLIENT_INFO buffer. For more information, see section 3.1.5.1.1.

<5> Section 2.2.2: Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 will send the PA-S4U-X509-USER padata type alone if the user's certificate is available. If the user's certificate is not available, it will send both the PA-S4U-X509-USER padata type and the PA-FOR-USER padata type. When the PA-S4U-X509-USER padata type is used without the user's certificate, the certificate field is not present.

Windows domain controllers starting with Windows Server 2008 first look for the information in the PA-S4U-X509-USER padata type, if present; if it is not present, Windows Server 2008 looks at the PA-FOR-USER padata type.

In Windows 2000 Server, Windows Server 2003, and Windows Server 2008 with SP2, KDCs do not add the PA-S4U-X509-USER padata type in the encrypted-pa-data field in TGS-REP.

<6> Section 2.2.2: As of Windows 7 and Windows Server 2008 R2, Windows S4U clients always set this option. If the KDC is running Windows Server 2008 R2, it will reply with the same option bit in the reply.

<7> Section 2.2.5: Resource-based constrained delegation is not supported in Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, or Windows Server 2008 R2.

<8> Section 3.1: Windows 2000 and Windows XP do not support S4U.

<9> Section 3.1.5.1.1: Claims are not supported in Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, or Windows Server 2008 R2.

<10> Section 3.1.5.1.1: Resource-based constrained delegation is not supported in Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, or Windows Server 2008 R2.

<11> Section 3.1.5.1.1.2: S4U2self requests using the user's certificate are supported only on Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2. Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 KDCs support a number of mapping options:

  • Based on the user principal name (UPN) contained in the SubjectAltName (SAN) field of the certificate

  • Based on the issuer name and subject name combination

  • Based on the subject name alone

  • Based on subject name and serial number in the certificate

  • Based on the subject key identifier

  • Based on the SHA1 hash of the public key

  • Based on the user's email name as defined in [RFC822]

The algorithm used to locate the user account is as follows:

  • If the certificate contains an SAN/UPN extension, the KDC uses that to map the client. If the certificate contains an SAN/UPN extension and no user object is found based on the UPN, the authentication fails.

  • If there is no UPN in the certificate, the KDC constructs the string "X509:<I><S>" (where "I" is the value from the Issuer field and "S" is the value from the Subject field in the certificate) to look up.

  • If there is no UPN in the certificate and no user object is located in the previous steps, the client account is looked up based on the distinguished name (DN) of the subject; the KDC constructs the "X509:<S>" string (where "S" is the value from the Subject field in the certificate) to look up.

  • If there is no UPN in the certificate and no user object is located in the previous steps, the KDC uses the subject and serial number to construct the "X509:<S><SR>" string (where "S" is the subject name and "SR" is the serial number from the certificate) to look up.

  • If there is no UPN in the certificate and no user object is located, and the client certificate contains a subject key identifier, the KDC constructs the "X509:<SKI>" string (where "SKI" is the subject key identifier) to look up.

  • If there is no UPN in the certificate and no user object is located in the previous steps, the KDC constructs the "X509:<SHA1-PUKEY>" string to look up.

  • If there is no UPN in the certificate and no user object is located in the previous steps, the client account is looked up based on the SAN/822name, and the KDC constructs the "X509:<RFC822>" string to look up.
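The lookup order above, as an added example that is not part of the specification or of any Windows implementation: a model of the KDC's account-location step that builds the candidate lookup strings in the order the appendix lists them and fails closed when a SAN/UPN is present but unmatched. The key layouts (`X509:<I>issuer<S>subject`, `X509:<S>subject<SR>serial`, and so on) follow the appendix's notation, and the directory contents are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class CertInfo:
    """Fields the KDC reads from the client certificate (constructed sample)."""
    issuer: str
    subject: str
    serial: str
    san_upn: Optional[str] = None      # SAN/UPN extension, if present
    ski: Optional[str] = None          # subject key identifier, if present
    sha1_pubkey: Optional[str] = None  # SHA1 hash of the public key, if present
    san_rfc822: Optional[str] = None   # SAN/822name, if present


def lookup_candidates(cert: CertInfo) -> List[str]:
    """Ordered lookup strings tried when the certificate carries no SAN/UPN.
    The order is the one the appendix gives; layout is assumed from its notation."""
    cands = [
        f"X509:<I>{cert.issuer}<S>{cert.subject}",       # issuer + subject
        f"X509:<S>{cert.subject}",                        # subject DN alone
        f"X509:<S>{cert.subject}<SR>{cert.serial}",       # subject + serial
    ]
    if cert.ski:
        cands.append(f"X509:<SKI>{cert.ski}")
    if cert.sha1_pubkey:
        cands.append(f"X509:<SHA1-PUKEY>{cert.sha1_pubkey}")
    if cert.san_rfc822:
        cands.append(f"X509:<RFC822>{cert.san_rfc822}")
    return cands


def locate_user(cert: CertInfo, by_upn: Dict[str, str],
                by_altsecid: Dict[str, str]) -> Optional[str]:
    """Return the mapped account name, or None when authentication fails."""
    if cert.san_upn is not None:
        # A UPN in the certificate is authoritative: no fallback to other mappings.
        return by_upn.get(cert.san_upn)
    for key in lookup_candidates(cert):
        acct = by_altsecid.get(key)
        if acct is not None:
            return acct
    return None


# Constructed sample directory: UPN -> account and altSecurityIdentities -> account.
SAMPLE_UPNS = {"alice@corp.example": "alice"}
SAMPLE_ALTSECIDS = {
    "X509:<I>CN=Corp CA<S>CN=bob": "bob",
    "X509:<SKI>0a1b2c": "carol",
}
```

A certificate whose SAN/UPN matches no account is rejected even when an issuer/subject entry would otherwise match, which is the fail-closed behaviour the first bullet describes.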

<12> Section 3.1.5.2.1: Resource-based constrained delegation is not supported in Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, or Windows Server 2008 R2.

<13> Section 3.1.5.2.1: Resource-based constrained delegation is not supported in Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, or Windows Server 2008 R2.

<14> Section 3.1.5.2.2: In Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2, the SFU client does not support referrals for S4U2Proxy.

<15> Section 3.1.5.2.3: In Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2, the SFU client does not support KRB-ERR-BADOPTION retries.

<16> Section 3.2: Windows 2000 KDCs do not support S4U.

<17> Section 3.2.1: Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 KDCs do not support ServicesAllowedToReceiveForwardedTicketsFrom.

<18> Section 3.2.5.1.2: Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 KDCs do not set the FORWARDABLE ticket flag based on the ServicesAllowedToSendForwardedTicketsTo parameter.

<19> Section 3.2.5.1.2: Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 KDCs do not set the FORWARDABLE ticket flag based on the ServicesAllowedToSendForwardedTicketsTo parameter.

<20> Section 3.2.5.1.2: In Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2, the SidCount field MUST be set to zero and the ExtraSids field MUST be NULL.

<21> Section 3.2.5.2: Windows 2000, Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 KDCs always return KRB-ERR-BADOPTION when the ticket is not forwardable.

<22> Section 3.2.5.2: Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 KDCs return KRB-ERR-BADOPTION whenever Service 1 and Service 2 do not belong to the same realm.

<23> Section 3.2.5.2.1: Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 KDCs do not support ServicesAllowedToReceiveForwardedTicketsFrom.

<24> Section 3.2.5.2.1: Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 KDCs do not support ServicesAllowedToReceiveForwardedTicketsFrom.

<25> Section 3.2.5.2.1.1: Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 KDCs do not support ServicesAllowedToReceiveForwardedTicketsFrom.

<26> Section 4.3: The TGS checks the service's account in Active Directory for the Allowed-to-Authenticate-for-Delegation setting. The UserAccountControl flag for this feature is 0x1000000.

The following behavior is applicable to Windows 7 and Windows Server 2008 R2 only: The padata type PA-S4U-X509-USER (ID 130) is used in the encrypted-pa-data and the KERB_S4U_OPTIONS_use_reply_key_usage option bit is set (KERB_S4U_OPTIONS_use_reply_key_usage is described in section 2.2.2).

© 2014 Microsoft