2.2.65 FW_AUTH_SET

This structure contains a list of FW_AUTH_SUITE elements that are ordered from highest to lowest preference and are negotiated with remote peers to establish authentication algorithms.

 typedef struct _tag_FW_AUTH_SET {
   struct _tag_FW_AUTH_SET* pNext;
   unsigned short wSchemaVersion;
   [range(FW_IPSEC_PHASE_INVALID+1, FW_IPSEC_PHASE_MAX-1)]
     FW_IPSEC_PHASE IpSecPhase;
   [string, range(1,255), ref] wchar_t* wszSetId;
   [string, range(1,10001)] wchar_t* wszName;
   [string, range(1,10001)] wchar_t* wszDescription;
   [string, range(1,10001)] wchar_t* wszEmbeddedContext;
   [range(0,1000)] unsigned long dwNumSuites;
   [size_is(dwNumSuites)] PFW_AUTH_SUITE pSuites;
   [range(FW_RULE_ORIGIN_INVALID,FW_RULE_ORIGIN_MAX-1)]
     FW_RULE_ORIGIN_TYPE Origin;
   [string, range(1,10001)] wchar_t* wszGPOName;
   FW_RULE_STATUS Status;
   unsigned long dwAuthSetFlags;
 } FW_AUTH_SET,
  *PFW_AUTH_SET;

pNext: A pointer to the next FW_AUTH_SET in the list.

wSchemaVersion: Specifies the version of the set.

IpSecPhase: This field is of type FW_IPSEC_PHASE, and it specifies whether this authentication set applies to the first (Phase1) or the second (Phase2) authentication.

wszSetId: A pointer to a Unicode string that uniquely identifies the set. The primary set for this policy object is identified with the "{E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE3}" string for Phase1 and the "{E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE4}" string for Phase2.

wszName: A pointer to a Unicode string that provides a friendly name for the set.

wszDescription: A pointer to a Unicode string that provides a friendly description for the set.

wszEmbeddedContext: A pointer to a Unicode string that provides a way for applications to store relevant application-specific context that is related to the set.

dwNumSuites: Specifies the number of authentication suites that the structure contains.

pSuites: A pointer to an array of FW_AUTH_SUITE elements. The number of elements is given by dwNumSuites.

Origin: This field is the set origin, as specified in the FW_RULE_ORIGIN_TYPE enumeration. It MUST be filled on enumerated rules and ignored on input.

wszGPOName: A pointer to a Unicode string containing the displayName of the GPO containing this object. When adding a new object, this field is not used. The client SHOULD set the value to NULL, and the server MUST ignore the value. When enumerating an existing object, if the client does not set the FW_ENUM_RULES_FLAG_RESOLVE_GPO_NAME flag, the server MUST set the value to NULL. Otherwise, the server MUST set the value to the displayName of the GPO containing the object or NULL if the object is not contained within a GPO. For details about how the server initializes an object from a GPO, see section 3.1.3. For details about how the displayName of a GPO is stored, see [MS-GPOL] section 2.3.

Status: The status code of the set, which MUST be one of the values defined in the FW_RULE_STATUS enumeration. This field's value is assigned when the structure is returned as output. When first sent, this field MUST be set to FW_RULE_STATUS_OK.

dwAuthSetFlags: Bit flags from FW_AUTH_SET_FLAGS.

The following are semantic checks that authentication sets MUST pass:

  • The wSchemaVersion field MUST NOT be less than 0x000200.

  • The wszSetId field MUST NOT contain the pipe (|) character, MUST NOT be NULL, MUST be at least 1 character long, and MUST NOT be greater than or equal to 255 characters.

  • If the wszName field string is not NULL, it MUST be at least 1 character long, MUST NOT be greater than or equal to 10,000 characters, and MUST NOT contain the pipe (|) character.

  • If the wszDescription field string is not NULL, it MUST be at least 1 character long, MUST NOT be greater than or equal to 10,000 characters, and MUST NOT contain the pipe (|) character.

  • If the wszEmbeddedContext field string is not NULL, it MUST be at least 1 character long, its length MUST NOT be greater than or equal to 10,000 characters, and MUST NOT contain the pipe (|) character.

  • If the method of a suite is machine certificate or user certificate, and its pCertCriteria field is not NULL, then the wSchemaVersion of the pCertCriteria field MUST be equal to the schema version specified in the wSchemaVersion field of the auth set containing the suite.

  • The IpSecPhase field MUST have valid FW_IPSEC_PHASE values.

  • If IpSecPhase is FW_IPSEC_PHASE_1:

    • The wszSetId field MUST NOT have the primary phase 1 authentication set ID as a prefix.

    • The authentication set MUST have at least one authentication suite.

    • The dwNumSuites field MUST agree with the pSuites field.

    • The method of each authentication suite MUST be one of FW_AUTH_METHOD_ANONYMOUS, FW_AUTH_METHOD_MACHINE_KERB, FW_AUTH_METHOD_MACHINE_NTLM, FW_AUTH_METHOD_MACHINE_CERT, or FW_AUTH_METHOD_MACHINE_SHKEY.

    • Authentication suites that have a method other than machine certificate MUST have the wFlags field of the same suite set to 0.

    • If the set schema policy version is 0x200, the wFlags field MUST NOT contain the FW_AUTH_SUITE_FLAGS_CERT_SIGNING_ECDSA256 or the FW_AUTH_SUITE_FLAGS_CERT_SIGNING_ECDSA384 flags.

    • The wFlags field MUST NOT contain both the FW_AUTH_SUITE_FLAGS_CERT_SIGNING_ECDSA256 and the FW_AUTH_SUITE_FLAGS_CERT_SIGNING_ECDSA384 flags.

    • All suites that have the FW_AUTH_METHOD_MACHINE_CERT method and a wFlags field with the FW_AUTH_SUITE_FLAGS_CERT_SIGNING_ECDSA256 flag set, MUST be contiguous. The same applies for those suites that have the FW_AUTH_SUITE_FLAGS_CERT_SIGNING_ECDSA384 flag set, and those suites that have neither flag set (they default to RSA signing).

    • All such contiguous suites that have a specific signing flag (either none, ECDSA256, or ECDSA384) MUST have the same value for the FW_AUTH_SUITE_FLAGS_HEALTH_CERT flag.

    • The set MUST NOT have more than one suite that has the anonymous method (FW_AUTH_METHOD_ANONYMOUS), or that has the machine kerb method (FW_AUTH_METHOD_MACHINE_KERB), or that has the machine ntlm method (FW_AUTH_METHOD_MACHINE_NTLM), or that has the machine shkey method (FW_AUTH_METHOD_MACHINE_SHKEY), as defined in section 2.2.60.<19>

    • The set MUST NOT have both a suite that has an NTLM Authentication Protocol method (as specified in [MS-NLMP]) and a suite that has the SHKey method.

    • If the set has a machine certificate suite that has a wFlags field that contains the flag FW_AUTH_SUITE_FLAGS_HEALTH_CERT, all machine certificate method suites in the set MUST also have this flag.

    • If the set schema policy version is less than 0x214, the set MUST NOT have suites that contain the FW_AUTH_METHOD_MACHINE_NEGOEX authentication method.

  • If the IpSecPhase is FW_IPSEC_PHASE_2:

    • The wszSetId MUST NOT have the primary phase 2 authentication set ID as a prefix.

    • The dwNumSuites field MUST agree with the pSuites field.

    • The method of each authentication suite MUST be one of FW_AUTH_METHOD_ANONYMOUS, FW_AUTH_METHOD_USER_KERB, FW_AUTH_METHOD_USER_NTLM, FW_AUTH_METHOD_USER_CERT, or FW_AUTH_METHOD_MACHINE_CERT.

    • The set MUST NOT have a suite that has the anonymous method as the only suite.

    • Suites in the set MUST NOT contain FW_AUTH_SUITE_FLAGS_CERT_EXCLUDE_CA_NAME.

    • Suites that have user certificate methods MUST NOT contain the FW_AUTH_SUITE_FLAGS_HEALTH_CERT flag; however, suites that have machine certificate methods MUST contain it.

    • Authentication suites that have a method other than machine certificate or user certificate MUST have the wFlags field of the same suite set to 0.

    • If the set schema policy version is 0x200, the wFlags field MUST NOT contain the FW_AUTH_SUITE_FLAGS_CERT_SIGNING_ECDSA256 or the FW_AUTH_SUITE_FLAGS_CERT_SIGNING_ECDSA384 flags.

    • The wFlags field MUST NOT contain both the FW_AUTH_SUITE_FLAGS_CERT_SIGNING_ECDSA256 and the FW_AUTH_SUITE_FLAGS_CERT_SIGNING_ECDSA384 flags.

    • All suites that have a FW_AUTH_METHOD_MACHINE_CERT method and a wFlags field with the FW_AUTH_SUITE_FLAGS_CERT_SIGNING_ECDSA256 flag set, MUST be contiguous. The same applies to those suites that have the FW_AUTH_SUITE_FLAGS_CERT_SIGNING_ECDSA384 flag set and those suites that have neither flag set (they default to RSA signing).

    • The set MUST NOT have more than one suite that has the anonymous method (FW_AUTH_METHOD_ANONYMOUS), or that has the user kerb method (FW_AUTH_METHOD_USER_KERB), or that has the user ntlm method (FW_AUTH_METHOD_USER_NTLM), as defined in section 2.2.60.<20>

    • A set that contains a suite that has the machine certificate method MUST NOT contain suites that have the user certificate method.

    • A set that contains a suite that has the machine certificate method MUST only contain suites that have machine certificate or anonymous methods.
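The field rules and the semantic checks above, carried through as an added Python validator. This is example code written for this section; it is not part of [MS-FASP] and not the code of any Windows component. The Method and Flags member names are the specification's, but their values and bit positions here are assumed for illustration and are not the wire encoding; the dataclass field names, the helper names, and the reading of "contiguous" as adjacent positions in pSuites are likewise the example's own choices, and the two sample sets at the end are constructed.

```python
"""Validator for the FW_AUTH_SET semantic checks of section 2.2.65 (added example)."""
from dataclasses import dataclass
from enum import Enum, IntFlag
from typing import List, Optional


class Method(Enum):  # FW_AUTH_METHOD names from the spec; the values are just the names
    ANONYMOUS = "FW_AUTH_METHOD_ANONYMOUS"
    MACHINE_KERB = "FW_AUTH_METHOD_MACHINE_KERB"
    MACHINE_NTLM = "FW_AUTH_METHOD_MACHINE_NTLM"
    MACHINE_CERT = "FW_AUTH_METHOD_MACHINE_CERT"
    MACHINE_SHKEY = "FW_AUTH_METHOD_MACHINE_SHKEY"
    MACHINE_NEGOEX = "FW_AUTH_METHOD_MACHINE_NEGOEX"
    USER_KERB = "FW_AUTH_METHOD_USER_KERB"
    USER_NTLM = "FW_AUTH_METHOD_USER_NTLM"
    USER_CERT = "FW_AUTH_METHOD_USER_CERT"


class Flags(IntFlag):  # FW_AUTH_SUITE_FLAGS names; bit positions assumed, not the wire values
    NONE = 0
    CERT_EXCLUDE_CA_NAME = 1
    HEALTH_CERT = 2
    CERT_SIGNING_ECDSA256 = 4
    CERT_SIGNING_ECDSA384 = 8


M = Method
ECDSA = Flags.CERT_SIGNING_ECDSA256 | Flags.CERT_SIGNING_ECDSA384
PRIMARY_SET_ID = {1: "{E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE3}",  # Phase1 primary set
                  2: "{E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE4}"}  # Phase2 primary set
ALLOWED = {1: {M.ANONYMOUS, M.MACHINE_KERB, M.MACHINE_NTLM, M.MACHINE_CERT, M.MACHINE_SHKEY},
           2: {M.ANONYMOUS, M.USER_KERB, M.USER_NTLM, M.USER_CERT, M.MACHINE_CERT}}
AT_MOST_ONE = {1: {M.ANONYMOUS, M.MACHINE_KERB, M.MACHINE_NTLM, M.MACHINE_SHKEY},
               2: {M.ANONYMOUS, M.USER_KERB, M.USER_NTLM}}
MAY_HAVE_FLAGS = {1: {M.MACHINE_CERT}, 2: {M.MACHINE_CERT, M.USER_CERT}}  # others need wFlags == 0


@dataclass
class AuthSuite:  # the FW_AUTH_SUITE fields these checks look at
    method: Method
    flags: Flags = Flags.NONE
    cert_criteria_schema: Optional[int] = None  # wSchemaVersion of pCertCriteria, if not NULL


@dataclass
class AuthSet:  # the FW_AUTH_SET fields these checks look at
    schema_version: int
    phase: int  # IpSecPhase: 1 or 2
    set_id: Optional[str]
    suites: List[AuthSuite]
    num_suites: Optional[int] = None  # dwNumSuites; None means "equal to len(suites)"
    name: Optional[str] = None
    description: Optional[str] = None
    embedded_context: Optional[str] = None


def _check_string(errors, label, s, limit, required=False):
    """1 <= len(s) < limit and no pipe character; NULL is accepted unless required."""
    if s is None:
        if required:
            errors.append(f"{label} MUST NOT be NULL")
    elif not 1 <= len(s) < limit or "|" in s:
        errors.append(f"{label} MUST be 1..{limit - 1} characters and contain no '|'")


def validate(a: AuthSet) -> List[str]:
    """Return the list of violated checks; an empty list means the set passes."""
    errors: List[str] = []
    if a.schema_version < 0x200:
        errors.append("wSchemaVersion MUST NOT be less than 0x200")
    _check_string(errors, "wszSetId", a.set_id, 255, required=True)
    for label, s in (("wszName", a.name), ("wszDescription", a.description),
                     ("wszEmbeddedContext", a.embedded_context)):
        _check_string(errors, label, s, 10000)
    if a.phase not in PRIMARY_SET_ID:
        errors.append("IpSecPhase MUST be FW_IPSEC_PHASE_1 or FW_IPSEC_PHASE_2")
        return errors
    if a.set_id and a.set_id.startswith(PRIMARY_SET_ID[a.phase]):
        errors.append(f"wszSetId MUST NOT have the primary phase {a.phase} set ID as a prefix")
    if a.phase == 1 and not a.suites:
        errors.append("a phase 1 set MUST have at least one suite")
    if (len(a.suites) if a.num_suites is None else a.num_suites) != len(a.suites):
        errors.append("dwNumSuites MUST agree with pSuites")
    methods = [s.method for s in a.suites]
    for i, s in enumerate(a.suites):
        if s.method not in ALLOWED[a.phase]:
            errors.append(f"suite {i}: {s.method.value} is not permitted in phase {a.phase}")
        if s.method not in MAY_HAVE_FLAGS[a.phase] and s.flags != 0:
            errors.append(f"suite {i}: wFlags MUST be 0 for a non-certificate method")
        if s.method in (M.MACHINE_CERT, M.USER_CERT) and \
                s.cert_criteria_schema not in (None, a.schema_version):
            errors.append(f"suite {i}: pCertCriteria wSchemaVersion MUST equal the set's")
        if a.schema_version == 0x200 and s.flags & ECDSA:
            errors.append(f"suite {i}: ECDSA signing flags are not allowed at schema 0x200")
        if (s.flags & ECDSA) == ECDSA:
            errors.append(f"suite {i}: ECDSA256 and ECDSA384 MUST NOT both be set")
        if a.phase == 2:
            if Flags.CERT_EXCLUDE_CA_NAME in s.flags:
                errors.append(f"suite {i}: CERT_EXCLUDE_CA_NAME is not allowed in phase 2")
            if s.method == M.USER_CERT and Flags.HEALTH_CERT in s.flags:
                errors.append(f"suite {i}: a user certificate suite MUST NOT set HEALTH_CERT")
            if s.method == M.MACHINE_CERT and Flags.HEALTH_CERT not in s.flags:
                errors.append(f"suite {i}: a phase 2 machine certificate suite MUST set HEALTH_CERT")
    for m in AT_MOST_ONE[a.phase]:
        if methods.count(m) > 1:
            errors.append(f"at most one suite may use {m.value}")
    # Machine certificate suites grouped by signing algorithm (RSA/none, ECDSA256, ECDSA384).
    # Each group MUST be contiguous; this example reads that as adjacent positions in pSuites.
    groups = {}
    for i, s in enumerate(a.suites):
        if s.method == M.MACHINE_CERT:
            groups.setdefault(s.flags & ECDSA, []).append(i)
    for kind, pos in groups.items():
        if pos != list(range(pos[0], pos[-1] + 1)):
            errors.append(f"machine certificate suites with signing flags {kind.name} MUST be contiguous")
        if a.phase == 1 and len({Flags.HEALTH_CERT in a.suites[i].flags for i in pos}) > 1:
            errors.append(f"machine certificate suites with signing flags {kind.name} MUST agree on HEALTH_CERT")
    if a.phase == 1:
        if M.MACHINE_NTLM in methods and M.MACHINE_SHKEY in methods:
            errors.append("a set MUST NOT combine an NTLM suite with a SHKey suite")
        if len({Flags.HEALTH_CERT in a.suites[i].flags for p in groups.values() for i in p}) > 1:
            errors.append("if one machine certificate suite sets HEALTH_CERT, all MUST")
        if a.schema_version < 0x214 and M.MACHINE_NEGOEX in methods:
            errors.append("NEGOEX suites require schema version 0x214 or later")
    else:
        if methods == [M.ANONYMOUS]:
            errors.append("the anonymous method MUST NOT be the only suite in a phase 2 set")
        if M.MACHINE_CERT in methods and not set(methods) <= {M.MACHINE_CERT, M.ANONYMOUS}:
            errors.append("a phase 2 set with a machine certificate suite MUST only contain "
                          "machine certificate or anonymous suites")
    return errors


# Constructed sample sets (not taken from the specification).
GOOD_PHASE1 = AuthSet(
    schema_version=0x214, phase=1, set_id="{00000000-0000-0000-0000-000000000001}",
    name="Domain machines", suites=[
        AuthSuite(M.MACHINE_KERB),
        AuthSuite(M.MACHINE_CERT, Flags.HEALTH_CERT),
        AuthSuite(M.MACHINE_CERT, Flags.HEALTH_CERT | Flags.CERT_SIGNING_ECDSA256),
    ])
BAD_PHASE1 = AuthSet(  # five distinct violations, one per comment
    schema_version=0x200, phase=1,
    set_id=PRIMARY_SET_ID[1] + "-copy",  # primary set ID used as a prefix
    suites=[
        AuthSuite(M.MACHINE_NTLM),  # NTLM together with SHKey below
        AuthSuite(M.MACHINE_SHKEY, Flags.HEALTH_CERT),  # wFlags MUST be 0 for SHKey
        AuthSuite(M.MACHINE_CERT, Flags.CERT_SIGNING_ECDSA256),  # ECDSA at schema 0x200
    ],
    num_suites=2)  # disagrees with the three entries in pSuites

if __name__ == "__main__":
    for label, s in (("good", GOOD_PHASE1), ("bad", BAD_PHASE1)):
        print(label, validate(s) or "passes")
```

The validator returns every violated rule rather than stopping at the first, which is what you want when auditing policy pulled from a GPO: one pass shows everything that a server enforcing these checks would reject. Three rules interact and are worth noting when reading the results: a NEGOEX suite in phase 1 trips both the method list and the 0x214 version check, a phase 2 machine certificate suite without FW_AUTH_SUITE_FLAGS_HEALTH_CERT is reported per suite, and the last two phase 2 rules are implemented as the single "only machine certificate or anonymous" check, which subsumes the prohibition on mixing machine and user certificate suites.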