The following terms are defined in [MS-GLOS]:
Authentication Service (AS)
directory service (DS)
distinguished name (DN)
fully qualified domain name (FQDN)
Generic Security Services (GSS)
Internet host name
Key Distribution Center (KDC)
object identifier (OID)
privilege attribute certificate (PAC)
read-only domain controller (RODC)
Security Support Provider Interface (SSPI)
service principal name (SPN)
service (SRV) resource record
ticket-granting service (TGS)
ticket-granting service (TGS) exchange
ticket-granting ticket (TGT)
The following terms are specific to this document:
Compound identity TGS-REQ: A FAST TGS-REQ that uses explicit FAST armoring using the computer's TGT.
context session key: A variant of a cryptographic key used in the generation and processing of per-message tokens that uses the Kerberos session key directly ([RFC1964] section 1.2).
FAST armor: Using a TGT for the principal to protect Kerberos messages, as described in [RFC6113].
Flexible Authentication Secure Tunneling (FAST): FAST provides a protected channel between the client and the Key Distribution Center (KDC).
integrity level: The attributed trustworthiness of an entity or object.
"RestrictedKrbHost" services: The class of services that use SPNs with the serviceclass string equal to "RestrictedKrbHost", whose service tickets use the computer account's key and share a session key. For information on the serviceclass string, see section 18.104.22.168.
security package: The software implementation of a security protocol. Security packages are contained in security support provider components or security support provider/authentication package components.
MAY, SHOULD, MUST, SHOULD NOT, MUST NOT: These terms (in all caps) are used as described in [RFC2119]. All statements of optional behavior use either MAY, SHOULD, or SHOULD NOT.