3.4.5.3 Processing Authorization Data

Kerberos V5 specifies rules for processing the authorization data field in [RFC4120] section 5.2.6.

KILE MUST unpack the authorization data field ([RFC4120] section 5.2.6) and look for an AD-WIN2K-PAC structure ([RFC4120] section 7.5.4). If the structure is valid according to the PAC specification [MS-PAC], the server MUST verify the server signature. To verify the server signature, the Signature field values are removed from the PAC buffer and replaced with zeros. Then the hash is generated as specified in [RFC4757], and the resulting hash is compared with the Signature field value of the server signature ([MS-PAC] section 2.8.1). If the PAC is valid, it SHOULD be used as the authorization information.

The server MUST check if KERB-AD-RESTRICTION-ENTRY.Restriction.MachineID (section 2.2.5) is equal to Machine ID (section 3.1.1.4):

  • If equal, the server SHOULD process the authentication as a local one, because the client and server are on the same machine, and MAY use the KERB-LOCAL AuthorizationData for any local implementation purposes.<76>

  • Otherwise, the server MUST ignore the KERB_AUTH_DATA_TOKEN_RESTRICTIONS [141] Authorization Data Type, the KERB-AD-RESTRICTION-ENTRY structure (section 2.2.5), the KERB-LOCAL (142), and the containing KERB-LOCAL structure (section 2.2.3).<77>

For KILE implementations that use a security identifier (SID)-based authorization model, the server SHOULD populate the User SID and Security Group SIDs in the ImpersonationAccessToken parameter (section 3.4.1) as follows:

  • Concatenate LogonDomainId ([MS-PAC] section 2.5) and UserId ([MS-PAC] section 2.5), add the result to the ImpersonationAccessToken.Sids array, and set the ImpersonationAccessToken.UserIndex field to this index.

  • Concatenate LogonDomainId ([MS-NRPC] sections 2.2.1.4.11, 2.2.1.4.12, and 2.2.1.4.13) and PrimaryGroupId ([MS-NRPC] sections 2.2.1.4.11, 2.2.1.4.12, and 2.2.1.4.13), add the result to the ImpersonationAccessToken.Sids array, and set the ImpersonationAccessToken.PrimaryGroup field to this index.

  • For each GroupIds ([MS-PAC] section 2.2.2), concatenate LogonDomainId ([MS-PAC] section 2.5) and GroupIds.RelativeID ([MS-PAC] section 2.2.2) and add to the ImpersonationAccessToken.Sids array.

  • For each ExtraSids ([MS-PAC] section 2.2.2), add the ExtraSids.Sid ([MS-PAC] section 2.2.2) to the ImpersonationAccessToken.Sids array.

  • If a PAC_CLIENT_CLAIMS_INFO structure ([MS-PAC] section 2.11) and CLAIMS_VALID SID ([MS-DTYP] section 2.4.2.4) are in KERB_VALIDATION_INFO.ExtraSids, then the server SHOULD set the ImpersonationAccessToken.UserClaims field to the value of the Claims field.<78>

  • If a PAC_DEVICE_INFO structure ([MS-PAC] section 2.12) and COMPOUNDED_AUTHENTICATION SID ([MS-DTYP] section 2.4.2.4) are in KERB_VALIDATION_INFO.ExtraSids, then the server SHOULD populate the User SID and Security Group SIDs in the ImpersonationAccessToken.DeviceSids array (section 3.4.1) as follows:<79>

    • Concatenate the AccountDomainId ([MS-PAC] section 2.12) and PrimaryGroupId ([MS-PAC] section 2.12) fields, add the result to the ImpersonationAccessToken.DeviceSids array, and set the ImpersonationAccessToken.DevicePrimaryGroup field to the index of the newly added SID.

    • For each AccountGroupIds ([MS-PAC] section 2.5), concatenate AccountDomainId ([MS-PAC] section 2.12) and AccountGroupIds.RelativeID ([MS-PAC] section 2.2.2) and add the result to the ImpersonationAccessToken.DeviceSids array.

    • For each ExtraSids ([MS-PAC] section 2.5), add the ExtraSids.Sid ([MS-PAC] section 2.5) to the ImpersonationAccessToken.DeviceSids array.

    • For each DomainGroup: for each DomainGroup.DomainId ([MS-PAC] section 2.2.3), concatenate DomainGroup.DomainId ([MS-PAC] section 2.2.3) and DomainGroup.GroupIds.RelativeID ([MS-PAC] section 2.2.2) and add to the ImpersonationAccessToken.DeviceSids array.

  • If CLAIMS_VALID SID ([MS-DTYP] section 2.4.2.4) is in PAC_DEVICE_INFO.ExtraSids and COMPOUNDED_AUTHENTICATION SID ([MS-DTYP] section 2.4.2.4) is in KERB_VALIDATION_INFO.ExtraSids, then the server SHOULD set ImpersonationAccessToken.DeviceClaims to Claims.<80>
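The SID-population steps above, worked through as an added example (not code from the specification or from any Windows implementation). It models SIDs as strings, "concatenate" as appending a RelativeID to the domain SID, and takes a KERB_VALIDATION_INFO-like dict whose keys mirror the [MS-PAC] field names; the sample PAC values and the claims blob are constructed, and the CLAIMS_VALID value is the well-known SID from [MS-DTYP] section 2.4.2.4.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Well-known SID ([MS-DTYP] section 2.4.2.4) that marks a PAC as carrying valid claims.
CLAIMS_VALID_SID = "S-1-5-21-0-0-0-497"


def concat_sid(domain_sid: str, rid: int) -> str:
    """The 'concatenate' step: append a RelativeID to a domain SID."""
    return f"{domain_sid}-{rid}"


@dataclass
class ImpersonationAccessToken:
    Sids: List[str] = field(default_factory=list)
    UserIndex: int = -1
    PrimaryGroup: int = -1
    UserClaims: Optional[bytes] = None


def build_token(validation_info: dict, client_claims: Optional[bytes] = None) -> ImpersonationAccessToken:
    """Populate Sids, UserIndex, PrimaryGroup and UserClaims from KERB_VALIDATION_INFO fields."""
    tok = ImpersonationAccessToken()
    dom = validation_info["LogonDomainId"]
    # User SID = LogonDomainId + UserId; remember where it landed.
    tok.Sids.append(concat_sid(dom, validation_info["UserId"]))
    tok.UserIndex = len(tok.Sids) - 1
    # Primary group SID = LogonDomainId + PrimaryGroupId.
    tok.Sids.append(concat_sid(dom, validation_info["PrimaryGroupId"]))
    tok.PrimaryGroup = len(tok.Sids) - 1
    # Each GroupIds entry = LogonDomainId + RelativeID.
    for grp in validation_info.get("GroupIds", []):
        tok.Sids.append(concat_sid(dom, grp["RelativeID"]))
    # ExtraSids are complete SIDs (other domains, well-known SIDs) and are added as-is.
    extra = [e["Sid"] for e in validation_info.get("ExtraSids", [])]
    tok.Sids.extend(extra)
    # Claims are honored only when the CLAIMS_VALID marker SID is present in ExtraSids.
    if client_claims is not None and CLAIMS_VALID_SID in extra:
        tok.UserClaims = client_claims
    return tok


# Constructed sample input (not real PAC data).
SAMPLE_INFO = {
    "LogonDomainId": "S-1-5-21-1111-2222-3333",
    "UserId": 1105,
    "PrimaryGroupId": 513,
    "GroupIds": [{"RelativeID": 513}, {"RelativeID": 1108}],
    "ExtraSids": [{"Sid": "S-1-18-1"}, {"Sid": CLAIMS_VALID_SID}],
}
```

The resulting Sids array is what the later GatherGroupMembershipForSystem step takes as InitialMembership.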

The server SHOULD call GatherGroupMembershipForSystem ([MS-DTYP] section 2.5.2.1.1) where InitialMembership contains the ImpersonationAccessToken.Sids array and set ImpersonationAccessToken.Sids array to FinalMembership.

The server SHOULD call AddPrivilegesToToken ([MS-DTYP] section 2.5.2.1.2) where Token contains ImpersonationAccessToken.

Other SIDs may be added to the ImpersonationAccessToken following authentication (see [MS-DTYP] section 2.7.1).

© 2014 Microsoft