
3.3.5.6 AS Exchange

Kerberos V5 specifies the AS exchange ([RFC4120] section 3.1). KILE also supports extensions to the AS exchange specified in [Referrals-11], [RFC5349], [RFC4556], and [MS-PKCA].

If Pre-AuthenticationNotRequired is set to TRUE on the principal, the KDC MUST issue a TGT without validating any pre-authentication data ([RFC4120] section 7.5.2) that is provided.

If DES is used for pre-authentication, the KDC MUST:<47>

  • If UseDESOnly is not set: the KDC MUST return KDC_ERR_ETYPE_NOTSUPP.

  • Otherwise, if the account is:

    • krbtgt: the KDC MUST return KDC_ERR_ETYPE_NOTSUPP.

    • The computer account of a KDC: the KDC MUST return KDC_ERR_ETYPE_NOTSUPP.

The KDC SHOULD<48> return in the encrypted part of the AS-REP message PA-DATA with padata-type set to PA-SUPPORTED-ENCTYPES (165), to indicate what encryption types are supported by the KDC, and whether Claims or FAST are supported.<49>

If domainControllerFunctionality returns a value >= 6 ([MS-ADTS] section 3.1.1.3.2.25), the KDC MUST check whether the account is a member of PROTECTED_USERS ([MS-DTYP] section 2.4.2.4). If it is a member of PROTECTED_USERS, then:<50>

  • If pre-authentication used DES or RC4, the KDC MUST return KDC_ERR_POLICY.

  • MaxRenewAge (section 3.3.1) for the TGT is 4 hours unless specified by policy.

  • MaxTicketAge (section 3.3.1) for the TGT is 4 hours unless specified by policy.

If domainControllerFunctionality returns a value >= 6, the KDC MUST determine whether an Authentication Policy is applied to the account (section 3.3.5.5). If Enforced is TRUE, then:<51>

  • If TGTLifetime is not 0: MaxRenewAge for the TGT is TGTLifetime.

  • If TGTLifetime is not 0: MaxTicketAge for the TGT is TGTLifetime.

  • If AllowedToAuthenticateFrom is not NULL, the KDC MUST use the PAC of the armor TGT to perform an access check for the ACTRL_DS_CONTROL_ACCESS right, with the additional rights GUID, against AllowedToAuthenticateFrom. If the access check fails, the KDC MUST return KDC_ERR_POLICY.

The KDC SHOULD check whether the krbtgt account has the UseDESOnly flag:

  • If the UseDESOnly flag is set: the KDC SHOULD, in the encrypted pre-auth data part ([Referrals-11], Appendix A) of the AS-REP message, include PA-DATA with the padata-type set to PA-SUPPORTED-ENCTYPES (165), and the padata-value set to 0x3 (section 2.2.6).

  • Otherwise:

    • If domainControllerFunctionality returns a value < 3 ([MS-ADTS] section 3.1.1.3.2.25): the KDC SHOULD, in the encrypted pre-auth data part ([Referrals-11], Appendix A) of the AS-REP message, include PA-DATA with the padata-type set to PA-SUPPORTED-ENCTYPES (165), and the padata-value set to 0x7 (section 2.2.6).

    • If domainControllerFunctionality returns a value >= 3: the KDC SHOULD, in the encrypted pre-auth data part ([Referrals-11], Appendix A) of the AS-REP message, include PA-DATA with the padata-type set to PA-SUPPORTED-ENCTYPES (165), and the padata-value set to 0x1F (section 2.2.6).
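The KDC-side decisions described in this section (DES pre-authentication, PROTECTED_USERS lifetimes, an enforced Authentication Policy, and the PA-SUPPORTED-ENCTYPES value), as an added Python example that is not Microsoft's code and not part of this document. The enctype name strings, the Account and AuthPolicy fields, and the default lifetime are this example's own assumptions, and the outcome of the AllowedToAuthenticateFrom access check is passed in rather than computed.

```python
from dataclasses import dataclass
from datetime import timedelta
from typing import Optional, Tuple

# Enctype names are this example's own labels; the page only says "DES" and "RC4".
DES_TYPES = {"des-cbc-crc", "des-cbc-md5"}
RC4_TYPES = {"rc4-hmac"}
PA_SUPPORTED_ENCTYPES = 165  # padata-type given on this page

@dataclass
class Account:
    name: str
    use_des_only: bool = False
    is_kdc_computer: bool = False
    protected_user: bool = False  # member of PROTECTED_USERS

@dataclass
class AuthPolicy:
    enforced: bool
    tgt_lifetime: Optional[timedelta] = None  # None stands for the page's "TGTLifetime is 0"
    # Outcome of the ACTRL_DS_CONTROL_ACCESS check; None means AllowedToAuthenticateFrom is NULL
    allowed_from_check_passed: Optional[bool] = None

def supported_enctypes_value(krbtgt_use_des_only: bool, dc_functionality: int) -> int:
    """padata-value for PA-SUPPORTED-ENCTYPES, using the three values stated on this page."""
    if krbtgt_use_des_only:
        return 0x3
    return 0x7 if dc_functionality < 3 else 0x1F

def check_as_request(account: Account, preauth_etype: Optional[str], dc_functionality: int,
                     policy: Optional[AuthPolicy] = None,
                     default_age: timedelta = timedelta(hours=10)) -> Tuple[str, Optional[timedelta], Optional[timedelta]]:
    """Return (result, MaxTicketAge, MaxRenewAge); result is "OK" or a KDC error name.
    default_age is a constructed placeholder for the domain's normal TGT lifetime."""
    # DES pre-auth: only for UseDESOnly accounts, and never for krbtgt or a KDC's computer account
    if preauth_etype in DES_TYPES and (
            not account.use_des_only or account.name == "krbtgt" or account.is_kdc_computer):
        return ("KDC_ERR_ETYPE_NOTSUPP", None, None)
    ticket_age = renew_age = default_age
    if dc_functionality >= 6 and account.protected_user:
        if preauth_etype in DES_TYPES | RC4_TYPES:
            return ("KDC_ERR_POLICY", None, None)
        ticket_age = renew_age = timedelta(hours=4)  # 4 hours unless a policy says otherwise
    if dc_functionality >= 6 and policy is not None and policy.enforced:
        if policy.tgt_lifetime:  # TGTLifetime is not 0
            ticket_age = renew_age = policy.tgt_lifetime
        if policy.allowed_from_check_passed is False:  # AllowedToAuthenticateFrom check failed
            return ("KDC_ERR_POLICY", None, None)
    return ("OK", ticket_age, renew_age)
```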

© 2014 Microsoft