3.3.5.7 TGS Exchange

Kerberos V5 specifies the TGS exchange ([RFC4120] section 3.3).

KILE supports the following extensions to the TGS exchange:

  • Check Account Policy for Every Session Ticket Request

  • TGT without a PAC

  • Domain Local Group Membership

  • Cross-Domain Trust and Referrals

If the TGT received is encrypted with DES and is not a referral TGT from a realm that supports only DES, then the KDC MUST return KDC_ERR_ETYPE_NOTSUPP.<56>

If the server or service account has KerbSupportedEncryptionTypes populated with supported encryption types,<57> then the KDC SHOULD<58> return, in the encrypted part ([Referrals-11] Appendix A) of the TGS-REP message, PA-DATA with padata-type set to PA-SUPPORTED-ENCTYPES (165) to indicate which encryption types the server or service supports. If not, the KDC SHOULD<59> check the server or service account's UseDESOnly flag:

  • If UseDESOnly is set: the KDC SHOULD, in the encrypted pre-auth data part ([Referrals-11], Appendix A) of the TGS-REP message, include PA-DATA with the padata-type set to PA-SUPPORTED-ENCTYPES (165), and the padata-value set to 0x3 (section 2.2.6).

  • Otherwise:

    • If the account is krbtgt, and domainControllerFunctionality returns a value < 3 ([MS-ADTS] section 3.1.1.3.2.25): the KDC SHOULD, in the encrypted pre-auth data part ([Referrals-11], Appendix A) of the TGS-REP message, include PA-DATA with padata-type set to PA-SUPPORTED-ENCTYPES (165), and the padata-value set to 0x7 (section 2.2.6).

    • If the account is krbtgt, and domainControllerFunctionality returns a value >= 3: the KDC SHOULD, in the encrypted pre-auth data part ([Referrals-11], Appendix A) of the TGS-REP message, include PA-DATA with the padata-type set to PA-SUPPORTED-ENCTYPES (165) and the padata-value set to 0x1F (section 2.2.6), with the Claims-supported bit set if claims are supported and the FAST-supported bit set if FAST is supported.<60>

    • DES MUST NOT be used to protect the service ticket. If DES is the only configured etype, the KDC MUST return KDC_ERR_ETYPE_NOTSUPP.<61>
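The etype rules above (the DES-TGT check and the PA-SUPPORTED-ENCTYPES branches) as one decision procedure, added here as an example; it is not code from this specification or from any Windows KDC. It assumes the bit layout of section 2.2.6 for the FAST-supported (0x10000) and Claims-supported (0x40000) bits, which this page only references, and an assumed strongest-first preference among the non-DES etypes when the ticket key type is chosen; the account names and settings are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Bit flags from MS-KILE section 2.2.6 (assumed here; only the values 0x3, 0x7 and
# 0x1F appear on this page). The low five bits are etypes; FAST and Claims are
# capability bits that the krbtgt branch may add.
DES_CBC_CRC = 0x1
DES_CBC_MD5 = 0x2
RC4_HMAC = 0x4
AES128_CTS_HMAC_SHA1_96 = 0x8
AES256_CTS_HMAC_SHA1_96 = 0x10
FAST_SUPPORTED = 0x10000
CLAIMS_SUPPORTED = 0x40000

PA_SUPPORTED_ENCTYPES = 165
KDC_ERR_ETYPE_NOTSUPP = 14          # RFC 4120 section 7.5.9 error code


class KerberosError(Exception):
    """A KRB-ERROR the KDC would return instead of a TGS-REP."""
    def __init__(self, code: int, name: str):
        super().__init__(name)
        self.code = code


@dataclass
class ServiceAccount:
    name: str
    supported_enctypes: Optional[int] = None   # KerbSupportedEncryptionTypes; None = not populated
    use_des_only: bool = False                 # the UseDESOnly flag


def check_tgt_etype(tgt_is_des: bool, referral_from_des_only_realm: bool) -> None:
    """First rule on the page: a DES-encrypted TGT is rejected unless it is a
    referral TGT from a realm that supports only DES."""
    if tgt_is_des and not referral_from_des_only_realm:
        raise KerberosError(KDC_ERR_ETYPE_NOTSUPP, "KDC_ERR_ETYPE_NOTSUPP")


def supported_enctypes_padata(account: ServiceAccount, dc_functionality: int,
                              claims: bool = False, fast: bool = False):
    """Return the (padata-type, padata-value) the KDC places in the encrypted part
    of the TGS-REP, or None when none of the page's branches applies."""
    if account.supported_enctypes is not None:
        value = account.supported_enctypes
    elif account.use_des_only:
        value = 0x3                                   # DES-CBC-CRC | DES-CBC-MD5
    elif account.name == "krbtgt" and dc_functionality < 3:
        value = 0x7                                   # DES + RC4-HMAC
    elif account.name == "krbtgt":
        value = 0x1F                                  # DES + RC4 + AES128 + AES256
        value |= CLAIMS_SUPPORTED if claims else 0
        value |= FAST_SUPPORTED if fast else 0
    else:
        return None
    return (PA_SUPPORTED_ENCTYPES, value)


# Preference order for the service ticket key, strongest first (assumed; the page
# only says that DES is excluded).
TICKET_ETYPE_PREFERENCE = (AES256_CTS_HMAC_SHA1_96, AES128_CTS_HMAC_SHA1_96, RC4_HMAC)


def select_ticket_etype(configured: int) -> int:
    """Last rule of the list: the service ticket is never protected with DES, and a
    DES-only configuration yields KDC_ERR_ETYPE_NOTSUPP even though the KDC may
    still have advertised 0x3 for a UseDESOnly account."""
    for etype in TICKET_ETYPE_PREFERENCE:
        if configured & etype:
            return etype
    raise KerberosError(KDC_ERR_ETYPE_NOTSUPP, "KDC_ERR_ETYPE_NOTSUPP")


if __name__ == "__main__":
    # Constructed accounts, not real directory data.
    for acct, dcfl in ((ServiceAccount("krbtgt"), 2),
                       (ServiceAccount("krbtgt"), 6),
                       (ServiceAccount("http/web", supported_enctypes=0x18), 6),
                       (ServiceAccount("legacy", use_des_only=True), 6)):
        padata = supported_enctypes_padata(acct, dcfl, claims=True, fast=True)
        try:
            etype = hex(select_ticket_etype(padata[1]))
        except KerberosError as e:
            etype = str(e)
        print(acct.name, dcfl, padata and hex(padata[1]), etype)
```

The two functions are deliberately separate: what the KDC advertises to the client (the padata value) and what it actually uses to protect the ticket are different decisions, and the UseDESOnly branch is the case where they disagree.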

If the Application Server's service account AuthorizationDataNotRequired is set to TRUE, the KDC MUST NOT include a PAC in the service ticket.

If the OTHER_ORGANIZATION SID ([MS-DTYP] section 2.4.2.4) is in KERB_VALIDATION_INFO.ExtraSids, the PAC MUST be used to perform an access check for the Allowed-To-Authenticate right ([MS-ADTS] section 6.1.1.2.7.41) against the Active Directory object of the account for which the service ticket request is being made. If the access check succeeds, the service ticket MUST be issued; otherwise, the KDC MUST return KDC_ERR_POLICY.

If domainControllerFunctionality returns a value >= 6 ([MS-ADTS] section 3.1.1.3.2.25), the KDC MUST determine whether an Authentication Policy is applied to the server or service (section 3.3.5.5); if Enforced is TRUE then:<62>

  • If AllowedToAuthenticateTo is not NULL, the PAC of the user and the PAC of the armor TGT MUST be used to perform an access check for the ACTRL_DS_CONTROL_ACCESS right with additional rights GUID against the AllowedToAuthenticateTo. If the access check fails, the KDC MUST return KDC_ERR_POLICY.

If there are no claims in the PAC and the PA-PAC-OPTIONS [167] (section 2.2.9) PA-DATA type does not have the Claims bit set, then the KDC SHOULD NOT call the TransformClaimsOnTrustTraversal procedure ([MS-ADTS] section 3.1.1.11.2.11). Otherwise the KDC SHOULD call this procedure.<63>

When KERB-LOCAL data is present, the KDC SHOULD copy the authorization data field ([RFC4120] section 5.2.6) with ad-type KERB-LOCAL (142) and ad-data containing KERB-LOCAL structure (section 2.2.3) as an AD-IF-RELEVANT to the end of authorization data in the service ticket.<64>

The KILE KDC MUST copy the populated fields from the PAC in the TGT to the newly created PAC and, after processing all fields it supports, the KILE KDC MUST generate a new Server Signature (section 3.3.5.6.3.3) and KDC Signature (section 3.3.5.6.3.4) which replace the existing signature fields in the PAC. The KDC MUST ensure that the PAC structure specified in [MS-PAC] does not end with a zero-length buffer.
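The copy-and-re-sign step above, together with the trailing zero-length-buffer check, as an added example that is not code from this specification or from Windows. It follows the PACTYPE/PAC_INFO_BUFFER layout and the signature rules of [MS-PAC] sections 2.3, 2.4 and 2.8 as the editor understands them, and implements only the KERB_CHECKSUM_HMAC_MD5 checksum of RFC 4757 section 4 (the AES checksum types would need RFC 3962 key derivation); the PAC payloads and the keys are constructed placeholders, and the whole PAC is copied rather than individual fields.

```python
import hashlib
import hmac
import struct

# PAC_INFO_BUFFER types (MS-PAC section 2.4) used in this example.
PAC_LOGON_INFO = 0x1
PAC_SERVER_CHECKSUM = 0x6     # signed with the ticket's service key
PAC_PRIVSVR_CHECKSUM = 0x7    # KDC signature, made with the krbtgt key
PAC_CLIENT_INFO = 0xA
# Only KERB_CHECKSUM_HMAC_MD5 (RFC 4757 section 4, 16-byte output) is implemented
# because it needs no AES key derivation; both PAC signatures use key usage 17.
KERB_CHECKSUM_HMAC_MD5 = 0xFFFFFF76
SIG_LEN = 16
KERB_NON_KERB_CKSUM_SALT = 17

def hmac_md5_checksum(key, usage, data):
    """Ksign = HMAC-MD5(key, "signaturekey\\0"); HMAC-MD5(Ksign, MD5(usage || data))."""
    ksign = hmac.new(key, b"signaturekey\x00", hashlib.md5).digest()
    tmp = hashlib.md5(struct.pack("<I", usage) + data).digest()
    return hmac.new(ksign, tmp, hashlib.md5).digest()

def build_pac(buffers):
    """Serialize [(ulType, payload), ...] as PACTYPE + PAC_INFO_BUFFER array (MS-PAC 2.3/2.4)."""
    offset = 8 + 16 * len(buffers)      # header size is already a multiple of 8
    table, body = b"", b""
    for ul_type, payload in buffers:
        table += struct.pack("<IIQ", ul_type, len(payload), offset)
        padded = payload + b"\x00" * (-len(payload) % 8)   # every Offset stays 8-aligned
        body += padded
        offset += len(padded)
    return struct.pack("<II", len(buffers), 0) + table + body

def parse_pac(blob):
    """Return {ulType: (cbBufferSize, Offset)} after bounds-checking every entry."""
    count, version = struct.unpack_from("<II", blob, 0)
    if version != 0 or 8 + 16 * count > len(blob):
        raise ValueError("bad PACTYPE header")
    entries = {}
    for i in range(count):
        ul_type, size, off = struct.unpack_from("<IIQ", blob, 8 + 16 * i)
        if off % 8 or off + size > len(blob):
            raise ValueError("PAC_INFO_BUFFER misaligned or out of range")
        entries[ul_type] = (size, off)
    return entries

def ends_with_zero_length_buffer(blob):
    """The check the text requires: the final PAC_INFO_BUFFER must not be empty."""
    count = struct.unpack_from("<I", blob, 0)[0]
    return struct.unpack_from("<IIQ", blob, 8 + 16 * (count - 1))[1] == 0

def _zeroed_with_slices(blob):
    """Copy of the PAC with both Signature fields (after the 4-byte SignatureType,
    MS-PAC 2.8) zeroed, plus the slice of each Signature field."""
    entries, slices = parse_pac(blob), {}
    pac = bytearray(blob)
    for t in (PAC_SERVER_CHECKSUM, PAC_PRIVSVR_CHECKSUM):
        size, off = entries[t]
        if struct.unpack_from("<I", blob, off)[0] != KERB_CHECKSUM_HMAC_MD5 or size < 4 + SIG_LEN:
            raise ValueError("checksum type not supported by this example")
        slices[t] = slice(off + 4, off + 4 + SIG_LEN)
        pac[slices[t]] = b"\x00" * SIG_LEN
    return pac, slices

def resign_pac(blob, service_key, krbtgt_key):
    """KDC side (MS-PAC 2.8.1/2.8.2): the server signature covers the whole PAC with
    both Signature fields zeroed; the KDC signature covers the server signature."""
    if ends_with_zero_length_buffer(blob):
        raise ValueError("PAC MUST NOT end with a zero-length buffer")
    pac, slices = _zeroed_with_slices(blob)
    server_sig = hmac_md5_checksum(service_key, KERB_NON_KERB_CKSUM_SALT, bytes(pac))
    pac[slices[PAC_SERVER_CHECKSUM]] = server_sig
    pac[slices[PAC_PRIVSVR_CHECKSUM]] = hmac_md5_checksum(krbtgt_key, KERB_NON_KERB_CKSUM_SALT, server_sig)
    return bytes(pac)

def verify_server_signature(blob, service_key):
    """Application-server side: recompute the server signature over the zeroed PAC."""
    pac, slices = _zeroed_with_slices(blob)
    expected = hmac_md5_checksum(service_key, KERB_NON_KERB_CKSUM_SALT, bytes(pac))
    return hmac.compare_digest(expected, bytes(blob[slices[PAC_SERVER_CHECKSUM]]))

def issue_service_ticket_pac(tgt_pac, krbtgt_key, service_key):
    """TGS step from the text: check the TGT's PAC (server-signed with the krbtgt
    key), copy it, and re-sign it for the target service."""
    if not verify_server_signature(tgt_pac, krbtgt_key):
        raise ValueError("TGT PAC server signature does not verify")
    return resign_pac(tgt_pac, service_key, krbtgt_key)

# Constructed sample: placeholder payloads (not a real KERB_VALIDATION_INFO) and
# constructed 16-byte RC4 keys that are not real secrets.
EMPTY_SIG = struct.pack("<I", KERB_CHECKSUM_HMAC_MD5) + b"\x00" * SIG_LEN
TGT_PAC = build_pac([(PAC_LOGON_INFO, b"logon-info-placeholder"),
                     (PAC_CLIENT_INFO, b"client-info"),
                     (PAC_SERVER_CHECKSUM, EMPTY_SIG),
                     (PAC_PRIVSVR_CHECKSUM, EMPTY_SIG)])
KRBTGT_KEY, SERVICE_KEY = b"\x11" * 16, b"\x22" * 16
```

For a TGT the service is krbtgt itself, so `resign_pac(TGT_PAC, KRBTGT_KEY, KRBTGT_KEY)` produces the PAC a TGT would carry, and `issue_service_ticket_pac` then produces the PAC for a service ticket whose server signature only the service key can verify. Note the verification is deliberately done over the zeroed copy: a PAC whose signature field has already been overwritten verifies correctly only if both fields are blanked before the HMAC, which is the detail most hand-written verifiers get wrong.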

© 2014 Microsoft