
6 Appendix A: Product Behavior

The information in this specification is applicable to the following Microsoft products or supplemental software. References to product versions include released service packs:

  • Windows 2000 operating system

  • Windows XP operating system

  • Windows Server 2003 operating system

  • Windows Vista operating system

  • Windows Server 2008 operating system

  • Windows 7 operating system

  • Windows Server 2008 R2 operating system

  • Windows 8 operating system

  • Windows Server 2012 operating system

  • Windows 8.1 operating system

  • Windows Server 2012 R2 operating system

Exceptions, if any, are noted below. If a service pack or Quick Fix Engineering (QFE) number appears with the product version, behavior changed in that service pack or QFE. The new behavior also applies to subsequent service packs of the product unless otherwise specified. If a product edition appears with the product version, behavior is different in that product edition.

Unless otherwise specified, any statement of optional behavior in this specification that is prescribed using the terms SHOULD or SHOULD NOT implies product behavior in accordance with the SHOULD or SHOULD NOT prescription. Unless otherwise specified, the term MAY implies that the product does not follow the prescription.

<1> Section 1.9.1: Windows 2000 does not support the RFC Kerberos OID.

<2> Section 2.1: The default values for the message size threshold are shown in the following table for different versions of Windows.

| Windows version | Message size |
|---|---|
| Windows 2000 (initial release) – Windows 2000 SP3 | 2000 bytes |
| Windows 2000 SP4 | 1465 bytes |
| Windows XP (initial release), Windows XP SP1 | 2000 bytes |
| Windows XP SP2 | 1500 bytes |
| Windows Server 2003 (initial release), Windows XP 64-Bit Edition, Windows Server 2003 with SP1, Windows Server 2003 R2, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2 | 1465 bytes |

Note: Windows NT does not include a Kerberos implementation.

<3> Section 2.2.3: Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 do not support transmitting KERB-LOCAL.

<4> Section 2.2.4: The LSAP_TOKEN_INFO_INTEGRITY structure is not supported in Windows 2000, Windows XP, Windows Server 2003, or Windows Vista.

<5> Section 2.2.5: The KERB-AD-RESTRICTION-ENTRY structure is not supported in Windows 2000, Windows XP, Windows Server 2003, or Windows Vista.

<6> Section 2.2.6: The FAST-supported bit is not supported in Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7 and Windows Server 2008 R2.

<7> Section 2.2.6: The Compound-identity-supported bit is not supported in Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.

<8> Section 2.2.6: The Claims-supported bit is not supported in Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.

<9> Section 2.2.6: The Resource-SID-compression-disabled bit is not supported in Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.

<10> Section 2.2.7: PA-SUPPORTED-ENCTYPES are not supported by Windows 2000, Windows XP, or Windows Server 2003.

<11> Section 2.2.9: PA-PAC-OPTIONS is not supported in Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7 or Windows Server 2008 R2.

<12> Section 3.1.1.3: Windows has a ticket cache and makes the ticket cache available to client applications at their request. Programmatic methods for querying the contents, purging the contents, or purging individual tickets are also available.

In Windows 2000 and Windows XP, TGTs are not automatically renewed. Where supported, renewal attempts begin at 15 minutes prior to expiration (except for Windows Server 2003 which is 10 minutes), unless the renew-till time (see [RFC4120], section 2.3) of the TGT is within five minutes.

<13> Section 3.1.1.4: In Windows 2000, Windows XP, Windows Server 2003, and Windows Vista, a 32-byte binary random string machine ID is not sent on the wire. When sent, this machine ID is not used by KILE.

<14> Section 3.1.1.5: SupportedEncryptionTypes are not supported in Windows 2000, Windows XP, and Windows Server 2003.

<15> Section 3.1.1.5: The default for SupportedEncryptionTypes in Windows Vista and Windows Server 2008 is 0000001F. The default for Windows Server 2008 R2 DCs is 0000001F.

<16> Section 3.1.1.5: The default for SupportedEncryptionTypes in Windows Vista and Windows Server 2008 is 0000001F. The default for Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 DCs is 0000001F.

<17> Section 3.1.5.1: PA-SUPPORTED-ENCTYPES are not supported by Windows 2000, Windows XP, or Windows Server 2003.

<18> Section 3.1.5.1: PA-PAC-OPTIONS is not supported in Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, or Windows Server 2008 R2.

<19> Section 3.1.5.2: Not supported in Windows 2000, Windows XP, or Windows Server 2003.

<20> Section 3.1.5.2: In Windows 2000 and Windows Server 2003, KDCs select the encryption type based on the preference order in the client request. Otherwise, KDCs select the encryption type used for pre-authentication, or, when pre-authentication is not used, the encryption type based on the preference order in the client request.

<21> Section 3.1.5.2: Supported in Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.

<22> Section 3.1.5.2: Supported in Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.

<23> Section 3.1.5.2: Supported in Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2 systems do not support DES by default.

<24> Section 3.1.5.2: Supported in Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2 systems do not support DES by default.

<25> Section 3.1.5.2: In addition to the encryption type values specified in section 3.1.5.2, Windows 2000 and Windows XP send the values -135, -133, and -128. Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2 send the value -135. These are invalid encryption types and are ignored when received; if all encryption type values are so ignored, then the result will be as if no values were sent.

<26> Section 3.1.5.6: IPv6 addresses are not supported in Windows 2000, Windows XP and Windows Server 2003.

<27> Section 3.1.5.8: RODCs are not supported in Windows 2000 and Windows Server 2003.

<28> Section 3.1.5.11: Windows 7, Windows Server 2008 R2, Windows 8, and Windows Server 2012 support "RestrictedKrbHost/<hostname>" to allow developer frameworks to enable Kerberos authentication for code written prior to SPN support.

<29> Section 3.2.5.4: PA-PAC-OPTIONS is not supported in Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7 or Windows Server 2008 R2.

<30> Section 3.2.5.5: Claims is not supported in Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7 or Windows Server 2008 R2.

<31> Section 3.2.5.5: FAST is not supported in Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7 or Windows Server 2008 R2.

<32> Section 3.2.5.6: Not supported in Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

<33> Section 3.2.5.7: Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008 do not support KERB-LOCAL.

<34> Section 3.2.5.7: The following versions of Windows do not support Claims: Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.

<35> Section 3.2.5.7: FAST is not supported in Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, or Windows Server 2008 R2.

<36> Section 3.2.5.7: Compound Identity and FAST are not supported in Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, or Windows Server 2008 R2.

<37> Section 3.2.5.8: No version of Windows uses this field. Windows Vista SP1, Windows 7, Windows Server 2008, and Windows Server 2008 R2 do not send this field on the wire in anticipation of possible future use; all other versions of Windows do.

<38> Section 3.2.6: Windows client implementations include configured values for the initial time-out of 5 seconds, and an increase factor of 5 seconds and 10 seconds to retry 3 times.

<39> Section 3.3.1: Claims, compound identity, FAST, and mixed mode are not supported in Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7 or Windows Server 2008 R2.

<40> Section 3.3.1.1: KerbSupportedEncryptionTypes are not supported in Windows NT, Windows 2000, Windows XP, and Windows Server 2003. Compound identity is not supported in Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.

<41> Section 3.3.3: Claims and FAST are not supported in Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, or Windows Server 2008 R2.

<42> Section 3.3.5.1: Claims is not supported in Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7 or Windows Server 2008 R2.

<43> Section 3.3.5.1: For Active Directories with the msDS-Behavior-Version attribute on a domain NC root object equal to DS_BEHAVIOR_WIN2000, DS_BEHAVIOR_WIN2003_WITH_MIXED_DOMAINS, DS_BEHAVIOR_WIN2003, DS_BEHAVIOR_WIN2008, or DS_BEHAVIOR_WIN2008R2, KDCs continue without FAST.

<44> Section 3.3.5.2: Windows 2000 and Windows Server 2003 KDCs do not support the provisioning of UPNs.

<45> Section 3.3.5.4: Authentication Policy Silos are not supported by Windows 2000, Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, or Windows Server 2012 DCs.

<46> Section 3.3.5.5: Authentication Policies are not supported by Windows 2000, Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, or Windows Server 2012 DCs.

<47> Section 3.3.5.6: DES downgrade protection is not supported in Windows 2000, Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, or Windows Server 2012 KDCs.

<48> Section 3.3.5.6: Not supported in Windows 2000 and Windows Server 2003.

<49> Section 3.3.5.6: Claims and FAST are not supported in Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7 or Windows Server 2008 R2.

<50> Section 3.3.5.6: PROTECTED_USERS is not supported in Windows 2000, Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, or Windows Server 2012 KDCs.

<51> Section 3.3.5.6: Authentication Policies are not supported by Windows 2000, Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, or Windows Server 2012 KDCs.

<52> Section 3.3.5.6.3.1: In Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2, the ExtraSids field is NULL and the UserFlags field is zero.

<53> Section 3.3.5.6.3.3: Active Directories with the msDS-Behavior-Version attribute on a domain NC root object equal to DS_BEHAVIOR_WIN2000, DS_BEHAVIOR_WIN2003_WITH_MIXED_DOMAINS, or DS_BEHAVIOR_WIN2003 cannot support AES.

<54> Section 3.3.5.6.3.5: Windows 2000 and Windows Server 2003 do not support UPN and DNS information.

<55> Section 3.3.5.6.3.6: For Active Directories with the msDS-Behavior-Version attribute on a domain NC root object equal to DS_BEHAVIOR_WIN2000, DS_BEHAVIOR_WIN2003_WITH_MIXED_DOMAINS, DS_BEHAVIOR_WIN2003, DS_BEHAVIOR_WIN2008, or DS_BEHAVIOR_WIN2008R2, KDCs will behave as if 1 is set.

<56> Section 3.3.5.7: DES downgrade protection is not supported in Windows 2000, Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, or Windows Server 2012 KDCs.

<57> Section 3.3.5.7: When the account is for a computer object and the value of OperatingSystemVersion ([MS-ADA3] section 2.56) is less than 6, KerbSupportedEncryptionTypes is treated as if it were not populated to ensure that newer encryption types are not attempted with Windows NT, Windows 2000, Windows XP, and Windows Server 2003, which do not support setting KerbSupportedEncryptionTypes.

<58> Section 3.3.5.7: Not supported in Windows 2000 and Windows Server 2003.

<59> Section 3.3.5.7: Not supported in Windows 2000 and Windows Server 2003.

<60> Section 3.3.5.7: Claims and FAST are not supported in Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7 or Windows Server 2008 R2.

<61> Section 3.3.5.7: DES downgrade protection is not supported in Windows 2000, Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, or Windows Server 2012 KDCs.

<62> Section 3.3.5.7: Authentication Policies are not supported in Windows 2000, Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, or Windows Server 2012 KDCs.

<63> Section 3.3.5.7: The following versions of Windows do not support Claims: Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.

<64> Section 3.3.5.7: Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008 do not support KERB-LOCAL.

<65> Section 3.3.5.7.1: Windows uses 20 minutes as the time value at which a TGT is verified to be in good standing.

<66> Section 3.3.5.7.3: Resource SID compression is not supported in Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, or Windows Server 2008 R2.

<67> Section 3.3.5.7.4: Compound identity is not supported in Windows 2000, Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2 KDCs.

<68> Section 3.3.5.7.5: DES downgrade protection is not supported in Windows 2000, Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, or Windows Server 2012 KDCs.

<69> Section 3.3.5.7.6: Not supported in Windows 2000 and Windows Server 2003.

<70> Section 3.4.1: Channel binding is not supported in Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

<71> Section 3.4.3.1: Not supported in Windows 2000, Windows XP and Windows Server 2003.

<72> Section 3.4.3.1: Not supported in Windows 2000, Windows XP and Windows Server 2003.

<73> Section 3.4.5: SPNs with serviceclass string equal to "RestrictedKrbHost" are not supported in Windows 2000, Windows XP, Windows Server 2003, Windows Vista, or Windows Server 2008.

<74> Section 3.4.5: The ApplicationRequiresCBT parameter is not supported in Windows 2000, Windows XP, Windows Server 2003, Windows Vista, or Windows Server 2008.

<75> Section 3.4.5: DES downgrade protection is not supported in Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, or Windows Server 2012.

<76> Section 3.4.5.3: Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008 do not support KERB-LOCAL.

<77> Section 3.4.5.3: Not supported in Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

<78> Section 3.4.5.3: Claims is not supported in Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7 or Windows Server 2008 R2.

<79> Section 3.4.5.3: Compound identity is not supported in Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7 or Windows Server 2008 R2.

<80> Section 3.4.5.3: Compound identity and claims are not supported in Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7 or Windows Server 2008 R2.
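Added example (not part of the Microsoft specification): an audit helper that applies notes 15, 16, 25 and 57 above to account data, decoding the 0000001F default and disregarding the mask for pre-6 operating systems. The bit names come from [MS-KILE] section 2.2.7 rather than this page; the function names, account names and attribute values are constructed for illustration.

```python
# Bit names per [MS-KILE] section 2.2.7 (not listed on this page).
ENCTYPE_BITS = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
}
# Note 25: values Windows clients send that are ignored when received.
IGNORED_ETYPES = {-135, -133, -128}

def decode_supported_enctypes(mask):
    """Names of the encryption types set in a SupportedEncryptionTypes mask."""
    return [name for bit, name in sorted(ENCTYPE_BITS.items()) if mask & bit]

def os_major(os_version):
    """Major version from an operatingSystemVersion string like '6.1 (7601)'."""
    try:
        return int(os_version.strip().split(".", 1)[0])
    except (AttributeError, ValueError):
        return None  # attribute missing or unparsable

def effective_mask(mask, os_version):
    """Note 57: with an OS version below 6 the value is treated as if it
    were not populated (returned here as None)."""
    major = os_major(os_version)
    if mask is None or (major is not None and major < 6):
        return None
    return mask

def usable_request_etypes(etypes):
    """Note 25: drop the ignored values; an empty result is handled as if
    the client had sent no values."""
    return [e for e in etypes if e not in IGNORED_ETYPES]

# Constructed samples: (account, SupportedEncryptionTypes, operatingSystemVersion)
SAMPLES = [
    ("SRV08$", 0x1F, "6.0 (6002)"),      # default mask from notes 15/16
    ("LEGACY03$", 0x1F, "5.2 (3790)"),   # pre-6 OS: mask disregarded
    ("APP12$", 0x18, "6.2 (9200)"),      # AES only
]

def audit(samples):
    """Map each account to its effective encryption type names, or None."""
    report = {}
    for name, mask, os_version in samples:
        eff = effective_mask(mask, os_version)
        report[name] = None if eff is None else decode_supported_enctypes(eff)
    return report
```

Calling `audit(SAMPLES)` shows that the 0000001F default still advertises both DES types and RC4, which is the usual reason to review accounts left at that value.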

 
© 2014 Microsoft. All rights reserved.