
6 Appendix A: Product Behavior

The information in this specification is applicable to the following Microsoft products or supplemental software. References to product versions include released service packs:

  • Microsoft Windows® 2000 operating system

  • Windows® XP operating system

  • Windows Server® 2003 operating system

  • Windows Vista® operating system

  • Windows Server® 2008 operating system

  • Windows® 7 operating system

  • Windows Server® 2008 R2 operating system

  • Windows® 8 Consumer Preview operating system

  • Windows Server® 8 Beta operating system

Exceptions, if any, are noted below. If a service pack or Quick Fix Engineering (QFE) number appears with the product version, behavior changed in that service pack or QFE. The new behavior also applies to subsequent service packs of the product unless otherwise specified. If a product edition appears with the product version, behavior is different in that product edition.

Unless otherwise specified, any statement of optional behavior in this specification that is prescribed using the terms SHOULD or SHOULD NOT implies product behavior in accordance with the SHOULD or SHOULD NOT prescription. Unless otherwise specified, the term MAY implies that the product does not follow the prescription.

<1> Section 1.5: Windows contains a FIPS-140-validated random-number generator, as specified in [FIPS140].

<2> Section 2.2: [RFC4556] message syntax is not supported in Windows 2000, Windows XP, and Windows Server 2003.

<3> Section 2.2: Windows 2000, Windows XP, and Windows Server 2003 send the legacy PA-PK-AS-REQ_OLD and PA-PK-AS-REP_OLD pre-authentication data types (padata types 14 and 15) where [RFC4120] section 7.5.2 would have them send PA-PK-AS-REQ and PA-PK-AS-REP (padata types 16 and 17).

<4> Section 2.2: Supported by Windows 2000, Windows XP SP2, and Windows Server 2003 with SP1. In Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2, the object identifier (OID) has been updated to match CMS algorithms, as specified in [RFC3370] sections 3.2 and 2.2. Windows 2000, Windows XP, Windows XP SP1, and Windows Server 2003 do not accept the correct OID.

<5> Section 2.2: Not supported by Windows 2000, Windows XP, and Windows Server 2003.

<6> Section 2.2: ECC is not supported by Windows 2000, Windows XP, Windows Server 2003, Windows Vista, or Windows Server 2008.

<7> Section 2.2: ECC is not supported by Windows 2000, Windows XP, Windows Server 2003, Windows Vista, or Windows Server 2008.

<8> Section 2.2.1: In Windows 2000, Windows XP SP2, and Windows Server 2003 with SP1, SignedData (as specified in [RFC3852]) is encoded as specified in [RFC2315] section 9, not as specified in [RFC3852] section 5. Therefore, the content is not wrapped in an OCTET STRING; rather, it is carried directly as an ANY, as specified in [RFC2315] section 7. In Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8 Consumer Preview, and Windows Server 8 Beta, SignedData is encoded as specified in [RFC3852]. Windows 2000, Windows XP SP2, Windows Server 2003 with SP1, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8 Consumer Preview, and Windows Server 8 Beta all accept SignedData encoded as specified in [RFC3852].

In Windows 2000, Windows XP SP2, and Windows Server 2003 with SP1, the DHRepInfo form is not implemented; the public key encryption key delivery method is used, as specified in [RFC4556] section 3.2.3.2. The Diffie-Hellman key delivery method, as specified in [RFC4556] section 3.2.3.1, is supported in Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8 Consumer Preview, and Windows Server 8 Beta.

In Windows 2000, Windows XP SP2, and Windows Server 2003 with SP1, the content-type field of the SignedData in PA-PK-AS-REQ is id-data, as specified in [RFC3852] section 4, instead of id-pkinit-authData. However, in Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8 Consumer Preview, and Windows Server 8 Beta, the content-type field of the SignedData is id-pkinit-authData, as specified in [RFC4556] section 3.2.3.2. Windows 2000, Windows XP SP2, Windows Server 2003 with SP1, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8 Consumer Preview, and Windows Server 8 Beta accept id-data in the PA-PK-AS-REQ_OLD pre-authentication data.

<9> Section 2.2.1: See note <8>; the same SignedData encoding, content-type, and key delivery behavior applies.

<10> Section 2.2.2: In Windows 2000, Windows XP SP2, and Windows Server 2003 with SP1, the content-type field of the SignedData type inside the EnvelopedData type in the PA-PK-AS-REP_OLD pre-authentication data is id-data, as specified in [RFC3852] section 4, instead of id-pkinit-rkeyData, as specified in [RFC4556]. However, in Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8 Consumer Preview, and Windows Server 8 Beta, the content-type field is id-pkinit-rkeyData, as specified in [RFC4556]. Windows 2000, Windows XP SP2, Windows Server 2003 with SP1, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8 Consumer Preview, and Windows Server 8 Beta all accept id-data in the SignedData contained in the PA-PK-AS-REP_OLD pre-authentication data.

In addition, Windows 2000, Windows XP SP2, Windows Server 2003 with SP1, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8 Consumer Preview, and Windows Server 8 Beta do not process id-pkinit-san in the client's [X509] certificate, if present, as specified in [RFC4556] section 3.2.4.
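The two SignedData encodings described in notes <8> and <10>, as an added example that is not code from [MS-PKCA] or from Windows: a small DER reader that accepts both the [RFC3852] section 5 form (eContent is an explicit [0] holding an OCTET STRING) and the [RFC2315] section 7 form (the content is carried directly as an ANY inside the [0]), and that accepts id-data in place of the [RFC4556] content type, as the Windows versions listed do. The OID values are taken from [RFC3852] section 4 and [RFC4556]; the AuthPack payload is a constructed stand-in, not a real AuthPack, and the helper and function names are this example's own.

```python
"""Tolerant decoder for the encapsulated content of a PKINIT SignedData.

Added example; not code from [MS-PKCA] or Windows.  Accepts the CMS encoding
([RFC3852] section 5, OCTET STRING inside [0]) and the PKCS#7 encoding
([RFC2315] section 7, bare ANY inside [0]), and tolerates id-data in place of
the [RFC4556] content type, as notes <8> and <10> describe.
"""

ID_DATA = "1.2.840.113549.1.7.1"          # [RFC3852] section 4
ID_PKINIT_AUTHDATA = "1.3.6.1.5.2.3.1"    # [RFC4556] section 3.2.1
ID_PKINIT_RKEYDATA = "1.3.6.1.5.2.3.3"    # [RFC4556] section 3.2.3.2


def der_len(n):
    """DER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                       # base-128 with continuation bits
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def read_tlv(buf, pos=0):
    """Return (tag, body, next_pos) for the element at buf[pos], with bounds checks."""
    if pos + 2 > len(buf):
        raise ValueError("truncated element")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("indefinite or oversized length is not DER")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("length runs past end of buffer")
    return tag, buf[pos:end], end


def encap_content_info(content_type, content, cms_style):
    """Build EncapsulatedContentInfo ([RFC3852]) or ContentInfo ([RFC2315])."""
    inner = tlv(0x04, content) if cms_style else content   # OCTET STRING vs bare ANY
    return tlv(0x30, encode_oid(content_type) + tlv(0xA0, inner))


def extract_content(eci, expected_type):
    """Return (content_type, content_bytes), accepting both encodings and id-data."""
    tag, seq, _ = read_tlv(eci)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, oid_body, pos = read_tlv(seq)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    ctype = decode_oid(oid_body)
    if ctype not in (expected_type, ID_DATA):
        raise ValueError("unexpected content type " + ctype)
    tag, explicit, _ = read_tlv(seq, pos)
    if tag != 0xA0:
        raise ValueError("expected [0] EXPLICIT content")
    inner_tag, inner_body, _ = read_tlv(explicit)
    # AuthPack and ReplyKeyPack are SEQUENCEs, never OCTET STRINGs, so the
    # inner tag distinguishes the two encodings without ambiguity.
    if inner_tag == 0x04:
        return ctype, inner_body       # [RFC3852] section 5 wrapping
    return ctype, explicit             # [RFC2315] section 7: the ANY is the content


def accepts(eci, expected_type):
    try:
        extract_content(eci, expected_type)
        return True
    except ValueError:
        return False


# Constructed stand-in for a DER-encoded AuthPack (not a real AuthPack).
SAMPLE_AUTHPACK = tlv(0x30, tlv(0x02, b"\x07"))


def demo():
    cases = {
        "rfc_cms": encap_content_info(ID_PKINIT_AUTHDATA, SAMPLE_AUTHPACK, True),
        "legacy_pkcs7_iddata": encap_content_info(ID_DATA, SAMPLE_AUTHPACK, False),
    }
    return {name: extract_content(eci, ID_PKINIT_AUTHDATA) for name, eci in cases.items()}


if __name__ == "__main__":
    for name, (ctype, content) in demo().items():
        print(name, ctype, content.hex())
```

Both constructed inputs decode to the same AuthPack bytes; a content type other than the expected one or id-data, or an encoding whose declared length overruns the buffer, is rejected rather than guessed at.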

<11> Section 2.2.3: The PA-PK-AS-REQ message format is not supported in Windows 2000, Windows XP, and Windows Server 2003.

<12> Section 2.2.4: The RFC version of PA-PK-AS-REP is not supported in Windows 2000, Windows XP, and Windows Server 2003.

<13> Section 3.1.5: In the Windows implementation of PKCA, the KDC supports both des-ede3-cbc and rc2-cbc. If both des-ede3-cbc and rc2-cbc are present, the KDC selects des-ede3-cbc.

<14> Section 3.1.5.1: In Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8 Consumer Preview, and Windows Server 8 Beta, the PKINIT pre-authentication data identifiers have been updated to match those specified in [RFC4556], with one addition (KRB5-PADATA-AS-CHECKSUM) as noted below. However, for backward-compatibility reasons, if the client does not detect that the KDC is running Windows Server 2008, Windows Server 2008 R2, or Windows Server 8 Beta, it sends both the [RFC4556] identifiers and the legacy (_OLD) identifiers.

In Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8 Consumer Preview, and Windows Server 8 Beta, the client sends an additional padata type (KRB5-PADATA-AS-CHECKSUM) beyond what is specified in [RFC4556]. This padata carries an empty padata-value.

#define KRB5_PADATA_AS_CHECKSUM         132 /* AS checksum */

Clients running Windows XP and Windows 2000 also send this additional padata type.
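The padata list this note describes, as an added example that is not code from [MS-PKCA] or from Windows: it DER-encodes PA-DATA entries ([RFC4120] section 5.2.7: SEQUENCE { padata-type [1] Int32, padata-value [2] OCTET STRING }), sends PA-PK-AS-REQ alone or together with PA-PK-AS-REQ_OLD depending on whether the KDC was detected as an [RFC4556] implementation, and appends the empty KRB5-PADATA-AS-CHECKSUM entry. The padata-type values 16 and 14 are from [RFC4120] section 7.5.2; the request bodies are constructed placeholders, not real PA-PK-AS-REQ encodings, and the function names are this example's own.

```python
# Added example, not code from [MS-PKCA] or Windows.  Encodes the PKINIT
# PA-DATA entries a client sends under note <14>.
# PA-DATA ::= SEQUENCE { padata-type [1] Int32, padata-value [2] OCTET STRING }
# ([RFC4120] section 5.2.7; note the first tag is [1], not [0]).

PA_PK_AS_REQ = 16               # [RFC4120] section 7.5.2
PA_PK_AS_REQ_OLD = 14           # [RFC4120] section 7.5.2
KRB5_PADATA_AS_CHECKSUM = 132   # the #define above


def der(tag, body):
    """DER TLV with a short-form length; enough for these small structures."""
    if len(body) >= 128:
        raise ValueError("short-form length only")
    return bytes([tag, len(body)]) + body


def der_int32(n):
    """Minimal two's-complement INTEGER.  132 is 0x84, whose high bit is set,
    so it must be encoded as 00 84; a single byte 84 would decode as -124."""
    nbytes = (n.bit_length() + 8) // 8
    return der(0x02, n.to_bytes(nbytes, "big", signed=True))


def pa_data(ptype, value):
    return der(0x30, der(0xA1, der_int32(ptype)) + der(0xA2, der(0x04, value)))


def padata_type_of(entry):
    """Read padata-type back from one encoded PA-DATA entry."""
    if entry[0] != 0x30 or entry[2] != 0xA1 or entry[4] != 0x02:
        raise ValueError("not a PA-DATA entry")
    n = entry[5]
    return int.from_bytes(entry[6:6 + n], "big", signed=True)


def client_padata(kdc_detected_rfc4556, pk_as_req, pk_as_req_old):
    """Padata for the AS-REQ: the [RFC4556] identifier always; the legacy
    identifier too unless the KDC was detected as [RFC4556]-capable; then the
    empty KRB5-PADATA-AS-CHECKSUM entry."""
    entries = [pa_data(PA_PK_AS_REQ, pk_as_req)]
    if not kdc_detected_rfc4556:
        entries.append(pa_data(PA_PK_AS_REQ_OLD, pk_as_req_old))
    entries.append(pa_data(KRB5_PADATA_AS_CHECKSUM, b""))   # padata with no data
    return entries


# Constructed placeholders for the two request encodings (not real PA-PK-AS-REQ bodies).
FAKE_REQ = der(0x30, der(0x04, b"new"))
FAKE_REQ_OLD = der(0x30, der(0x04, b"old"))

if __name__ == "__main__":
    for detected in (False, True):
        types = [padata_type_of(e) for e in client_padata(detected, FAKE_REQ, FAKE_REQ_OLD)]
        print("KDC detected as RFC 4556:", detected, "->", types)
```

The empty entry encodes as 30 0a a1 04 02 02 00 84 a2 02 04 00: the type needs a two-byte INTEGER because 0x84 has its sign bit set, and the padata-value is a zero-length OCTET STRING.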

<15> Section 3.1.5.1: Windows 2000, Windows XP, and Windows Server 2003 clients send a PA-PK-AS-REP_OLD pre-authentication data identifier. Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 clients send a PA-PK-AS-REP_OLD pre-authentication data identifier when all of the following are true:

  • the user certificate has a smart card logon EKU, and

  • the user certificate has a UPN in Subject Alternative Name.

<16> Section 3.1.5.1: Windows 2000 and Windows XP SP2 Kerberos clients can only process PA-PK-AS-REP-WINDOWS-OLD.

<17> Section 3.1.5.1: Computer logon is not supported by Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.

<18> Section 3.1.5.2: Windows 2000 and Windows Server 2003 KDCs always discard the PA-PK-AS-REQ data identifier and process the PA-PK-AS-REP_OLD data identifier, if present.

<19> Section 3.1.5.2: Windows 2000 and Windows Server 2003 KDCs respond with PA-PK-AS-REP_OLD.

<20> Section 3.1.5.2.1: The SAN DNSName field is not supported by Windows 2000, Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2.
