
3.1.5.1.1 Service Sends S4U2self KRB_TGS_REQ

Note: Some of the information in this section is subject to change because it applies to a preliminary implementation of the protocol or structure. For information about specific differences between versions, see the behavior notes that are provided in the Product Behavior appendix.

In the S4U2self request, the user is identified either by the user realm and user name or, if the service holds it, by the user's certificate, as specified in sections 3.1.5.1.1.1 and 3.1.5.1.1.2. The user identification is carried in a PA-FOR-USER padata or a PA-S4U-X509-USER padata, respectively.

The SFU client SHOULD:<7>

  • When sending the TGS_REQ, add a PA-PAC-OPTIONS [167] ([MS-KILE], section 2.2.9) PA-DATA type with the claims bit set to the TGS_REQ, to request claims authorization data.

  • When receiving the TGS_REP, if the claims bit is set in PA-SUPPORTED-ENCTYPES [165] but not set in the returned PA-PAC-OPTIONS [167], the Kerberos client SHOULD locate a DS_BEHAVIOR_WIN8 DC ([MS-KILE], section 3.1.5.13) and repeat step 1 against that DC.
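As an added worked example (not code from [MS-SFU] or from any Microsoft implementation), the Python below assembles the two client-side pieces this section describes and then applies the step-2 check. For the user identification it builds the PA-FOR-USER fields, including the cksum over name-type, name-string, realm and auth-package keyed with the service's TGT session key as [MS-SFU] section 2.2.1 specifies (HMAC-MD5, key usage 17, regardless of the session key's enctype); for step 1 it sets the Claims bit in PA-PAC-OPTIONS; for step 2 it inspects the PA-SUPPORTED-ENCTYPES and PA-PAC-OPTIONS padata of the TGS_REP. Only the standard library is used. ASN.1 framing and the KDC exchange itself are out of scope, the session key, user name and realm are constructed sample values, the padata-type numbers and bit positions come from [MS-SFU] and [MS-KILE], and treating an absent PA-PAC-OPTIONS in the reply as "claims bit not set" is this example's reading of the text, not something the section states.

```python
"""Added example for [MS-SFU] 3.1.5.1.1: S4U2self TGS_REQ padata and the
step-2 check on the TGS_REP. Standard library only; ASN.1 framing and the
KDC exchange are out of scope. Keys, names and realms are constructed."""
import hashlib
import hmac
import struct
from typing import Dict, List

# padata-type numbers ([MS-SFU] 2.2.1, [MS-KILE]).
PA_FOR_USER = 129
PA_SUPPORTED_ENCTYPES = 165
PA_PAC_OPTIONS = 167

KEY_USAGE_PA_FOR_USER = 17   # KERB_NON_KERB_CKSUM_SALT
NT_PRINCIPAL = 1             # name-type of the impersonated user
AUTH_PACKAGE = "Kerberos"    # auth-package field of PA-FOR-USER

# PA-PAC-OPTIONS is a KerberosFlags BIT STRING; bit 0 is the first (MSB) bit.
PAC_OPTION_CLAIMS = 0
PAC_OPTION_BRANCH_AWARE = 1
PAC_OPTION_FORWARD_TO_FULL_DC = 2
PAC_OPTION_RBCD = 3

# PA-SUPPORTED-ENCTYPES is a 32-bit little-endian bit field.
SUPPORTED_ENCTYPES_CLAIMS = 0x00040000


def rc4_hmac_md5_checksum(key: bytes, key_usage: int, data: bytes) -> bytes:
    """HMAC-MD5 Kerberos checksum (type -138, RFC 4757 section 4):
    Ksign = HMAC-MD5(key, "signaturekey\\0"), tmp = MD5(usage_LE32 || data),
    result = HMAC-MD5(Ksign, tmp)."""
    ksign = hmac.new(key, b"signaturekey\x00", hashlib.md5).digest()
    tmp = hashlib.md5(struct.pack("<I", key_usage) + data).digest()
    return hmac.new(ksign, tmp, hashlib.md5).digest()


def pa_for_user_checksum(session_key: bytes, name_string: List[str], realm: str,
                         name_type: int = NT_PRINCIPAL) -> bytes:
    """cksum of PA-FOR-USER: name-type as 4-byte little-endian, the name-string
    components concatenated, the realm, then auth-package, keyed with the
    service's TGT session key. HMAC-MD5 is used whatever the key's enctype."""
    data = (struct.pack("<I", name_type) + "".join(name_string).encode()
            + realm.encode() + AUTH_PACKAGE.encode())
    return rc4_hmac_md5_checksum(session_key, KEY_USAGE_PA_FOR_USER, data)


def pac_options_flags(*bits: int) -> bytes:
    """PA-PAC-OPTIONS KerberosFlags as 32 bits, bit 0 first (big-endian)."""
    value = 0
    for bit in bits:
        value |= 1 << (31 - bit)
    return struct.pack(">I", value)


def pac_options_has(flags: bytes, bit: int) -> bool:
    (value,) = struct.unpack(">I", flags)
    return bool(value & (1 << (31 - bit)))


def supported_enctypes_has(value_le: bytes, mask: int) -> bool:
    (value,) = struct.unpack("<I", value_le)
    return bool(value & mask)


def s4u2self_padata(session_key: bytes, user: str, realm: str) -> Dict[int, dict]:
    """Step 1: the padata a service adds to its S4U2self TGS_REQ, keyed by
    padata-type. Structures are shown as dicts; DER encoding is omitted."""
    return {
        PA_FOR_USER: {
            "userName": {"name-type": NT_PRINCIPAL, "name-string": [user]},
            "userRealm": realm,
            "cksum": pa_for_user_checksum(session_key, [user], realm),
            "auth-package": AUTH_PACKAGE,
        },
        PA_PAC_OPTIONS: {"flags": pac_options_flags(PAC_OPTION_CLAIMS)},
    }


def next_step_after_tgs_rep(rep_padata: Dict[int, bytes]) -> str:
    """Step 2: claims advertised in PA-SUPPORTED-ENCTYPES but the Claims bit
    not set in the returned PA-PAC-OPTIONS means: locate a DS_BEHAVIOR_WIN8 DC
    and repeat step 1 there. An absent PA-PAC-OPTIONS is treated as 'not set'
    (this example's reading of the text)."""
    enctypes = rep_padata.get(PA_SUPPORTED_ENCTYPES)
    options = rep_padata.get(PA_PAC_OPTIONS)
    claims_supported = enctypes is not None and supported_enctypes_has(
        enctypes, SUPPORTED_ENCTYPES_CLAIMS)
    claims_returned = options is not None and pac_options_has(
        options, PAC_OPTION_CLAIMS)
    if claims_supported and not claims_returned:
        return "locate DS_BEHAVIOR_WIN8 DC and resend TGS_REQ"
    return "accept TGS_REP"


if __name__ == "__main__":
    key = bytes(range(16))  # constructed 16-byte RC4 session key
    req = s4u2self_padata(key, "alice", "CONTOSO.COM")
    print("PA-FOR-USER cksum:", req[PA_FOR_USER]["cksum"].hex())
    print("PA-PAC-OPTIONS flags:", req[PA_PAC_OPTIONS]["flags"].hex())
    # Constructed replies: rc4/aes128/aes256 plus claims advertised; options echoed or missing.
    enctypes = struct.pack("<I", 0x1C | SUPPORTED_ENCTYPES_CLAIMS)
    print(next_step_after_tgs_rep({PA_SUPPORTED_ENCTYPES: enctypes,
                                   PA_PAC_OPTIONS: pac_options_flags(PAC_OPTION_CLAIMS)}))
    print(next_step_after_tgs_rep({PA_SUPPORTED_ENCTYPES: enctypes}))
```

The checksum binds the impersonated user's name, realm and the auth-package to the service's TGT session key, so a KDC can reject a PA-FOR-USER that was altered in transit or replayed under another TGT; a practitioner debugging S4U2self failures will usually find a mismatch here (wrong key, wrong name-type, or a realm spelled differently from the one in the ticket) before anything else.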
