
3.2.5.7 TGS Exchange

When the server name is not Krbtgt, the client SHOULD send an authorization data field ([RFC4120] section 5.2.6) with ad-type KERB-LOCAL (142) and ad-data containing a KERB-LOCAL structure (section 2.2.3) in an AD-IF-RELEVANT element ([RFC4120] section 5.2.6.1) in the enc-authorization-data field ([RFC4120] section 5.2.6).<33>

The Kerberos client SHOULD add a PA-PAC-OPTIONS [167] (section 2.2.9) PA-DATA type with the Branch Aware bit set to the TGS-REQ. If a server-principal-unknown error with a substatus of NTSTATUS STATUS_NO_SECRETS ([MS-ERREF] section 2.3.1) is returned, the client SHOULD send an AS-REQ to a full DC, adding a PA-PAC-OPTIONS [167] (section 2.2.9) PA-DATA type with the Forward to Full DC bit set, and then send a new TGS-REQ to the full DC using the TGT obtained that way.

If EnableCBACandArmor is TRUE, the Kerberos client SHOULD add a PA-PAC-OPTIONS [167] (section 2.2.9) PA-DATA type with the Claims bit set in the TGS-REQ to notify the KDC that the client is claims aware.<34>

If EnableCBACandArmor is TRUE, the Kerberos client SHOULD use FAST [RFC6113] when the realm supports FAST (section 3.2.5.4).<35>

If EnableCBACandArmor is TRUE and the application server's realm TGT's PA-SUPPORTED-ENCTYPES Compound Identity bit is set, the Kerberos client SHOULD send a compound identity TGS-REQ by using FAST with explicit armoring, using the computer's TGT.<36>
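The PA-PAC-OPTIONS PA-DATA referred to above is a small DER structure, SEQUENCE { flags [0] KerberosFlags }. The following added example (not code from MS-KILE or any Microsoft implementation) encodes and decodes it with a hand-written DER helper and picks the flags this section tells the client to set on a TGS-REQ; the bit positions (Claims 0, Branch Aware 1, Forward to Full DC 2, Resource-based constrained delegation 3) are taken from MS-KILE section 2.2.9, which this page cites but does not reproduce.

```python
from enum import IntFlag

PA_PAC_OPTIONS = 167  # padata-type, as given on this page


class PacOptions(IntFlag):
    # Bit numbers per MS-KILE 2.2.9 (assumed here; not listed on this page)
    CLAIMS = 1 << 0
    BRANCH_AWARE = 1 << 1
    FORWARD_TO_FULL_DC = 1 << 2
    RBCD = 1 << 3


def tgs_req_pac_options(enable_cbac_and_armor):
    """Flags this section directs a client to set on an ordinary TGS-REQ."""
    flags = PacOptions.BRANCH_AWARE
    if enable_cbac_and_armor:
        flags |= PacOptions.CLAIMS
    return flags


def _tlv(tag, body):
    assert len(body) < 128  # short-form DER length suffices for this structure
    return bytes([tag, len(body)]) + body


def encode_pa_pac_options(flags):
    """DER of PA-PAC-OPTIONS ::= SEQUENCE { flags [0] KerberosFlags }."""
    octets = bytearray(4)  # KerberosFlags carries at least 32 bits (RFC 4120 5.2.8)
    for bit in range(32):
        if flags & (1 << bit):
            octets[bit // 8] |= 0x80 >> (bit % 8)  # bit 0 is the MSB of octet 0
    bit_string = _tlv(0x03, b"\x00" + bytes(octets))  # leading 0x00: no unused bits
    return _tlv(0x30, _tlv(0xA0, bit_string))


def decode_pa_pac_options(der):
    """Parse DER back into PacOptions; raise ValueError on malformed input."""
    def expect(buf, tag):
        if len(buf) < 2 or buf[0] != tag or buf[1] >= 128 or len(buf) != 2 + buf[1]:
            raise ValueError("bad TLV, expected tag 0x%02x" % tag)
        return buf[2:]
    bit_string = expect(expect(expect(der, 0x30), 0xA0), 0x03)
    unused, octets = bit_string[0], bit_string[1:]
    if unused > 7 or len(octets) < 4:
        raise ValueError("KerberosFlags must carry at least 32 bits")
    flags = 0
    for i, byte in enumerate(octets):
        for j in range(8):
            if byte & (0x80 >> j):
                flags |= 1 << (i * 8 + j)
    return PacOptions(flags)
```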

© 2014 Microsoft