3.2.5.4 Using FAST When the Realm Supports FAST

In addition to the RFC behavior ([RFC6113]), the Kerberos client SHOULD use the PA-SUPPORTED-ENCTYPES from the TGT obtained from a realm to determine if a realm supports FAST.<29>

  1. If the client does not have a TGT for the realm and is creating an:

    • AS-REQ: the client SHOULD obtain a TGT for the computer principal from the user principal's domain.

    • TGS-REQ: the client SHOULD obtain a referral TGT for the user principal for the target domain.

    • Compound identity TGS-REQ: the client SHOULD obtain a user principal TGT and computer principal TGT for the target domain with the same key version numbers (section 3.1.5.8).

    If a TGT for the required principals cannot be obtained and RequireFAST is:

    • TRUE: the client SHOULD fail the request.

    • FALSE: the client SHOULD continue without FAST.

  2. When processing the AS-REP or TGS-REP, if the FAST-supported bit in the PA-SUPPORTED-ENCTYPES of the TGT received in step 1 is:

    • Not set and RequireFAST is TRUE: the client SHOULD fail the request.

    • Not set and RequireFAST is FALSE: the client SHOULD continue without FAST.

    • Set: the client SHOULD find a DC that supports FAST and use FAST:

      Locate a DS_BEHAVIOR_WIN2012 DC (section 3.2.5.3). If a DS_BEHAVIOR_WIN2012 DC is not found and RequireFAST is:

      • TRUE: the client SHOULD fail the request.

      • FALSE: the client SHOULD continue without FAST.

      If a DS_BEHAVIOR_WIN2012 DC is found, the client SHOULD use the TGT obtained in step 1 to armor the message it is creating ([RFC6113], sections 5.4.2, 5.4.3 and 5.4.4) to the DS_BEHAVIOR_WIN2012 DC. If the request fails without an authenticated Kerberos error message ([RFC6113], section 5.4.4) and RequireFAST is TRUE, then the client SHOULD fail the request.
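The two-step decision above, written out as an added Python example (not code from MS-KILE or from any Windows implementation): it models which TGT(s) step 1 needs for each request kind, the FAST-supported check of step 2, the DS_BEHAVIOR_WIN2012 DC lookup and the final rule for an unauthenticated failure. The FAST_SUPPORTED flag value, the Tgt record and every input are assumptions; for a compound identity request the example checks the flag on both TGTs, which goes slightly beyond the single-TGT wording of step 2.

```python
from dataclasses import dataclass
from enum import Enum

# FAST-supported flag in PA-SUPPORTED-ENCTYPES. The value is taken from MS-KILE
# section 2.2.7, not from this section; treat it as an assumption when verifying.
FAST_SUPPORTED = 0x00010000

class RequestKind(Enum):
    AS_REQ = "AS-REQ"
    TGS_REQ = "TGS-REQ"
    COMPOUND_TGS_REQ = "compound identity TGS-REQ"

class Outcome(Enum):
    FAIL = "fail the request"
    NO_FAST = "continue without FAST"
    USE_FAST = "armor the request to a DS_BEHAVIOR_WIN2012 DC"

@dataclass
class Tgt:
    """Constructed stand-in for a TGT and the PA-SUPPORTED-ENCTYPES it came with."""
    principal: str
    kvno: int
    supported_enctypes: int

def armor_tgts(kind, user_tgt, computer_tgt):
    """Step 1: the TGT(s) that armor this request kind, or None if unobtainable."""
    if kind is RequestKind.AS_REQ:
        return [computer_tgt] if computer_tgt else None
    if kind is RequestKind.TGS_REQ:
        return [user_tgt] if user_tgt else None
    # Compound identity needs both TGTs, and their key version numbers must match.
    if user_tgt and computer_tgt and user_tgt.kvno == computer_tgt.kvno:
        return [user_tgt, computer_tgt]
    return None

def decide_fast(kind, user_tgt, computer_tgt, win2012_dc_found, require_fast):
    """Steps 1-2: fail, continue without FAST, or send an armored request."""
    fallback = Outcome.FAIL if require_fast else Outcome.NO_FAST
    tgts = armor_tgts(kind, user_tgt, computer_tgt)
    if tgts is None:                       # step 1: no armor TGT obtainable
        return fallback
    if not all(t.supported_enctypes & FAST_SUPPORTED for t in tgts):
        return fallback                    # step 2: realm does not advertise FAST
    if not win2012_dc_found:               # realm supports FAST but no DC can do it
        return fallback
    return Outcome.USE_FAST

def fatal_armored_failure(error_authenticated, require_fast):
    """After armoring: an unauthenticated failure with RequireFAST TRUE is fatal."""
    return require_fast and not error_authenticated
```

The section leaves the other post-armoring failure cases (authenticated error, or RequireFAST FALSE) unspecified, so fatal_armored_failure only reports the one case the text defines.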

© 2014 Microsoft