
3.3.5.6.3.6 PAC_CLIENT_CLAIMS_INFO Structure

If ClaimsCompIdFASTSupport is set to:

  • 0: The KDC SHOULD NOT insert into the returned PAC a PAC_CLIENT_CLAIMS_INFO structure ([MS-PAC] section 2.11).

  • 1: If a PA-PAC-OPTIONS [167] (section 2.2.9) PA-DATA type with the Claims bit set is in the AS-REQ, the KDC SHOULD behave as noted in the next step, "2 or 3". Otherwise, the KDC SHOULD NOT provide a PAC_CLIENT_CLAIMS_INFO structure ([MS-PAC], section 2.11).

  • 2 or 3: The KDC SHOULD<55>

    • Add the CLAIMS_VALID SID ([MS-DTYP] section 2.4.2.4) to KERB_VALIDATION_INFO.ExtraSids.

    • Increment SidCount.

    • Add a PAC_CLIENT_CLAIMS_INFO structure as follows:

      For KILE implementations that use an Active Directory for the account database, KDCs SHOULD retrieve the claims from the local directory service instance with the same processing rules as defined in GetClaimsForPrincipal() ([MS-ADTS] section 3.1.1.11.2.1) message processing. The KDC populates the returned PAC_CLIENT_CLAIMS_INFO structure fields as follows:

      • The Claims field SHOULD be set to the ClaimsBlob.
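
The decision table above, written out as an added example (not part of the specification and not Microsoft's code). The `Pac` class and the function names are hypothetical stand-ins, the claims blob is constructed sample data, and the position of the Claims bit (bit 0, the most significant bit of a 32-bit KerberosFlags value) is an assumption taken from the PA-PAC-OPTIONS definition, which this page references but does not reproduce.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# CLAIMS_VALID well-known SID ([MS-DTYP] section 2.4.2.4).
CLAIMS_VALID_SID = "S-1-5-21-0-0-0-497"
# Assumption: Claims is bit 0 of PA-PAC-OPTIONS KerberosFlags; Kerberos
# numbers flag bits from the most significant bit of the 32-bit value.
CLAIMS_BIT = 0x80000000


@dataclass
class Pac:
    """Hypothetical, simplified view of the PAC fields this step touches."""
    extra_sids: List[str] = field(default_factory=list)  # KERB_VALIDATION_INFO.ExtraSids
    sid_count: int = 0                                    # KERB_VALIDATION_INFO.SidCount
    client_claims: Optional[bytes] = None                 # PAC_CLIENT_CLAIMS_INFO.Claims


def claims_requested(pa_pac_options: Optional[int]) -> bool:
    """True only if the AS-REQ carried PA-PAC-OPTIONS with the Claims bit set.

    None models an AS-REQ that has no PA-PAC-OPTIONS PA-DATA at all.
    """
    return pa_pac_options is not None and bool(pa_pac_options & CLAIMS_BIT)


def apply_client_claims(pac: Pac, claims_comp_id_fast_support: int,
                        pa_pac_options: Optional[int], claims_blob: bytes) -> bool:
    """Apply the ClaimsCompIdFASTSupport rules; return True if claims were added."""
    if claims_comp_id_fast_support not in (0, 1, 2, 3):
        raise ValueError("ClaimsCompIdFASTSupport must be 0, 1, 2 or 3")
    if claims_comp_id_fast_support == 0:
        return False  # 0: no PAC_CLIENT_CLAIMS_INFO in the returned PAC
    if claims_comp_id_fast_support == 1 and not claims_requested(pa_pac_options):
        return False  # 1: only when the client asked via the Claims bit
    # 2 or 3 (and 1 with the Claims bit set): all three steps go together.
    pac.extra_sids.append(CLAIMS_VALID_SID)
    pac.sid_count += 1
    pac.client_claims = claims_blob  # Claims field is set to the ClaimsBlob
    return True


if __name__ == "__main__":
    blob = b"\x01constructed-claims-blob"  # constructed sample, not real claims data
    for setting, opts in [(0, CLAIMS_BIT), (1, None), (1, CLAIMS_BIT), (2, None)]:
        pac = Pac()
        added = apply_client_claims(pac, setting, opts, blob)
        print(setting, opts, added, pac.sid_count, pac.extra_sids)
```

When reviewing tickets from a KDC, the same table is useful in reverse: a PAC that contains PAC_CLIENT_CLAIMS_INFO but lacks the CLAIMS_VALID SID in ExtraSids, or the other way round, does not match any branch above.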

 
© 2014 Microsoft