3.2.1 Abstract Data Model

To support all functionality of SFU, the account database MUST be extended to support the following additional information for each principal:

DelegationNotAllowed: A Boolean setting to prevent PROXIABLE or FORWARDABLE ticket flags ([RFC4120] sections 2.5 and 2.6) in tickets for the principal. KILE implementations that use an Active Directory for the account database SHOULD use the userAccountControl attribute ([MS-ADTS] section 2.2.16) ND flag. The default is FALSE.

ServicesAllowedToReceiveForwardedTicketsFrom: A SECURITY_DESCRIPTOR ([MS-DTYP] section 2.4.6) which specifies from which services a service will accept forwarded service tickets. SFU implementations that use an Active Directory for the configuration database SHOULD use the msDS-AllowedToActOnBehalfOfOtherIdentity attribute ([MS-ADA2] section 2.210).<17>

ServicesAllowedToSendForwardedTicketsTo: A list of services to which a service will be allowed to forward tickets to support constrained delegation. SFU implementations that use an Active Directory for the configuration database SHOULD use the msDS-AllowedToDelegateTo attribute ([MS-ADA2] section 2.211).

TrustedToAuthenticationForDelegation: A Boolean setting to control whether the KDC sets the FORWARDABLE ticket flag ([RFC4120] section 2.6) in S4U2self service tickets for principals for the service. SFU implementations that use an Active Directory for the account database SHOULD use the userAccountControl attribute ([MS-ADTS] section 2.2.16) TA flag. The default is FALSE.
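The following added example (not part of [MS-SFU] or any Microsoft implementation) maps the Active Directory attributes named above onto the four abstract data model fields and classifies each account's delegation configuration for review. The userAccountControl bit values for ND and TA are taken from [MS-ADTS] section 2.2.16; the sample entries and the sAMAccountName values are constructed.

```python
# Added example: derive the section 3.2.1 abstract data model fields from the
# Active Directory attributes the section names. Bit values per [MS-ADTS] 2.2.16.
UAC_NOT_DELEGATED = 0x00100000                   # ND flag -> DelegationNotAllowed
UAC_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x01000000  # TA flag -> TrustedToAuthenticationForDelegation


def sfu_model(entry):
    """Map one account entry (a dict of LDAP attribute name -> value, as
    constructed below) onto the four abstract data model fields."""
    uac = int(entry.get("userAccountControl", 0))
    return {
        "DelegationNotAllowed": bool(uac & UAC_NOT_DELEGATED),
        "TrustedToAuthenticationForDelegation": bool(uac & UAC_TRUSTED_TO_AUTH_FOR_DELEGATION),
        "ServicesAllowedToSendForwardedTicketsTo": list(entry.get("msDS-AllowedToDelegateTo", [])),
        # The [MS-DTYP] 2.4.6 security descriptor is only tested for presence here;
        # decoding its DACL is out of scope for this example.
        "ServicesAllowedToReceiveForwardedTicketsFrom":
            entry.get("msDS-AllowedToActOnBehalfOfOtherIdentity") is not None,
    }


def audit(entries):
    """Return {sAMAccountName: [findings]} describing which delegation
    features each account has enabled, for configuration review."""
    findings = {}
    for entry in entries:
        model = sfu_model(entry)
        notes = []
        if model["ServicesAllowedToSendForwardedTicketsTo"]:
            kind = "with protocol transition (TA set)" if model["TrustedToAuthenticationForDelegation"] \
                else "Kerberos-only (TA clear)"
            notes.append("constrained delegation " + kind + " to " +
                         ", ".join(model["ServicesAllowedToSendForwardedTicketsTo"]))
        if model["ServicesAllowedToReceiveForwardedTicketsFrom"]:
            notes.append("accepts forwarded tickets per msDS-AllowedToActOnBehalfOfOtherIdentity")
        if model["DelegationNotAllowed"]:
            notes.append("ND set: tickets for this principal are never PROXIABLE/FORWARDABLE")
        if notes:
            findings[entry["sAMAccountName"]] = notes
    return findings


# Constructed sample entries (hypothetical accounts, not real directory data).
SAMPLE_ENTRIES = [
    {"sAMAccountName": "websvc$", "userAccountControl": UAC_TRUSTED_TO_AUTH_FOR_DELEGATION | 0x1000,
     "msDS-AllowedToDelegateTo": ["cifs/files.example.test"]},
    {"sAMAccountName": "admin1", "userAccountControl": UAC_NOT_DELEGATED | 0x200},
    {"sAMAccountName": "dbhost$", "userAccountControl": 0x1000,
     "msDS-AllowedToActOnBehalfOfOtherIdentity": b"\x01\x00\x04\x80"},  # truncated constructed blob
    {"sAMAccountName": "plainuser", "userAccountControl": 0x200},
]

if __name__ == "__main__":
    for name, notes in audit(SAMPLE_ENTRIES).items():
        print(name, "->", "; ".join(notes))
```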