3 A

ABNF: See Augmented Backus-Naur Form (ABNF).

abort request: An action that a participant performs to force a transaction to reach an abort outcome.

abstract class: See abstract object class.

abstract object class: An object class whose only function is to be the basis of inheritance by other object classes, thereby simplifying their definition.

Abstract Syntax Notation One (ASN.1): A notation to define complex data types to carry a message, without concern for their binary representation, across a network. ASN.1 defines an encoding to specify the data types with a notation that does not necessarily determine the representation of each value. ASN.1 encoding rules are sets of rules used to transform data that is specified in the ASN.1 language into a standard format that can be decoded on any system that has a decoder based on the same set of rules. ASN.1 and its encoding rules were once part of the same standard. They have since been separated, but it is still common for the terms ASN.1 and Basic Encoding Rules (BER) to be used to mean the same thing, though this is not the case. Different encoding rules can be applied to a given ASN.1 definition. The choice of encoding rules used is an option of the protocol designer.
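The separation between an ASN.1 type definition and the encoding rules applied to it is easier to see in code. The following is an added example, not text or code from the glossary or from any Microsoft specification: a minimal TLV encoder/decoder for the INTEGER, OCTET STRING and SEQUENCE types. The encoder always emits DER; the decoder accepts the same bytes, and can either enforce DER's minimal-encoding rules or run in a looser BER mode that also accepts a long-form length for a short value. INTEGER support is restricted to non-negative values to keep the two's-complement handling short, and the sample message is constructed for the example.

```python
"""Minimal ASN.1 TLV encoder/decoder (added example, not from the glossary).

Demonstrates that one ASN.1 definition, SEQUENCE { INTEGER, OCTET STRING },
has a single DER encoding but several valid BER encodings, and that a DER
decoder rejects the non-minimal BER forms.
"""
from typing import List, Tuple, Union

TAG_INTEGER, TAG_OCTET_STRING, TAG_SEQUENCE = 0x02, 0x04, 0x30

Node = Tuple[str, Union[int, bytes, list]]


def encode_length(n: int) -> bytes:
    """DER length: short form below 128, else 0x80|byte-count then the count bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_integer(value: int) -> bytes:
    """DER INTEGER for non-negative values: minimal two's complement, so a
    leading 0x00 byte is added only when the top bit would otherwise be set."""
    if value < 0:
        raise ValueError("negative INTEGERs are out of scope for this example")
    body = value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True)
    return bytes([TAG_INTEGER]) + encode_length(len(body)) + body


def encode_octet_string(data: bytes) -> bytes:
    return bytes([TAG_OCTET_STRING]) + encode_length(len(data)) + data


def encode_sequence(elements: List[bytes]) -> bytes:
    body = b"".join(elements)
    return bytes([TAG_SEQUENCE]) + encode_length(len(body)) + body


def _read_tlv(data: bytes, pos: int, der: bool) -> Tuple[int, bytes, int]:
    """Return (tag, value bytes, position after the element).
    In DER mode a long-form length that could have been short form, or one
    with a leading zero byte, is rejected as non-minimal."""
    if pos + 2 > len(data):
        raise ValueError("truncated TLV header")
    tag, first = data[pos], data[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        count = first & 0x7F
        if count == 0:
            raise ValueError("indefinite length is not supported here")
        length = int.from_bytes(data[pos:pos + count], "big")
        if der and (length < 0x80 or data[pos] == 0):
            raise ValueError("non-minimal length encoding rejected under DER")
        pos += count
    value = data[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated TLV value")
    return tag, value, pos + length


def _decode_at(data: bytes, pos: int, der: bool) -> Tuple[Node, int]:
    tag, value, nxt = _read_tlv(data, pos, der)
    if tag == TAG_INTEGER:
        # DER forbids a redundant leading 0x00 on a positive INTEGER.
        if der and len(value) > 1 and value[0] == 0 and value[1] < 0x80:
            raise ValueError("non-minimal INTEGER rejected under DER")
        return ("INTEGER", int.from_bytes(value, "big", signed=True)), nxt
    if tag == TAG_OCTET_STRING:
        return ("OCTET STRING", value), nxt
    if tag == TAG_SEQUENCE:
        items, p = [], 0
        while p < len(value):
            item, p = _decode_at(value, p, der)
            items.append(item)
        return ("SEQUENCE", items), nxt
    raise ValueError(f"unsupported tag 0x{tag:02x}")


def decode(data: bytes, der: bool = True) -> Node:
    """Decode one top-level element; der=False accepts BER long-form lengths."""
    node, end = _decode_at(data, 0, der)
    if end != len(data):
        raise ValueError("trailing bytes after element")
    return node


def der_rejects(data: bytes) -> bool:
    """True when the bytes decode as BER but fail the stricter DER checks."""
    decode(data, der=False)
    try:
        decode(data, der=True)
    except ValueError:
        return True
    return False


# Constructed sample: SEQUENCE { INTEGER 65537, OCTET STRING "ab" }.
SAMPLE_DER = encode_sequence([encode_integer(65537), encode_octet_string(b"ab")])
# The same INTEGER 5 written with a long-form length: valid BER, invalid DER.
BER_LONG_FORM_FIVE = bytes.fromhex("02810105")

if __name__ == "__main__":
    print(SAMPLE_DER.hex())                  # 3009020301000104026162
    print(decode(SAMPLE_DER))
    print(decode(BER_LONG_FORM_FIVE, der=False), der_rejects(BER_LONG_FORM_FIVE))
```

The practical point for a verifier of signed data (certificates, Kerberos messages) is in `der_rejects`: a parser that silently accepts BER variants of a DER structure lets the same logical value appear in more than one byte form, which breaks any check that compares or hashes the encoded bytes.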

acceptor: A participant that receives a session or connection request. This role is also known as the "subordinate".

access check: A verification to determine whether a specific access type is allowed by checking a security context against a security descriptor.

access control entry (ACE): An entry in an access control list (ACL) that contains a set of user rights and a security identifier (SID) that identifies a principal for whom the rights are allowed, denied, or audited.

access control list (ACL): A list of access control entries (ACEs) that collectively describe the security protections that apply to an object.

access mask: A 32-bit value present in an access control entry (ACE) that specifies the allowed or denied rights to manipulate an object.
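The access check, ACE, ACL and access mask entries above describe the pieces of a discretionary access check; the following added example (not code from the glossary or from Windows) puts them together. It walks an ordered list of ACEs the way the Windows algorithm does, evaluating each against the SIDs in the caller's token, and also shows why ACE order matters: the same ACEs with the deny entry placed last grant a request the canonical order would refuse. The mask bits, the user SID and the DACLs are simplified, constructed sample values; the well-known SIDs S-1-5-11 (authenticated users) and S-1-5-32-544 (administrators) are real.

```python
"""Simplified Windows-style discretionary access check (added example).

A security descriptor's DACL is an ordered list of ACEs; each ACE carries a
SID, an allow/deny type and a 32-bit access mask.  The requester's
authorization context is the set of SIDs in its token.  Mask bits and the
sample SIDs below are constructed for illustration, not Windows' real values.
"""
from dataclasses import dataclass
from typing import List, Optional, Set

# Simplified access-type bits (constructed; real masks carry many more bits).
READ = 0x0001
WRITE = 0x0002
DELETE = 0x0004
FULL_CONTROL = READ | WRITE | DELETE

ALLOW, DENY = "ACCESS_ALLOWED", "ACCESS_DENIED"


@dataclass(frozen=True)
class Ace:
    ace_type: str   # ALLOW or DENY
    sid: str        # principal the entry applies to
    mask: int       # access mask: the rights allowed or denied


def check_access(dacl: Optional[List[Ace]], token_sids: Set[str], requested: int) -> bool:
    """Return True when every requested bit is granted.

    ACEs are consulted in list order:
      * a DENY ACE for a SID in the token that covers any still-outstanding
        requested bit ends the check with a denial;
      * an ALLOW ACE for a SID in the token clears its bits from the
        outstanding set; once nothing is outstanding, access is granted;
      * reaching the end of the list with bits outstanding is a denial.
    A missing DACL (None) grants everything; an empty DACL grants nothing.
    """
    if requested == 0 or dacl is None:
        return True
    outstanding = requested
    for ace in dacl:
        if ace.sid not in token_sids:
            continue
        if ace.ace_type == DENY and outstanding & ace.mask:
            return False
        if ace.ace_type == ALLOW:
            outstanding &= ~ace.mask
            if outstanding == 0:
                return True
    return False


def is_canonical(dacl: List[Ace]) -> bool:
    """Canonical order places every explicit DENY ACE before any ALLOW ACE.
    In a non-canonical DACL an early ALLOW can satisfy a request before a
    later DENY for the same principal is ever reached."""
    seen_allow = False
    for ace in dacl:
        if ace.ace_type == ALLOW:
            seen_allow = True
        elif seen_allow:
            return False
    return True


# Constructed sample principals and DACLs.
USER_SID = "S-1-5-21-1000000000-2000000000-3000000000-1001"
ADMIN_SID = "S-1-5-21-1000000000-2000000000-3000000000-500"
AUTHENTICATED_USERS = "S-1-5-11"
ADMINISTRATORS = "S-1-5-32-544"

CANONICAL_DACL = [
    Ace(DENY, USER_SID, WRITE),                        # this one user may not write
    Ace(ALLOW, AUTHENTICATED_USERS, READ | WRITE),     # everyone authenticated may read/write
    Ace(ALLOW, ADMINISTRATORS, FULL_CONTROL),          # administrators get everything
]
# Same entries with the DENY moved to the end.
NON_CANONICAL_DACL = [CANONICAL_DACL[1], CANONICAL_DACL[2], CANONICAL_DACL[0]]


def demo() -> dict:
    user_token = {USER_SID, AUTHENTICATED_USERS}
    admin_token = {ADMIN_SID, AUTHENTICATED_USERS, ADMINISTRATORS}
    return {
        "user_read": check_access(CANONICAL_DACL, user_token, READ),
        "user_write": check_access(CANONICAL_DACL, user_token, WRITE),
        "user_write_noncanonical": check_access(NON_CANONICAL_DACL, user_token, WRITE),
        "user_delete": check_access(CANONICAL_DACL, user_token, DELETE),
        "admin_delete": check_access(CANONICAL_DACL, admin_token, DELETE),
        "empty_dacl": check_access([], admin_token, READ),
        "null_dacl": check_access(None, set(), FULL_CONTROL),
    }


if __name__ == "__main__":
    for name, granted in demo().items():
        print(f"{name:26s} {'granted' if granted else 'denied'}")
    print("canonical:", is_canonical(CANONICAL_DACL), is_canonical(NON_CANONICAL_DACL))
```

The `null_dacl` and `empty_dacl` cases are the two results practitioners most often confuse when auditing descriptors: an absent DACL is "everyone, everything", an empty one is "nobody, nothing".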

access point: A network access server (NAS) that is implementing 802.11.

access profile: A set of configuration data for a network access server (NAS) to determine the level of service to provide to an endpoint. This configuration data is sent from the RADIUS server to the NAS as a set of RADIUS attributes.

access type: An action defined for access such as "read", "write", "full control", control access right "x", and so on. Used in security descriptors.

account: A user, group, or alias object.

account domain: A domain, identified by a security identifier (SID), that is the SID namespace for which a given machine is authoritative. The account domain is the same as the primary domain for a domain controller (DC) and is its default domain. For a Windows machine that is joined to a domain, the account domain is the SID namespace defined by the local Security Accounts Manager [MS-SAMR].

account domain object (account domain): A domain object that represents an issuing authority in which user objects can be created. For more information about the concept of an issuing authority, see [MS-AUTHSOD] section

account domain security identifier: The security identifier (SID) of the account domain object.

account group: A group object whose members always include the security identifier (SID) of the group in the authorization context.

account object: An element of a Local Security Authority (LSA) policy database that describes the rights and privileges granted by the server to a security principal. The security identifier (SID) of the security principal matches that of the account object.

ACID: A term that refers to the four properties that any database system must achieve in order to be considered transactional: Atomicity, Consistency, Isolation, and Durability [GRAY].

ACE: See access control entry (ACE).

acknowledgment (ACK): A signal passed between communicating processes or computers to signify successful receipt of a transmission as part of a communications protocol.

ACL: See access control list (ACL).

activation: (1) In COM, a local mechanism by which a client provides the CLSID of an object class (3) and obtains an object (3), either an object from that object class or a class factory that is able to create such objects.

(2) In the DCOM protocol, a mechanism by which a client provides the CLSID of an object class (4) and obtains an object (4), either from that object class or a class factory that is able to create such objects. For more information, see [MS-DCOM].

Active Directory: A general-purpose network directory service.

Active Directory also refers to the Windows implementation of a directory service. Active Directory stores information about a variety of objects in the network. Importantly, user accounts, computer accounts, groups, and all related credential information used by the Windows implementation of Kerberos are stored in Active Directory. Active Directory depends on Lightweight Directory Access Protocol (LDAP) versions 2 and 3, Kerberos, and DNS. For more information, see [MS-AUTHSOD] section and [MS-ADTS].

Active Directory domain: A domain hosted on Active Directory. For more information, see [MS-ADTS].

Active Directory Domain Services (AD DS): See Active Directory. Active Directory Domain Services (AD DS) replaces the term "Active Directory" in Windows Server 2008.

Active Directory Federation Services (AD FS): A Microsoft implementation of a federation services provider. AD FS provides a security token service (STS) that can issue security tokens to a caller using various protocols such as WS-Trust, WS-Federation, and Security Assertion Markup Language (SAML) version 2.0.

Active Directory Lightweight Directory Services (AD LDS): A directory service that is implemented by a domain controller (DC). For more information on AD LDS, see [MS-ADTS].

Active Directory object: A set of directory objects that are used within Active Directory as defined in [MS-ADTS] section 3.1.1. An Active Directory object can be identified by a dsname. See also directory object.

Active Directory partition: A synonym for naming context (NC) replica.

Active Directory replication: The process by which the changes that are made to Active Directory objects on one domain controller (DC) are automatically synchronized with other DCs.

Active Directory schema: The Microsoft Active Directory schema contains formal definitions of every object class that can be created in an Active Directory forest. The schema also contains formal definitions of every attribute that can exist in an Active Directory object.

Active Directory table (ADT): A database of domain information, as specified in [MS-ADTS].

active node: A node that is currently successfully executing the implementation-specific server-to-server protocols that constitute participation in a cluster.

active partition: A partition on a master boot record (MBR) disk that becomes the system partition at system startup if the BIOS is configured to select that disk for boot. An MBR disk can have exactly one active partition. This attribute is stored within the partition table on the disk.

active volume: See active partition.

AD: See Active Directory.

AD DS: See Active Directory Domain Services (AD DS).

AD LDS: See Active Directory Lightweight Directory Services (AD LDS).

AddRef: The process of calling the second IUnknown method (IUnknown::AddRef()) on an object. For more information, see [MS-DCOM].

administrative plug-in GUID: See tool extension GUID.

administrative template: A file associated with a Group Policy Object (GPO) that combines information on the syntax of registry-based policy settings with human-readable descriptions of the settings, as well as other information.

Administrative tool: An implementation-specific tool, such as the Group Policy Management Console, that allows administrators to read and write policy settings from and to a Group Policy Object (GPO) and policy files. The Group Policy Administrative tool uses the Extension list of a GPO to determine which Administrative tool extensions are required to read settings from and write settings to the logical and physical components of a GPO.

Administrative tool extension: A Group Policy extension protocol that is identified by an Administrative tool extension GUID and invoked by a management entity such as the Group Policy Management Console. The Administrative tool extension enables the Group Policy administrator to administer policy settings associated with the specific context provided by the extension.

Administrative tool extension GUID: A GUID that enables a specific Administrative tool extension to be associated with settings that are stored in a GPO on the Group Policy server for that particular extension. The GUID enables the Administrative tool to identify the extension protocol for which settings are to be administered.

administrator: A user who has complete and unrestricted access to the computer or domain.

administrator in Admin Approval Mode or Consent Admin: A user mode in which administrators are prompted for permission before allowing an administrative task to be performed. Also referred to as a "Consent Admin".

administrators: An alias object with the security identifier (SID) S-1-5-32-544.

Advanced Encryption Standard (AES): A block cipher that supersedes the Data Encryption Standard (DES). AES is used in symmetric-key cryptography and is also known as the Rijndael symmetric encryption algorithm.

Advanced Systems Format (ASF): The file format used by Windows Media.

advertise: To publish descriptive identifying information in a name service.

advertised: An installation state of an application on a client computer. An advertised application is one that does not have all of the binaries and files necessary for executing the application present on the computer, but does have metadata on the client that allows it to present the application to the user as if all the files were present and also allows the client to install all of the missing files at a later time.

alias object: See resource group.

allocation unit size: The size (expressed in bytes) of the units used by the file system to allocate space on a disk for the file system used by the volume. The size, in bytes, must be a power of two and must be a multiple of the size of the sectors on the disk. Typical allocation unit sizes of most file systems range from 512 bytes to 64 KB.

alternate stream: See named stream.

ambiguous name resolution (ANR): A search algorithm that permits a client to search multiple naming-related attributes on objects by way of a single clause of the form "(anr=value)" in a Lightweight Directory Access Protocol (LDAP) search filter. This permits a client to query for an object when the client possesses some identifying material related to the object but does not know which attribute of the object contains that identifying material.

American National Standards Institute (ANSI) character set: A character set defined by a code page approved by the American National Standards Institute (ANSI).

The term "ANSI" as used to signify Windows code pages is a historical reference and a misnomer that persists in the Windows community. The source of this misnomer stems from the fact that the Windows code page 1252 was originally based on an ANSI draft, which became International Organization for Standardization (ISO) Standard 8859-1 [ISO/IEC-8859-1]. In Windows, the ANSI character set can be any of the following code pages: 1252, 1250, 1251, 1253, 1254, 1255, 1256, 1257, 1258, 874, 932, 936, 949, or 950.

For example, "ANSI application" is usually a reference to a non-Unicode or code-page-based application. Therefore, "ANSI character set" is often misused to refer to one of the character sets defined by a Windows code page that can be used as an active system code page; for example, character sets defined by code page 1252 or character sets defined by code page 950. Windows is now based on Unicode, so the use of ANSI character sets is strongly discouraged unless they are used to interoperate with legacy applications or legacy data.

ancestor object: An object A is an ancestor of object O if there is a directed path from A to O (in other words, A is on the path from O to the root of the tree containing O).

anonymous authentication: An authentication mode in which neither party verifies the identity of the other party.

anonymous session: A session created for an anonymous user.

anonymous user: A user who presents no credentials when identifying himself or herself. The process for determining an anonymous user can differ based on the authentication protocol, and the documentation for the relevant authentication protocol should be consulted.

anywhere access gateway: A network access server (NAS) that provides remote connectivity to a network.

AP exchange: See Authentication Protocol (AP) exchange.

application: A participant that is responsible for beginning, propagating, and completing an atomic transaction. An application communicates with a transaction manager in order to begin and complete transactions. An application communicates with a transaction manager in order to marshal transactions to and from other applications. An application also communicates in application-specific ways with a resource manager in order to submit requests for work on resources.

application advertise script: A file that contains a sequence of installation operations and configuration data for installing an application on a client machine. The installer follows the installation operations in the file and configures the metadata of the application to match the state information specified in the script.

application configuration file (ACF): A supplemental file that accompanies an Interface Definition Language (IDL) specification and is used to specify stub processing rules. For more information, see "The Attribute Configuration Source" in Part 2 of [C706] and [MS-RPCE].

Application Desktop Toolbar: A window (anchored to an edge of the screen) that is similar to the taskbar and that typically contains buttons that give the user quick access to other applications and windows.

application directory partition: An application NC.

application domain: A virtual process space within which managed code applications are hosted and executed. It is possible to have multiple managed code applications running inside a single process. Each managed code application runs within its own application domain and is isolated from other applications that are running in separate application domains.

application domain identifier (ID): A number used to uniquely identify an application domain.

application NC: A specific type of naming context (NC), or an instance of that type, that supports only full replicas (no partial replicas). An application NC cannot contain security principal objects. An application NC can contain dynamic objects. A forest can have zero or more application NCs. Application NCs do not appear in the global catalog (GC). The root of a domain NC is an object of class domainDNS.

application protocol: A network protocol that visibly accomplishes the task that the user or other agent wants to perform. This is distinguished from all manner of support protocols: from Ethernet or IP at the bottom to security and routing protocols. While necessary, these are not always visible to the user. Application protocols include, for instance, HTTP and Server Message Block (SMB).

ASCII: The American Standard Code for Information Interchange (ASCII) is an 8-bit character-encoding scheme based on the English alphabet. ASCII codes represent text in computers, communications equipment, and other devices that work with text. ASCII refers to a single 8-bit ASCII character or an array of 8-bit ASCII characters with the high bit of each character set to zero.

AS exchange: See Authentication Service (AS) exchange.

ASN.1: Abstract Syntax Notation One. ASN.1 is used to describe Kerberos datagrams as a sequence of components, sent in messages. ASN.1 is described in the following specifications: [ITUX660] for general procedures; [ITUX680] for syntax specification, and [ITUX690] for the Basic Encoding Rules (BER), Canonical Encoding Rules (CER), and Distinguished Encoding Rules (DER) encoding rules.

Note: There is a charge to download these documents.

assigned application: An application that is to be installed at computer startup or user logon.

atomic transaction: A shared activity that provides mechanisms for achieving the atomicity, consistency, isolation, and durability (ACID) properties when state changes occur inside participating resource managers.

attestation: A process of establishing some property of a computer platform or of a Trusted Platform Module (TPM) key, in part through TPM cryptographic operations.

Attestation Identity Key (AIK): An asymmetric (public/private) key pair that can substitute for the Endorsement Key (EK) as an identity for the Trusted Platform Module (TPM). The private portion of an AIK can never be revealed or used outside the TPM and can only be used inside the TPM for a limited set of operations. Furthermore, it can only be used for signing, and only for limited, TPM-defined operations.

attribute: (1) A characteristic of some object or entity, typically encoded as a name-value pair.

(2) (A specialization of the previous definition.) An identifier for a single or multivalued data element that is associated with a directory object. An object consists of its attributes and their values. For example, cn (common name), street (street address), and mail (email addresses) can all be attributes of a user object. An attribute's schema, including the syntax of its values, is defined in an attributeSchema object.

attribute syntax: Specifies the format and range of permissible values of an attribute. The syntax of an attribute is defined by several attributes on the attributeSchema object. Attribute syntaxes supported by Active Directory include Boolean, Enumeration, Integer, LargeInteger, String(UTC-Time), Object(DS-DN), and String(Unicode).

AttributeId: An OID-valued attribute of each attributeSchema object in the schema naming context (schema NC). In many Lightweight Directory Access Protocol (LDAP) directory implementations, this OID value (although not necessarily referred to as the attributeId) is the standard internal representation of an attribute. In the directory model used in [MS-ADTS], however, an attribute is represented by the more familiar LDAP display name (stored as the ldapDisplayName attribute on the corresponding attributeSchema object).

AttributeStamp: The type of a stamp attached to an attribute.

Augmented Backus-Naur Form (ABNF): A modified version of Backus-Naur Form (BNF), commonly used by Internet specifications. ABNF notation balances compactness and simplicity with reasonable representational power. ABNF differs from standard BNF in its definitions and uses of naming rules, repetition, alternatives, order-independence, and value ranges. For more information, see [RFC5234].

Authenticated IP (AuthIP): An Internet Key Exchange (IKE) protocol extension, as specified in [MS-AIPS].

authenticated users: A built-in security group specified in [MS-AUTHSOD] whose members include all users that can be authenticated by a computer.

authentication: (1) The ability of one entity to determine the identity of another entity.

(2) The act of proving an identity to a server while providing key material that binds the identity to subsequent communications.

authentication header (AH): An Internet Protocol Security (IPsec) encapsulation mode that provides authentication and message integrity. For more information, see [RFC4302] section 1.

authentication level: A numeric value indicating the level of authentication or message protection that remote procedure call (RPC) will apply to a specific message exchange. For more information, see [C706] section and [MS-RPCE].

authentication mode: One of several modes in which an authentication exchange may be performed.

Authentication Protocol (AP) exchange: The Kerberos subprotocol called the "authentication protocol", sometimes referred to as the "Client/Server Authentication Exchange", in which the client presents a service ticket and an authenticator to a service to establish an authenticated communication session with the service. The protocol is specified in [RFC4120] section 3.2.

authentication server: An entity that provides authentication services to authenticators so that these services do not have to be implemented by the authenticators.

Authentication Service (AS): A service that issues ticket granting tickets (TGTs), which are used for authenticating principals within the realm or domain served by the Authentication Service.

Authentication Service (AS) exchange: The Kerberos subprotocol in which the Authentication Service component of the key distribution center (KDC) accepts an initial logon or authentication request from a client and provides the client with a ticket granting ticket (TGT) and necessary cryptographic keys to make use of the ticket. This is specified in [RFC4120] section 3.1. The AS exchange is always initiated by the client, usually in response to the initial logon of a principal such as a user.

authentication type: A numeric identifier that uniquely identifies a security provider.

authenticator: (1) The entity requesting the authentication of a peer.

(2) A protocol message or data structure within a message that carries authentication information.

(3) When used in reference to the Netlogon Protocol, the data stored in the NETLOGON_AUTHENTICATOR structure.

(4) When used in reference to Kerberos, see Kerberos authenticator.

AuthIP: See Authenticated IP (AuthIP).

authorization: The secure computation of roles and accesses granted to an identity.

authorization context: The set of identities for groups and the identity of the user made available to a server for the purpose of determining authorization to a resource.

authorization data: An extensible field within a Kerberos ticket, used to pass authorization data about the principal on whose behalf the ticket was issued to the application service.

auxiliary class: See auxiliary object class.

auxiliary object class: An object class that cannot be instantiated in the directory but can be either added to, or removed from, an existing object to make its attributes available for use on that object; or associated with an abstract or structural object class to add its attributes to that abstract or structural object class.

AV pair: An attribute/value pair. The name of some attribute, along with its value. AV pairs in NTLM have a structure specifying the encoding of the information stored in them.