2.1.4.1 Kerberos Protocols
Figure 13: Relationships between Kerberos protocol and Microsoft extensions
The Kerberos Protocol Extensions [MS-KILE]:
    Specifies Microsoft extensions to [RFC4120] and [RFC3961] and clarifies behavior that is implementation-specific.
    Extends the GSS-API RFCs with two new APIs.
    Extends [RFC4120] with:
        New pre-authentication data using the RFC's extensibility point.
        New elements using the RFC's optional authorization data elements.
        New KRB-ERROR clock skew data.
        Support for the use of Active Directory as the Kerberos account database.
        Processing rules for Windows authorization data [MS-PAC].
Public Key Cryptography for Initial Authentication [MS-PKCA] specifies Microsoft extensions to [RFC4556] and [RFC5349], and normatively documents behavior from an earlier draft of [RFC4556].
Kerberos Protocol Extensions: Service for User and Constrained Delegation Protocol Specification [MS-SFU] extends [RFC4120] with support for:
    Service-for-User-to-Self (S4U2self).
    Service-for-User-to-Proxy (S4U2proxy).
    Tracking services that have been delegated, by adding new structures in the PAC.
The Privilege Attribute Certificate Data Structure [MS-PAC] extends [RFC4120] by providing a mechanism to convey authorization information by encapsulating this information within an AuthorizationData structure ([RFC4120] section 5.2.6).
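The following is an added example, not code from the specifications above: it encodes and decodes an RFC 4120 AuthorizationData (section 5.2.6) carrying a PAC the way [MS-PAC] describes, as an AD-WIN2K-PAC element (ad-type 128) wrapped inside an AD-IF-RELEVANT element (ad-type 1), and locates the PAC payload when parsing a ticket's authorization data. The DER helpers are hand-rolled for this example and the PAC bytes are a constructed placeholder, not a real PAC.

```python
# Added example: RFC 4120 AuthorizationData carrying an MS-PAC element (hand-rolled DER).
AD_IF_RELEVANT = 1     # RFC 4120 section 7.5.4
AD_WIN2K_PAC = 128     # MS-PAC section 2

def _tlv(tag: int, body: bytes) -> bytes:   # DER tag-length-value, short or long-form length
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _int(v: int) -> bytes:                  # DER INTEGER, two's-complement, minimal length
    return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))

def encode_authz(elements):
    """AuthorizationData ::= SEQUENCE OF SEQUENCE {ad-type [0] Int32, ad-data [1] OCTET STRING}"""
    return _tlv(0x30, b"".join(_tlv(0x30, _tlv(0xA0, _int(t)) + _tlv(0xA1, _tlv(0x04, d)))
                               for t, d in elements))

def _read_tlv(buf: bytes, pos: int):        # returns (tag, value, position after the TLV)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n >= 0x80:                           # long form: low 7 bits give the length-of-length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def decode_authz(buf: bytes):               # inverse of encode_authz -> [(ad-type, ad-data)]
    tag, body, end = _read_tlv(buf, 0)
    if tag != 0x30 or end != len(buf):
        raise ValueError("not a single DER SEQUENCE")
    out, pos = [], 0
    while pos < len(body):
        t, item, pos = _read_tlv(body, pos)
        t0, v0, p = _read_tlv(item, 0)
        t1, v1, _ = _read_tlv(item, p)
        if (t, t0, t1) != (0x30, 0xA0, 0xA1):
            raise ValueError("malformed AuthorizationData element")
        out.append((int.from_bytes(_read_tlv(v0, 0)[1], "big", signed=True), _read_tlv(v1, 0)[1]))
    return out

def find_pac(authz_der: bytes):             # AD-WIN2K-PAC payload, descending AD-IF-RELEVANT, else None
    for ad_type, ad_data in decode_authz(authz_der):
        if ad_type == AD_WIN2K_PAC:
            return ad_data
        if ad_type == AD_IF_RELEVANT and (pac := find_pac(ad_data)) is not None:
            return pac
    return None

SAMPLE_PAC = bytes(range(256)) * 2          # constructed placeholder bytes, not a real PAC
SAMPLE_AUTHZ = encode_authz([(AD_IF_RELEVANT, encode_authz([(AD_WIN2K_PAC, SAMPLE_PAC)]))])
```

A real PAC recovered this way still has to be validated against [MS-PAC] (its signatures and its consistency with the ticket's client) before any authorization decision is based on it.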