3.3.5.6 AS Exchange

  • Article

Kerberos V5 specifies the AS exchange ([RFC4120] section 3.1). KILE also supports extensions to the AS exchange specified in [Referrals-11], [RFC5349], [RFC4556], and [MS-PKCA].

If Pre-AuthenticationNotRequired is set to TRUE on the principal, the KDC MUST issue a TGT without validating pre-authentication data ([RFC4120] section 7.5.2) provided.

If DES is used for pre-authentication, the KDC MUST:<50>

  • If UseDESOnly is not set: the KDC MUST return KDC_ERR_ETYPE_NOTSUPP.

  • Otherwise, if the account is:

    • krbtgt: the KDC MUST return KDC_ERR_ETYPE_NOTSUPP.

    • The computer account of a KDC: the KDC MUST return KDC_ERR_ETYPE_NOTSUPP.

The KDC SHOULD<51> return in the encrypted part of the AS-REP message a PA-DATA structure with padata-type set to PA-SUPPORTED-ENCTYPES [165] (section 2.2.8), to indicate what encryption types (section 2.2.7) are supported by the KDC, and whether Claims or FAST are supported.<52>

If domainControllerFunctionality returns a value >= 6 ([MS-ADTS] section 3.1.1.3.2.25), the KDC MUST check whether the account is a member of PROTECTED_USERS ([MS-DTYP] section 2.4.2.4). If it is a member of PROTECTED_USERS, then:<53>

  • If pre-authentication used DES or RC4, the KDC MUST return KDC_ERR_ETYPE_NOTSUPP.

  • MaxRenewAge (section 3.3.1) for the TGT is 4 hours unless specified by policy.

  • MaxTicketAge (section 3.3.1) for the TGT is 4 hours unless specified by policy.

If domainControllerFunctionality returns a value >= 6, the KDC MUST determine whether an Authentication Policy is applied to the account (section 3.3.5.5). If Enforced is TRUE, then:<54>

  • If TGTLifetime is not 0: MaxRenewAge for the TGT is TGTLifetime.

  • If TGTLifetime is not 0: MaxTicketAge for the TGT is TGTLifetime.

  • If AllowedToAuthenticateFrom is not NULL, the PAC of the armor TGT MUST be used to perform an access check for the ACTRL_DS_CONTROL_ACCESS right against the AllowedToAuthenticateFrom. If the access check fails, the KDC MUST return KDC_ERR_POLICY, as specified in [RFC4120] section 7.5.9.

The KDC checks whether the domainControllerFunctionality ([MS-ADTS] section 3.1.1.3.2.25) returns a value:

  • < 3: the KDC, in the encrypted pre-auth data part ([Referrals-11], Appendix A) of the AS-REP message, includes a PA-DATA structure with padata-type set to PA-SUPPORTED-ENCTYPES [165], and padata-value is set to 0x7 (section 2.2.7).

  • >= 3: the KDC, in the encrypted pre-auth data part of the AS-REP message, includes a PA-DATA structure with padata-type set to PA-SUPPORTED-ENCTYPES [165], and padata-value is set to 0x1F (section 2.2.7).