Request Flags Details

Kerberos V5 specifies Kerberos ticket-issuing behavior defined by a set of options that are passed to the KDC during the AS exchange or TGS exchange.

Clients SHOULD set the canonicalize flag ([RFC4120] section 5.4.1, and [Referrals-11] section 3). For non-KILE realms, if RealmCanonicalize is not set for the realm, the client SHOULD NOT set the canonicalize flag ([RFC4120] section 5.4.1).

The client SHOULD NOT set the PROXY or PROXIABLE option ([RFC4120] section 2.5).

If Delegate is set to TRUE, the client SHOULD set the FORWARDABLE option in the TGS request. When the client receives a forwardable ticket, it puts the ticket in a KRB_CRED structure ([RFC4120] section 3.6). The client SHOULD NOT forward the ticket unless the TGT is marked OK-AS-DELEGATE ([RFC4120] section 2.8).

If MutualAuthentication is set to TRUE, the client SHOULD set the MUTUAL-REQUIRED flag in the KRB_AP_REQ message ([RFC4120] sections 3.2.2 and 3.2.4).

If the Kerberos client does not have network access to the KDC and KKDCP is supported, the Kerberos client SHOULD call ProxyMessage() ([MS-KKDCP] section where:

  • kerb-message contains the KRB_AS_REQ or KRB_TGS_REQ message.

  • target-domain contains the realm field of the KRB_AS_REQ or KRB_TGS_REQ message ([RFC4120] section 5.4.1).

  • dclocator-hint is the Flags parameter ([MS-NRPC] section the client used to find a domain controller for the Kerberos message to determine that a KDC was not accessible.

If Output_kerb_message is returned, then process the KRB_AS_REP, KRB_TGS_REP, or KRB_ERROR message contained in Output_kerb_message.kerb-message. Otherwise, the Kerberos client SHOULD fail.