
3.2.5.5 AS Exchange

The Kerberos V5 protocol specifies the AS exchange ([RFC4120] section 3.1). KILE also supports extensions to the AS exchange as specified in [Referrals-11], [RFC5349], [RFC4556], and [MS-PKCA].

The client will always include a PAC request PA-data type when generating an AS-REQ message. The PAC is specified in [MS-PAC].

If EnableCBACandArmor is TRUE, the client SHOULD<30> behave as follows:

  1. When sending the AS-REQ, add a PA-PAC-OPTIONS [167] (section 2.2.9) PA-DATA type with the Claims bit set to request claims authorization data.

  2. When receiving the AS-REP, if the Claims bit is set in PA-SUPPORTED-ENCTYPES [165] and not set in PA-PAC-OPTIONS [167], the client SHOULD locate a DS_BEHAVIOR_WIN2012 DC (section 3.2.5.3) and go back to step 1.
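The two steps above can be traced with a small simulation. This is an added example, not code from the specification: `SimKdc`, the bit masks (taken from other MS-KILE sections, not this page), the raw 4-byte padata values standing in for the ASN.1 encoding, and the retry cap are all assumptions.

```python
import struct
from dataclasses import dataclass

PA_SUPPORTED_ENCTYPES, PA_PAC_OPTIONS = 165, 167  # padata types named on the page
# Assumed bit layouts, taken from other MS-KILE sections rather than this page:
CLAIMS_SUPPORTED = 0x00040000  # in the 32-bit little-endian PA-SUPPORTED-ENCTYPES value
PAC_OPT_CLAIMS = 0x80000000    # KerberosFlags bit 0 is the most significant bit

@dataclass
class SimKdc:
    """Constructed stand-in for a DC; win2012 models DS_BEHAVIOR_WIN2012."""
    name: str
    win2012: bool

    def as_rep_padata(self, req_padata):
        # The account advertises claims support (0x18 is a constructed enctype
        # mask); only a 2012-level DC echoes PA-PAC-OPTIONS [167] back.
        rep = {PA_SUPPORTED_ENCTYPES: struct.pack("<I", 0x18 | CLAIMS_SUPPORTED)}
        if self.win2012 and PA_PAC_OPTIONS in req_padata:
            rep[PA_PAC_OPTIONS] = req_padata[PA_PAC_OPTIONS]
        return rep

def _u32(padata, pa_type, fmt):
    # Missing or short padata is treated as "no bits set".
    value = padata.get(pa_type)
    return struct.unpack(fmt, value[:4])[0] if value and len(value) >= 4 else 0

def needs_claims_retry(rep_padata):
    """Step 2: Claims set in [165] but not set in [167]."""
    advertised = _u32(rep_padata, PA_SUPPORTED_ENCTYPES, "<I") & CLAIMS_SUPPORTED
    honoured = _u32(rep_padata, PA_PAC_OPTIONS, ">I") & PAC_OPT_CLAIMS
    return bool(advertised) and not honoured

def as_exchange(kdcs, max_attempts=2):
    """Run steps 1-2; returns (kdc_name, claims_granted, attempts)."""
    kdc = kdcs[0]
    for attempt in range(1, max_attempts + 1):
        req = {PA_PAC_OPTIONS: struct.pack(">I", PAC_OPT_CLAIMS)}  # step 1
        rep = kdc.as_rep_padata(req)
        if not needs_claims_retry(rep):
            granted = bool(_u32(rep, PA_PAC_OPTIONS, ">I") & PAC_OPT_CLAIMS)
            return kdc.name, granted, attempt
        upgraded = next((k for k in kdcs if k.win2012 and k is not kdc), None)
        if upgraded is None or attempt == max_attempts:
            return kdc.name, False, attempt  # proceed without claims
        kdc = upgraded  # "go back to step 1" against the newer DC
```

The retry cap keeps a client from looping when no DS_BEHAVIOR_WIN2012 DC can be located; the page itself does not state a bound.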

If EnableCBACandArmor is TRUE, the principal is not the computer account, and the client is running on a domain-joined computer, the Kerberos client SHOULD use FAST [RFC6113] when the principal’s Realm supports FAST (section 3.2.5.4).<31>

© 2015 Microsoft