
3.2.5.5 AS Exchange

The Kerberos V5 protocol specifies the AS exchange ([RFC4120] section 3.1). KILE also supports extensions to the AS exchange as specified in [Referrals-11], [RFC5349], [RFC4556], and [MS-PKCA].

The client will always include a PAC request PA-data type when generating an AS-REQ message. The PAC is specified in [MS-PAC].

If EnableCBACandArmor is TRUE, the client SHOULD<29> behave as follows:

  1. When sending the AS-REQ, add a PA-PAC-OPTIONS [167] (section 2.2.10) PA-DATA type with the Claims bit set to request claims authorization data.

  2. When receiving the AS-REP, if the Claims bit is set in PA-SUPPORTED-ENCTYPES [165], and not set in PA-PAC-OPTIONS [167], the client SHOULD locate a DS_BEHAVIOR_WIN2012 DC (section 3.2.5.3) and go back to step 1.
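
The two steps above, as an added example that is not part of the specification text or of any Microsoft code: it builds the PA-PAC-OPTIONS value a client would send with the Claims bit set, and evaluates the step 2 condition over the PA-DATA returned in an AS-REP. Assumptions not stated on this page: the DER layout `SEQUENCE { [0] KerberosFlags }` with Claims as bit 0, the Claims-supported bit value `0x00040000`, the 4-byte little-endian encoding of PA-SUPPORTED-ENCTYPES, and the function names, which are hypothetical.

```python
import struct

PA_SUPPORTED_ENCTYPES = 165    # padata-type numbers as given in the text above
PA_PAC_OPTIONS = 167
CLAIMS_FLAG = 0x80000000       # assumed: KerberosFlags bit 0 = Claims (MSB first)
CLAIMS_SUPPORTED = 0x00040000  # assumed: Claims-supported bit of the enctypes field
_PREFIX = bytes.fromhex("3009a007030500")  # SEQUENCE, [0], BIT STRING, 0 unused bits

def encode_pa_pac_options(flags):
    """padata-value for step 1: SEQUENCE { [0] KerberosFlags } with 32 flag bits."""
    return _PREFIX + struct.pack(">I", flags)

def decode_pa_pac_options(value):
    """Return the 32 flag bits; reject anything but the fixed 11-byte encoding."""
    if len(value) != 11 or not value.startswith(_PREFIX):
        raise ValueError("unexpected PA-PAC-OPTIONS encoding")
    return struct.unpack(">I", value[7:])[0]

def needs_win2012_dc(as_rep_padata):
    """Step 2 check over (padata-type, padata-value) pairs from the AS-REP."""
    pa = dict(as_rep_padata)
    enc = pa.get(PA_SUPPORTED_ENCTYPES, b"")
    opts = pa.get(PA_PAC_OPTIONS)
    # Assumed layout: 4-byte little-endian bit field in PA-SUPPORTED-ENCTYPES.
    supported = len(enc) == 4 and bool(struct.unpack("<I", enc)[0] & CLAIMS_SUPPORTED)
    echoed = opts is not None and bool(decode_pa_pac_options(opts) & CLAIMS_FLAG)
    return supported and not echoed

if __name__ == "__main__":
    # Constructed sample values, not captured traffic.
    req = encode_pa_pac_options(CLAIMS_FLAG)
    print("AS-REQ PA-PAC-OPTIONS:", req.hex())
    rep = [(PA_SUPPORTED_ENCTYPES, struct.pack("<I", 0x0004001F))]
    print("retry against DS_BEHAVIOR_WIN2012 DC:", needs_win2012_dc(rep))
```

The same check is useful when reviewing a decoded capture: an AS-REP that advertises claims support but does not echo the Claims bit indicates the request was served by a DC below DS_BEHAVIOR_WIN2012.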

If EnableCBACandArmor is TRUE, the principal is not the computer account, and the client is running on a domain-joined computer, the Kerberos client SHOULD use FAST [RFC6113] when the principal’s Realm supports FAST (section 3.2.5.4).<30>

© 2015 Microsoft