
3.2.5.8 AP Exchange

If UseSessionKey is set to TRUE, the client SHOULD set the USE-SESSION-KEY flag to TRUE in the ap-options field of the AP-REQ ([RFC4120] section 5.5.1).

When the server name is not Krbtgt, the client SHOULD send an AP request whose authenticator carries an authorization-data field ([RFC4120] section 5.2.6), initialized as follows:

  • ad-type KERB-LOCAL (142) and ad-data containing the KERB-LOCAL structure (section 2.2.3).

  • ad-type KERB_AUTH_DATA_TOKEN_RESTRICTIONS (141) and ad-data containing the KERB-AD-RESTRICTION-ENTRY structure (section 2.2.5).<37>

If ChannelBinding is set to TRUE, the client SHOULD send AD-AUTH-DATA-AP-OPTIONS data in an AD-IF-RELEVANT element ([RFC4120] section 5.2.6.1). The Authorization Data Type AD-AUTH-DATA-AP-OPTIONS has an ad-type of 143 and ad-data of KERB_AP_OPTIONS_CBT (0x4000). The presence of this element indicates that the client expects the applications running on it to include channel binding information ([RFC2743] section 1.1.6 and [RFC2744]) in AP requests whenever Kerberos authentication takes place over an "outer channel" such as TLS. Channel binding is provided using the ChannelBinding variable specified in section 3.2.1.
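The following Python is an added example that builds the authenticator authorization-data described above (the KERB-LOCAL, KERB_AUTH_DATA_TOKEN_RESTRICTIONS and, when ChannelBinding is TRUE, AD-AUTH-DATA-AP-OPTIONS elements) and decodes it back for inspection. It is not MS-KILE or Windows code. It assumes, because this page does not state it, that the KERB-LOCAL ad-data is an opaque 16-byte client-chosen blob, that the ad-data of type 141 is a DER SEQUENCE OF KERB-AD-RESTRICTION-ENTRY with the ASN.1 layout shown in the comments, that KERB_AP_OPTIONS_CBT is carried as a 4-byte little-endian integer, and that all three elements are wrapped in a single AD-IF-RELEVANT. The DER encoder and decoder are minimal and hand-written for this example.

```python
"""Build the AuthorizationData a client places in its AP-REQ authenticator.

Added example, not MS-KILE or Windows code.  Assumed, not stated on the page:
 - KERB-LOCAL ad-data is an opaque 16-byte client-chosen blob;
 - ad-data for type 141 is DER SEQUENCE OF KERB-AD-RESTRICTION-ENTRY, each
   SEQUENCE { restriction-type [0] Int32, restriction [1] OCTET STRING };
 - KERB_AP_OPTIONS_CBT is carried as a 4-byte little-endian integer;
 - all three elements sit inside one AD-IF-RELEVANT wrapper.
"""
import struct

AD_IF_RELEVANT = 1                       # RFC 4120 section 5.2.6.1
KERB_AUTH_DATA_TOKEN_RESTRICTIONS = 141  # ad-data: KERB-AD-RESTRICTION-ENTRY
KERB_LOCAL = 142                         # ad-data: KERB-LOCAL
AD_AUTH_DATA_AP_OPTIONS = 143            # ad-data: KERB_AP_OPTIONS_CBT
KERB_AP_OPTIONS_CBT = 0x4000             # "client expects channel bindings"


# ---- minimal DER encoder/decoder, enough for AuthorizationData -------------
def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body

def der_int(v: int) -> bytes:               # non-negative Int32, minimal two's complement
    n = max(1, (v.bit_length() + 8) // 8)
    return der(0x02, v.to_bytes(n, "big", signed=True))

def der_seq(*elems: bytes) -> bytes:
    return der(0x30, b"".join(elems))

def ctx(n: int, body: bytes) -> bytes:      # [n] EXPLICIT (constructed, context-specific)
    return der(0xA0 | n, body)

def _read_tlv(buf: bytes, pos: int):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


# ---- AuthorizationData construction ---------------------------------------
def ad_element(ad_type: int, ad_data: bytes) -> bytes:
    """One element: SEQUENCE { ad-type [0] Int32, ad-data [1] OCTET STRING }."""
    return der_seq(ctx(0, der_int(ad_type)), ctx(1, der(0x04, ad_data)))

def restriction_entry(restriction_type: int, restriction: bytes) -> bytes:
    """KERB-AD-RESTRICTION-ENTRY (assumed ASN.1 layout, see module docstring)."""
    return der_seq(ctx(0, der_int(restriction_type)), ctx(1, der(0x04, restriction)))

def build_ap_req_authz_data(sname: str, channel_binding: bool,
                            kerb_local: bytes, restriction: bytes) -> bytes:
    """DER AuthorizationData for the authenticator; empty when the server is krbtgt."""
    if sname.lower().startswith("krbtgt/"):
        return b""                               # page: only when the server name is not Krbtgt
    elems = [
        ad_element(KERB_LOCAL, kerb_local),
        ad_element(KERB_AUTH_DATA_TOKEN_RESTRICTIONS,
                   der_seq(restriction_entry(0, restriction))),
    ]
    if channel_binding:                          # ChannelBinding == TRUE (section 3.2.1)
        elems.append(ad_element(AD_AUTH_DATA_AP_OPTIONS,
                                struct.pack("<I", KERB_AP_OPTIONS_CBT)))
    # AD-IF-RELEVANT lets a server that does not understand these types ignore them.
    return der_seq(ad_element(AD_IF_RELEVANT, der_seq(*elems)))


def ad_entries(authz: bytes) -> list:
    """List (ad-type, ad-data) pairs, descending into AD-IF-RELEVANT wrappers."""
    out = []
    _, seq, _ = _read_tlv(authz, 0)
    pos = 0
    while pos < len(seq):
        _, elem, pos = _read_tlv(seq, pos)
        _, t0, p = _read_tlv(elem, 0)            # [0] ad-type
        _, raw, _ = _read_tlv(t0, 0)
        ad_type = int.from_bytes(raw, "big", signed=True)
        _, t1, _ = _read_tlv(elem, p)            # [1] ad-data
        _, data, _ = _read_tlv(t1, 0)
        out.extend(ad_entries(data) if ad_type == AD_IF_RELEVANT else [(ad_type, data)])
    return out
```

A call such as `build_ap_req_authz_data("host/srv.example.com", True, bytes(16), bytes(40))` yields AuthorizationData whose flattened entries are types 142, 141 and 143, the last with ad-data 00 40 00 00; passing a krbtgt server name returns nothing, matching the condition above. `ad_entries` is the quickest way to confirm, from a captured authenticator, whether a client actually advertised KERB_AP_OPTIONS_CBT.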

When the client receives a KRB_AP_ERR_SKEW error ([RFC4120] section 3.2.3) whose e-data field carries a KERB-ERROR-DATA structure (section 2.2.1), the client SHOULD retry the AP-REQ, using the server time (stime and susec) from the KRB-ERROR message ([RFC4120] section 5.9.1) rather than its own clock to build the authenticator's ctime and cusec ([RFC4120] section 5.5.1).
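The following Python is an added example of that skew-recovery retry, not MS-KILE or Windows code. KRB-ERROR and the authenticator are modelled as dataclasses rather than ASN.1, the e-data value in the constructed server is a placeholder byte string (not a real KERB-ERROR-DATA encoding), and the one-retry limit and 5-minute acceptance window are assumptions of the example: the page says only that the client retries using the server's time.

```python
"""KRB_AP_ERR_SKEW recovery in an AP exchange.

Added example, not MS-KILE or Windows code.  KRB-ERROR and the authenticator are
dataclasses, not ASN.1; the e-data is a constructed placeholder; the one-retry
limit and the 5-minute window are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

KRB_AP_ERR_SKEW = 37            # RFC 4120 section 7.5.9
MAX_SKEW_RETRIES = 1            # assumption: one time-corrected retry, never a loop


@dataclass
class KrbError:                 # the KRB-ERROR fields this example needs
    error_code: int
    stime: Optional[datetime]   # server time, seconds resolution (KerberosTime)
    susec: int                  # microsecond part
    e_data: Optional[bytes]     # KERB-ERROR-DATA when the server supplies one


@dataclass
class Authenticator:
    ctime: datetime
    cusec: int


class ApClient:
    def __init__(self, clock: Callable[[], datetime]):
        self.clock = clock                  # injected so the example is deterministic
        self.offset = timedelta(0)          # server time minus local time, learned on skew
        self.attempts = 0

    def make_authenticator(self) -> Authenticator:
        now = self.clock() + self.offset
        return Authenticator(now.replace(microsecond=0), now.microsecond)

    def run_ap_exchange(self, send: Callable[[Authenticator], Optional[KrbError]]) -> Authenticator:
        """send() returns None on success or the KRB-ERROR the server answered with."""
        retries = 0
        while True:
            auth = self.make_authenticator()
            self.attempts += 1
            err = send(auth)
            if err is None:
                return auth
            recoverable = (err.error_code == KRB_AP_ERR_SKEW
                           and err.e_data is not None       # page: only with KERB-ERROR-DATA present
                           and err.stime is not None
                           and retries < MAX_SKEW_RETRIES)
            if not recoverable:
                raise RuntimeError(f"AP exchange failed with error-code {err.error_code}")
            # Rebuild the authenticator from the server's stime/susec, not the local clock.
            server_now = err.stime.replace(microsecond=err.susec)
            self.offset = server_now - self.clock()
            retries += 1


def fake_server(server_clock: Callable[[], datetime],
                allowed_skew: timedelta = timedelta(minutes=5)):
    """Constructed application server: rejects authenticators outside allowed_skew."""
    def send(auth: Authenticator) -> Optional[KrbError]:
        now = server_clock()
        if abs(auth.ctime.replace(microsecond=auth.cusec) - now) > allowed_skew:
            return KrbError(KRB_AP_ERR_SKEW, now.replace(microsecond=0), now.microsecond,
                            e_data=b"\x30\x00")   # placeholder, not a real KERB-ERROR-DATA
        return None
    return send


SERVER_T0 = datetime(2015, 6, 1, 12, 0, 0, 250_000, tzinfo=timezone.utc)  # constructed
CLIENT_T0 = SERVER_T0 - timedelta(minutes=10)    # client clock 10 minutes slow


def demo_skew_recovery() -> dict:
    """Slow client: first AP-REQ is rejected, the retry carries the server's time."""
    client = ApClient(lambda: CLIENT_T0)
    auth = client.run_ap_exchange(fake_server(lambda: SERVER_T0))
    return {"attempts": client.attempts,
            "offset_seconds": client.offset.total_seconds(),
            "ctime": auth.ctime.isoformat(), "cusec": auth.cusec}


def demo_no_error_data() -> str:
    """A bare KRB_AP_ERR_SKEW without e-data is not retried."""
    client = ApClient(lambda: CLIENT_T0)
    try:
        client.run_ap_exchange(lambda auth: KrbError(KRB_AP_ERR_SKEW, SERVER_T0, 0, None))
    except RuntimeError as e:
        return str(e)
    return "unexpectedly succeeded"


def demo_gives_up() -> int:
    """A server that keeps answering KRB_AP_ERR_SKEW gets exactly one retry."""
    client = ApClient(lambda: CLIENT_T0)
    try:
        client.run_ap_exchange(lambda auth: KrbError(KRB_AP_ERR_SKEW, SERVER_T0, 0, b"\x30\x00"))
    except RuntimeError:
        pass
    return client.attempts
```

Bounding the retry matters: a client that re-derived its time from every skew error would loop forever against a server whose clock keeps moving, and an attacker able to inject KRB-ERROR messages could otherwise walk the client's notion of time arbitrarily far. The learned offset is kept per client so later authenticators to the same server do not trigger a second round trip.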

© 2015 Microsoft