
3.3.1 Abstract Data Model

KILE uses the abstract data model and default values specified in Kerberos V5, except for the following default configuration values:

  • Minimum lifetime ([RFC4120] section 8.2): 0 minutes.

  • MaxRenewAge: A 64-bit signed integer containing the maximum renewable lifetime ([RFC4120] section 8.2). KILE implementations that use the LSAD for the configuration database SHOULD directly access the MaxRenewAge field in the Kerberos Policy Information ([MS-LSAD] section 3.1.1.1).

  • MaxClockSkew: A 64-bit signed integer containing the acceptable clock skew ([RFC4120] section 8.2). KILE implementations that use the LSAD for the configuration database SHOULD directly access the MaxClockSkew field in the Kerberos Policy Information ([MS-LSAD] section 3.1.1.1).

The maximum ticket lifetime ([RFC4120] section 8.2) is configured separately for TGTs and service tickets:

  • MaxServiceTicketAge: A 64-bit signed integer containing the maximum service ticket lifetime. KILE implementations that use the LSAD for the configuration database SHOULD directly access the MaxServiceTicketAge field in the Kerberos Policy Information ([MS-LSAD] section 3.1.1.1). The default is 10 hours.

  • MaxTicketAge: A 64-bit signed integer containing the maximum TGT lifetime. KILE implementations that use the LSAD for the configuration database SHOULD directly access the MaxTicketAge field in the Kerberos Policy Information ([MS-LSAD] section 3.1.1.1). The default is 10 hours.

KILE also adds the following new KDC configuration setting:

  • AuthenticationOptions: A 32-bit unsigned integer containing the POLICY_KERBEROS_VALIDATE_CLIENT flag. KILE implementations that use the LSAD for the configuration database SHOULD directly access the AuthenticationOptions field in the Kerberos Policy Information ([MS-LSAD] section 3.1.1.1). Only the POLICY_KERBEROS_VALIDATE_CLIENT flag is supported and SHOULD be set by default.

The KDC configuration setting is a registry key, ClaimsCompIdFASTSupport. This is a 32-bit unsigned integer, used as follows:<38>

  • If set to 0, there are no new behaviors.

  • If set to 1, the KDC supports claims, compound identity, and FAST and other KDCs in the domain do not.

  • If set to 2, all KDCs in the domain support claims, compound identity, and FAST.

  • If set to 3, all KDCs in the domain support claims and compound identity and enforce FAST.

Implementations that use the Windows registry to persistently store and retrieve this variable SHOULD use the following:

  • RegistryValueName: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters

  • RegistryValueType: 4

  • RegistryValue: CbacAndArmorLevel

The implementation SHOULD also expose the key and value at the specified registry path using the Windows Remote Registry Protocol ([MS-RRP]). For each abstract data model element that is loaded from the registry, there is one instance that is shared between the Windows Remote Registry Protocol and any protocols that use the abstract data model element. Any changes made to the registry keys are reflected in the abstract data model elements when a PolicyChange event is received ([MS-GPOD] section 2.8.2) or on KDC startup.
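As an added example that is not part of [MS-KILE], the following PowerShell function reads the CbacAndArmorLevel value from the KDC Parameters key given above, verifies that it has the REG_DWORD type (RegistryValueType 4), and decodes it using the four meanings this section defines. The function name, the output property names, and the treatment of an absent value as "not configured" are this example's own assumptions.

```powershell
# Added example: audit the KDC claims / compound identity / FAST setting on the local host.
# Function and property names are chosen for this example, not taken from the specification.
function Get-KdcClaimsCompIdFastSupport {
    [CmdletBinding()]
    param(
        # Registry path from this section, in HKLM: drive form.
        [string]$KeyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters',
        [string]$ValueName = 'CbacAndArmorLevel'
    )

    # Meanings of the four defined settings, as listed in this section.
    $meanings = @{
        0 = 'No new behaviors'
        1 = 'This KDC supports claims, compound identity and FAST; other KDCs in the domain do not'
        2 = 'All KDCs in the domain support claims, compound identity and FAST'
        3 = 'All KDCs in the domain support claims and compound identity and enforce FAST'
    }

    $key = Get-Item -Path $KeyPath -ErrorAction SilentlyContinue
    if ($null -eq $key -or $key.GetValueNames() -notcontains $ValueName) {
        # Assumption: an absent key or value means the setting has not been configured here.
        return [pscustomobject]@{ Configured = $false; Level = $null; Meaning = 'Value not present'; FastEnforced = $false }
    }

    # RegistryValueType 4 is REG_DWORD; refuse to interpret any other type.
    $kind = $key.GetValueKind($ValueName)
    if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
        throw "$ValueName has registry type $kind; expected DWord (type 4)"
    }

    $level = [int]$key.GetValue($ValueName)
    if (-not $meanings.ContainsKey($level)) {
        throw "$ValueName is $level; only values 0 through 3 are defined"
    }

    [pscustomobject]@{
        Configured       = $true
        Level            = $level
        Meaning          = $meanings[$level]
        Claims           = ($level -ge 1)
        CompoundIdentity = ($level -ge 1)
        FastSupported    = ($level -ge 1)
        FastEnforced     = ($level -eq 3)
    }
}

Get-KdcClaimsCompIdFastSupport | Format-List
```

Run it on a domain controller; on a host that is not a KDC the key is normally absent and the function reports Configured = False rather than failing.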

KILE implementations that use an Active Directory for the account database SHOULD support the following variables:

  • NetbiosServerName: The NetBIOS name for the server. This Abstract Data Model element is shared with ComputerName.NetBIOS ([MS-WKST] section 3.2.1.2).

  • NetbiosDomainName: The NetBIOS domain name for the domain to which the server belongs. This Abstract Data Model element is shared with DomainName.NetBIOS ([MS-WKST] section 3.2.1.6).

  • DomainSid: A security identifier (SID) for the domain. This Abstract Data Model element is shared with DomainSid ([MS-WKST] section 3.2.1.6).

© 2016 Microsoft