3.3.5.7.3 Domain Local Group Membership


Groups can be created so that they are only visible to servers in the same domain. For every service ticket that is issued during a TGS request, except for cross-realm TGTs, the KDC MUST populate the PAC with domain local group membership for the user.

For KILE implementations that use Active Directory for the account database, KDCs MUST call the GetResourceDomainInfo procedure ([MS-ADTS] section 3.1.1.13.4) where:

  • InputSids is an array of SIDs that identify the user and also the groups, contained in GroupIds ([MS-PAC] section 2.5), that the user is a member of.

    Note that each SID is calculated as follows:

    • For the user, the SID contains the SID of the user created by concatenating LogonDomainId ([MS-PAC] section 2.5) and UserId ([MS-PAC] section 2.5).

    • For each account domain group, the SID contains the SID of the group created by concatenating LogonDomainId ([MS-PAC] section 2.5) and GroupIds.RelativeID ([MS-PAC] section 2.2.2).

    • For each group in other domains, the SID contains ExtraSids.Sid ([MS-PAC] section 2.2.2).

The KDC MUST then copy the populated fields from the PAC in the TGT to the newly created PAC, and add the domain local groups returned by the GetResourceDomainInfo procedure ([MS-ADTS] section 3.1.1.13.4) to the KERB_VALIDATION_INFO structure ([MS-PAC] section 2.5) of the new PAC as follows:

  • If the Resource-SID-compression-disabled bit is not set in the Application Server's service account's KerbSupportedEncryptionTypes and not set in the krbtgt's account's KerbSupportedEncryptionTypes:<69>

    • The ResourceGroupDomainSid field contains the SID for the domain.

    • The ResourceGroupCount field contains the number of groups in the ResourceGroupIds field.

    • The ResourceGroupIds field contains a pointer to a list consisting of the list copied from the PAC in the TGT followed by entries constructed from the domain local groups, where:

      • RelativeId ([MS-PAC] section 2.2.2) contains the RID of the value from the ResourceSids parameter ([MS-ADTS] section 3.1.1.13.4).

      • Attributes ([MS-PAC] section 2.2.2) has the A, B, C, and E bits set to 1, and all other bits set to zero.

  • Otherwise:

    • The SidCount field contains the number of groups in the ExtraSids field.

    • The ExtraSids field contains a pointer to a list consisting of the list copied from the PAC in the TGT followed by entries constructed from the domain local groups, where:

      • Sid ([MS-PAC] section 2.2.1) contains the value from the ResourceSids parameter ([MS-ADTS] section 3.1.1.13.4).

      • Attributes ([MS-PAC] section 2.2.1) has the A, B, C, and E bits set to 1, and all other bits set to zero.
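The following is an added example, not part of [MS-KILE] or any KDC implementation, that models the steps above in plain Python: it builds the InputSids list from a TGT's KERB_VALIDATION_INFO and then appends the returned domain local groups either as compressed RIDs (ResourceGroupIds) or as full SIDs (ExtraSids), depending on the Resource-SID-compression-disabled bit. The ValidationInfo class, the string form of SIDs, and the numeric constants (attribute bits A, B, C, E from [MS-PAC] section 2.2.2; the KerbSupportedEncryptionTypes bit from [MS-KILE] section 2.2.7) are assumptions not stated on this page.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# GROUP_MEMBERSHIP attribute bits A, B, C, E; values taken from [MS-PAC] 2.2.2, not from this page.
SE_GROUP_MANDATORY, SE_GROUP_ENABLED_BY_DEFAULT = 0x00000001, 0x00000002  # A, B
SE_GROUP_ENABLED, SE_GROUP_RESOURCE = 0x00000004, 0x20000000               # C, E
RESOURCE_ATTRS = SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED | SE_GROUP_RESOURCE
# KerbSupportedEncryptionTypes flag; value assumed from [MS-KILE] 2.2.7.
RESOURCE_SID_COMPRESSION_DISABLED = 0x00080000

@dataclass
class ValidationInfo:
    """Subset of KERB_VALIDATION_INFO ([MS-PAC] 2.5) used by this procedure (assumed model)."""
    logon_domain_id: str
    user_id: int
    group_ids: List[Tuple[int, int]]               # (RelativeId, Attributes)
    extra_sids: List[Tuple[str, int]]              # (Sid, Attributes)
    resource_group_domain_sid: Optional[str] = None
    resource_group_ids: List[Tuple[int, int]] = field(default_factory=list)
    @property
    def sid_count(self) -> int:             # SidCount field
        return len(self.extra_sids)
    @property
    def resource_group_count(self) -> int:  # ResourceGroupCount field
        return len(self.resource_group_ids)

def split_sid(sid: str) -> Tuple[str, int]:
    domain, _, rid = sid.rpartition("-")   # "S-1-5-21-x-y-z-RID" -> ("S-1-5-21-x-y-z", RID)
    return domain, int(rid)

def input_sids(info: ValidationInfo) -> List[str]:
    """InputSids for GetResourceDomainInfo: user SID, account-domain group SIDs, then ExtraSids."""
    sids = [f"{info.logon_domain_id}-{info.user_id}"]
    sids += [f"{info.logon_domain_id}-{rid}" for rid, _ in info.group_ids]
    return sids + [sid for sid, _ in info.extra_sids]

def add_domain_local_groups(tgt: ValidationInfo, resource_sids: List[str],
                            service_ketypes: int, krbtgt_ketypes: int) -> ValidationInfo:
    """Build the service ticket's KERB_VALIDATION_INFO from the TGT's copy plus ResourceSids."""
    new = ValidationInfo(tgt.logon_domain_id, tgt.user_id, list(tgt.group_ids), list(tgt.extra_sids),
                         tgt.resource_group_domain_sid, list(tgt.resource_group_ids))
    if (service_ketypes | krbtgt_ketypes) & RESOURCE_SID_COMPRESSION_DISABLED:
        new.extra_sids += [(s, RESOURCE_ATTRS) for s in resource_sids]       # full SIDs, uncompressed
        return new
    domains = {split_sid(s)[0] for s in resource_sids}
    if len(domains) > 1:   # added sanity check: domain local groups all belong to the KDC's domain
        raise ValueError("ResourceSids span more than one domain")
    new.resource_group_domain_sid = domains.pop() if domains else new.resource_group_domain_sid
    new.resource_group_ids += [(split_sid(s)[1], RESOURCE_ATTRS) for s in resource_sids]  # RIDs only
    return new
```

A PAC validator can apply the same split when checking a ticket: resource groups must appear in exactly one of the two forms, and every resource entry carries the E (SE_GROUP_RESOURCE) bit.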