
3.3.5.7.3 Domain Local Group Membership

Groups can be created so that they are only visible to servers in the same domain. For every service ticket that is issued during a TGS request, except for cross-realm TGTs, the KDC MUST populate the PAC with domain local group membership for the user.

For KILE implementations that use an Active Directory for the account database, KDCs MUST call IDL_DRSGetMemberships ([MS-DRSR] section 4.1.8) where:

  • dwInVersion is 1.

  • pmsgIn.cDsNames is the count of items in the ppDsNames array.

  • pmsgIn.ppDsNames is an array of DSNAME structures ([MS-DRSR] section 5.50) that identify the user and also the groups, contained in GroupIds ([MS-PAC] section 2.5), that the user is a member of. For each DSNAME, Sid is set to a SID (see the following list), SidLen is set to the length of the SID, and the other fields are set to NULL.

    Note that each Sid field is calculated as follows:

    • For the user, Sid contains the SID of the user created by concatenating LogonDomainId ([MS-PAC] section 2.5) and UserId ([MS-PAC] section 2.5).

    • For each account domain group, Sid contains the SID of the group created by concatenating LogonDomainId ([MS-PAC] section 2.5) and GroupIds.RelativeID ([MS-PAC] section 2.2.2).

    • For each group in other domains, Sid contains ExtraSids.Sid ([MS-PAC] section 2.2.2).

  • pmsgIn.dwFlags is 0.

  • pmsgIn.OperationType is set to RevMembGetResourceGroups.

  • pmsgIn.pLimitingDomain is set to NULL.

Then the KDC MUST copy the populated fields from the PAC in the TGT to the newly created PAC, and MUST add the domain local groups returned by IDL_DRSGetMemberships ([MS-DRSR] section 4.1.8) to the existing fields of the KERB_VALIDATION_INFO structure ([MS-PAC] section 2.5) of the new PAC as follows:

  • If the Resource-SID-compression-disabled bit is NOT set in the Application Server's service account's KerbSupportedEncryptionTypes and NOT set in the krbtgt's account's KerbSupportedEncryptionTypes:<66>

    • The ResourceGroupDomainSid field contains the SID for the domain.

    • The ResourceGroupCount field contains the number of groups in the ResourceGroupIds field.

    • The ResourceGroupIds field contains the pointer to a list which is the list copied from the PAC in the TGT plus a list constructed from the domain local groups where:

      • RelativeId ([MS-PAC] section 2.2.2) contains the RID of the value pmsgOut.ppDsNames.Sid ([MS-DRSR] section 5.50).

      • Attributes ([MS-PAC] section 2.2.2) has the A, B, C and E bits set to 1, and all other bits set to zero.

  • Otherwise:

    • The SidCount field contains the number of groups in the ExtraSids field.

    • The ExtraSids field contains the pointer to a list which is the list copied from the PAC in the TGT plus a list constructed from the domain local groups where:

      • Sid ([MS-PAC] section 2.2.1) contains the value pmsgOut.ppDsNames.Sid ([MS-DRSR] section 5.50).

      • Attributes ([MS-PAC] section 2.2.1) has the A, B, C and E bits set to 1, and all other bits set to zero.
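The following is an added worked example of the processing described above; it is not code from MS-KILE, MS-DRSR or any Windows KDC. It builds the SID list the KDC would place in pmsgIn.ppDsNames from the TGT's PAC fields, and then merges a set of returned domain local groups into the new PAC, choosing between the ResourceGroupIds path and the ExtraSids path based on the Resource-SID-compression-disabled bit of both accounts. The IDL_DRSGetMemberships call is replaced by a constructed list of group SIDs; the ValidationInfo class, the helper names, the numeric values of attribute bits A, B, C and E (taken from [MS-PAC] section 2.2.1) and of the compression-disabled flag (taken from the msDS-SupportedEncryptionTypes layout in [MS-KILE]) are assumptions of this example, and all SIDs are constructed sample values.

```python
# Added example for MS-KILE 3.3.5.7.3 (not spec code): SIDs are handled as
# "S-1-5-21-..." strings instead of binary SID structures.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Attribute bits A, B, C and E of GROUP_MEMBERSHIP / KERB_SID_AND_ATTRIBUTES.
# Values assumed from [MS-PAC] 2.2.1; the page only names the bit letters.
SE_GROUP_MANDATORY = 0x00000001          # A
SE_GROUP_ENABLED_BY_DEFAULT = 0x00000002 # B
SE_GROUP_ENABLED = 0x00000004            # C
SE_GROUP_RESOURCE = 0x20000000           # E
DOMAIN_LOCAL_ATTRIBUTES = (SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT
                           | SE_GROUP_ENABLED | SE_GROUP_RESOURCE)

# Resource-SID-compression-disabled bit of KerbSupportedEncryptionTypes.
# Assumed value; only the bit's name appears on the page.
RESOURCE_SID_COMPRESSION_DISABLED = 0x00080000


@dataclass
class ValidationInfo:
    """Subset of KERB_VALIDATION_INFO used here (assumed structure)."""
    logon_domain_id: str
    user_id: int
    group_ids: List[Tuple[int, int]]          # (RelativeID, Attributes)
    extra_sids: List[Tuple[str, int]]         # (Sid, Attributes)
    resource_group_domain_sid: Optional[str] = None
    resource_group_ids: List[Tuple[int, int]] = field(default_factory=list)

    @property
    def sid_count(self) -> int:
        return len(self.extra_sids)

    @property
    def resource_group_count(self) -> int:
        return len(self.resource_group_ids)


def rid_of(sid: str) -> int:
    """RID is the last sub-authority of a string-form SID."""
    return int(sid.rsplit("-", 1)[1])


def membership_query_sids(tgt: ValidationInfo) -> List[str]:
    """SIDs the KDC places in pmsgIn.ppDsNames for IDL_DRSGetMemberships."""
    sids = [f"{tgt.logon_domain_id}-{tgt.user_id}"]          # the user
    sids += [f"{tgt.logon_domain_id}-{rid}" for rid, _ in tgt.group_ids]  # account domain groups
    sids += [sid for sid, _ in tgt.extra_sids]                # groups in other domains
    return sids


def compression_disabled(service_enc_types: int, krbtgt_enc_types: int) -> bool:
    """Compression is used only if the bit is clear on BOTH accounts."""
    return bool((service_enc_types | krbtgt_enc_types) & RESOURCE_SID_COMPRESSION_DISABLED)


def build_service_ticket_info(tgt: ValidationInfo, domain_local_sids: List[str],
                              resource_domain_sid: str,
                              service_enc_types: int, krbtgt_enc_types: int) -> ValidationInfo:
    """Copy the TGT PAC fields and append the domain local groups."""
    new = ValidationInfo(tgt.logon_domain_id, tgt.user_id, list(tgt.group_ids),
                         list(tgt.extra_sids), tgt.resource_group_domain_sid,
                         list(tgt.resource_group_ids))
    if not compression_disabled(service_enc_types, krbtgt_enc_types):
        # Compressed form: domain SID once, RIDs in ResourceGroupIds.
        new.resource_group_domain_sid = resource_domain_sid
        new.resource_group_ids += [(rid_of(s), DOMAIN_LOCAL_ATTRIBUTES) for s in domain_local_sids]
    else:
        # Uncompressed form: full SIDs appended to ExtraSids.
        new.extra_sids += [(s, DOMAIN_LOCAL_ATTRIBUTES) for s in domain_local_sids]
    return new


# Constructed sample data (not real identifiers).
SAMPLE_TGT = ValidationInfo(
    logon_domain_id="S-1-5-21-1-2-3", user_id=1105,
    group_ids=[(513, 0x7)],
    extra_sids=[("S-1-5-21-9-9-9-1201", 0x7)],
)
# Stand-in for pmsgOut.ppDsNames returned by IDL_DRSGetMemberships.
SAMPLE_DOMAIN_LOCAL = ["S-1-5-21-1-2-3-1300", "S-1-5-21-1-2-3-1301"]

if __name__ == "__main__":
    print(membership_query_sids(SAMPLE_TGT))
    compressed = build_service_ticket_info(SAMPLE_TGT, SAMPLE_DOMAIN_LOCAL, "S-1-5-21-1-2-3", 0x18, 0x18)
    print(compressed.resource_group_domain_sid, compressed.resource_group_ids)
    uncompressed = build_service_ticket_info(SAMPLE_TGT, SAMPLE_DOMAIN_LOCAL, "S-1-5-21-1-2-3",
                                             0x18 | RESOURCE_SID_COMPRESSION_DISABLED, 0x18)
    print(uncompressed.extra_sids)
```

Note that the compressed and uncompressed forms carry the same group set; a verifier or SID-filtering implementation on the application server side has to read ResourceGroupDomainSid plus ResourceGroupIds as well as ExtraSids to see every domain local group the KDC added.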

© 2015 Microsoft