3.3.5.1 Request Flag Ticket-issuing Behavior

Kerberos V5 specifies Kerberos ticket-issuing behavior defined by the kdc-options ([RFC4120] section 5.4.1) that are passed to the KDC during the AS or TGS exchange.

Kerberos V5 specifies Kerberos TicketFlags ([RFC4120] Section 5.3) that can be set by the KDC on tickets.

KILE KDCs use the following account variables to enforce TicketFlags:

  • If DelegationNotAllowed is set to TRUE on the principal (or if domainControllerFunctionality returns a value >= 6 ([MS-ADTS] section 3.1.1.3.2.25) and the principal is a member of PROTECTED_USERS ([MS-DTYP] section 2.4.2.4)), the KILE KDC MUST NOT set the PROXIABLE or FORWARDABLE ticket flags ([RFC4120] sections 2.5 and 2.6).

  • If TrustedForDelegation is set to TRUE on the principal, the KILE KDC MUST set the OK-AS-DELEGATE ticket flag ([RFC4120] section 2.8).

If ClaimsCompIdFASTSupport is set to:

  • 0: The KDC responds as if it does not process FAST.

  • 1, and a KDC_ERR_PREAUTH_REQUIRED is returned in the KRB_ERROR: The KDC SHOULD NOT return PA-FX-FAST [136] in the KRB_ERROR.

  • 1, 2, or 3 and an armored AS-REQ is received: The KDC processes per FAST ([RFC6113]).

  • 1 or 2, and an unarmored AS-REQ is received: The KDC continues without FAST.

  • 3, and an AS-REQ is received: If the principal is a computer account, then the KDC continues without FAST. Otherwise, the KDC returns KDC_ERR_PREAUTH_REQUIRED and returns PA-FX-FAST [136] ([RFC6113] section 5.4.2).<45>
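Added example, not part of the MS-KILE text: a small Python model of the two decision rules in this section (TicketFlags enforcement from the account variables, and the FAST behavior selected by ClaimsCompIdFASTSupport), useful for checking that a KDC under test or a policy review matches the specified behavior. The Principal class, the FastAction names and the sample account states are assumptions constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum

# Ticket flag names from [RFC4120] section 5.3; PA-FX-FAST padata type from [RFC6113].
PROXIABLE = "PROXIABLE"
FORWARDABLE = "FORWARDABLE"
OK_AS_DELEGATE = "OK-AS-DELEGATE"
PA_FX_FAST = 136


@dataclass
class Principal:
    """Constructed view of the account variables this section consults (assumed names)."""
    delegation_not_allowed: bool = False   # DelegationNotAllowed
    trusted_for_delegation: bool = False   # TrustedForDelegation
    protected_user: bool = False           # member of PROTECTED_USERS
    is_computer: bool = False              # computer account vs. user account


def ticket_flags(principal: Principal, requested: set, dc_functionality: int) -> set:
    """TicketFlags the KILE KDC will leave set, starting from what kdc-options asked for."""
    flags = set(requested)
    # DelegationNotAllowed, or Protected Users on a DFL >= 6 domain: never delegable.
    if principal.delegation_not_allowed or (dc_functionality >= 6 and principal.protected_user):
        flags -= {PROXIABLE, FORWARDABLE}
    # TrustedForDelegation: the service ticket advertises OK-AS-DELEGATE.
    if principal.trusted_for_delegation:
        flags.add(OK_AS_DELEGATE)
    return flags


class FastAction(Enum):
    NO_FAST = "continue without FAST"
    FAST = "process per FAST (RFC 6113)"
    PREAUTH_REQUIRED_WITH_FAST = "KDC_ERR_PREAUTH_REQUIRED advertising PA-FX-FAST"


def fast_action(support: int, armored: bool, principal: Principal) -> FastAction:
    """KDC handling of an AS-REQ for a given ClaimsCompIdFASTSupport value."""
    if support not in (0, 1, 2, 3):
        raise ValueError(f"unknown ClaimsCompIdFASTSupport value {support}")
    if support == 0:
        return FastAction.NO_FAST          # behaves as if it does not process FAST
    if armored:
        return FastAction.FAST             # 1, 2 or 3 with an armored AS-REQ
    if support == 3:                       # 3 and unarmored: only computers may skip FAST
        return FastAction.NO_FAST if principal.is_computer else FastAction.PREAUTH_REQUIRED_WITH_FAST
    return FastAction.NO_FAST              # 1 or 2 and unarmored


def advertises_pa_fx_fast(support: int) -> bool:
    """Whether a KDC_ERR_PREAUTH_REQUIRED KRB_ERROR should carry PA-FX-FAST (value 1: SHOULD NOT)."""
    return support != 1
```

Setting dc_functionality below 6 shows that Protected Users membership alone does not strip the delegation flags; the DFL check is what gates it.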