6 Appendix A: Product Behavior
The information in this specification is applicable to the following Microsoft products or supplemental software. References to product versions include released service packs.
Windows NT operating system
Windows 2000 operating system
Windows XP operating system
Windows Server 2003 operating system
Windows Vista operating system
Windows Server 2008 operating system
Windows 7 operating system
Windows Server 2008 R2 operating system
Windows 8 operating system
Windows Server 2012 operating system
Windows 8.1 operating system
Windows Server 2012 R2 operating system
Windows 10 operating system
Windows Server 2016 operating system
Exceptions, if any, are noted below. If a service pack or Quick Fix Engineering (QFE) number appears with the product version, behavior changed in that service pack or QFE. The new behavior also applies to subsequent service packs of the product unless otherwise specified. If a product edition appears with the product version, behavior is different in that product edition.
Unless otherwise specified, any statement of optional behavior in this specification that is prescribed using the terms SHOULD or SHOULD NOT implies product behavior in accordance with the SHOULD or SHOULD NOT prescription. Unless otherwise specified, the term MAY implies that the product does not follow the prescription.
<1> Section 1.5: Except for Windows NT, which predates Active Directory, Windows uses Active Directory as the database for the authorization. Active Directory uses the distinguished name (DN) of the security principal object and the userPrincipalName and altSecurityIdentities attributes on the security principal objects for establishing the relationship between the certificates and the authorization information, as specified in [MS-ADTS].
<2> Section 3.5.2: Except for Windows NT, Windows domain controllers extract the issuer DN and the subject DN from the X.509 certificate, and constructs the following string: "<I>[value of issuer]<S>[value of the subject DN]". The resulting string is evaluated against the altSecurityIdentities attribute of all user and machine account objects, and the scope of this evaluation is the entire forest. The altSecurityIdentities attribute is a multiple-value attribute.
<3> Section 3.5.2: The Windows 2000 domain controller and all subsequent versions of Windows domain controllers, according to the applicability list at the beginning of this section, extract the issuer DN from the X.509 certificate, and constructs the following string: "<I>[value of issuer]". The resulting string is evaluated against the altSecurityIdentities attribute of all user and machine account objects, and the scope of this evaluation is the entire forest. Note that the altSecurityIdentities attribute is a multiple-value attribute.