3.2.5.7 TGS Exchange

When the server name is not Krbtgt, the client SHOULD send an authorization data field ([RFC4120] section 5.2.6) with ad-type KERB-LOCAL (142) and ad-data containing a KERB-LOCAL structure (section 2.2.4), wrapped in an AD-IF-RELEVANT element ([RFC4120] section 5.2.6.1), in the enc-authorization-data field ([RFC4120] section 5.2.6).<32>

The Kerberos client SHOULD add a PA-PAC-OPTIONS [167] (section 2.2.10) PA-DATA type with the Branch Aware bit set to the TGS-REQ. If the KDC returns a server-principal-unknown error whose substatus is NTSTATUS STATUS_NO_SECRETS ([MS-ERREF] section 2.3.1), the client SHOULD send an AS-REQ to a full DC, adding a PA-PAC-OPTIONS [167] (section 2.2.10) PA-DATA type with the Forward to Full DC bit set, and then send a new TGS-REQ using the resulting TGT to the full DC.

If EnableCBACandArmor is TRUE, the Kerberos client SHOULD add a PA-PAC-OPTIONS [167] (section 2.2.10) PA-DATA type with the Claims bit set in the TGS-REQ to notify the KDC that the client is claims aware.<33>

If EnableCBACandArmor is TRUE, the Kerberos client SHOULD use FAST [RFC6113] when the realm supports FAST (section 3.2.5.4).<34>

If EnableCBACandArmor is TRUE and the application server's realm TGT's PA-SUPPORTED-ENCTYPES Compound Identity bit is set, the Kerberos client SHOULD send a compound identity TGS-REQ by using FAST with explicit armoring, using the computer's TGT.<35>
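The following example, added here and not part of MS-KILE or any Microsoft implementation, shows the wire encoding behind the two structures this section asks the client to build: the PA-PAC-OPTIONS PA-DATA (padata-type 167, carrying a 32-bit KerberosFlags BIT STRING with the Claims, Branch Aware and Forward to Full DC bits) and the KERB-LOCAL authorization data nested in AD-IF-RELEVANT. It uses a minimal hand-rolled DER encoder in place of an ASN.1 library, and the flag names and the sample KERB-LOCAL payload are constructed for illustration (MS-KILE leaves the KERB-LOCAL contents implementation-specific). The parser at the end is the part a defender or protocol analyst would use: given a PA-DATA element pulled from a captured TGS-REQ, it reports which PAC option bits the client set.

```python
"""PA-PAC-OPTIONS and KERB-LOCAL encoding/decoding with a minimal DER layer.
Example code added to this page; not from MS-KILE or a Microsoft implementation."""

PA_PAC_OPTIONS = 167   # padata-type, MS-KILE section 2.2.10
AD_IF_RELEVANT = 1     # ad-type, RFC 4120 section 5.2.6.1
AD_KERB_LOCAL = 142    # ad-type, MS-KILE section 2.2.4

# PACOptionFlags bit positions. KerberosFlags (RFC 4120 section 5.2.8) number
# bits from the most significant bit of the first octet, so bit 0 is 0x80.
FLAG_CLAIMS = 0
FLAG_BRANCH_AWARE = 1
FLAG_FORWARD_TO_FULL_DC = 2
FLAG_NAMES = {"claims": FLAG_CLAIMS, "branch_aware": FLAG_BRANCH_AWARE,
              "forward_to_full_dc": FLAG_FORWARD_TO_FULL_DC}


def _length(n: int) -> bytes:
    """DER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _length(len(body)) + body


def _int32(value: int) -> bytes:
    """DER INTEGER with the minimal two's-complement encoding."""
    size = max(1, (value.bit_length() + 8) // 8)
    return _tlv(0x02, value.to_bytes(size, "big", signed=True))


def _context(n: int, body: bytes) -> bytes:
    """[n] EXPLICIT context-specific constructed tag, as Kerberos ASN.1 uses."""
    return _tlv(0xA0 | n, body)


def _sequence(*parts: bytes) -> bytes:
    return _tlv(0x30, b"".join(parts))


def kerberos_flags(*bits: int) -> bytes:
    """32-bit KerberosFlags BIT STRING with the given bit numbers set."""
    value = 0
    for bit in bits:
        value |= 1 << (31 - bit)
    return _tlv(0x03, b"\x00" + value.to_bytes(4, "big"))  # 0 unused bits


def pa_pac_options(*bits: int) -> bytes:
    """PA-DATA { padata-type [1] 167, padata-value [2] OCTET STRING(PA-PAC-OPTIONS) }
    where PA-PAC-OPTIONS ::= SEQUENCE { flags [0] PACOptionFlags }."""
    options = _sequence(_context(0, kerberos_flags(*bits)))
    return _sequence(_context(1, _int32(PA_PAC_OPTIONS)),
                     _context(2, _tlv(0x04, options)))


def kerb_local_authz_data(local_blob: bytes) -> bytes:
    """AuthorizationData for enc-authorization-data: one AD-IF-RELEVANT element
    whose ad-data is itself an AuthorizationData holding one KERB-LOCAL element.
    local_blob is the implementation-specific KERB-LOCAL payload (constructed here)."""
    inner = _sequence(_sequence(_context(0, _int32(AD_KERB_LOCAL)),
                                _context(1, _tlv(0x04, local_blob))))
    return _sequence(_sequence(_context(0, _int32(AD_IF_RELEVANT)),
                               _context(1, _tlv(0x04, inner))))


def _read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, body, position after this element) for the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_pa_pac_options(padata: bytes) -> dict:
    """Decode one PA-DATA element and report which PACOptionFlags are set.
    Raises ValueError if the element is not padata-type 167."""
    tag, seq, _ = _read_tlv(padata)
    if tag != 0x30:
        raise ValueError("PA-DATA must be a SEQUENCE")
    tag, ptype_tlv, pos = _read_tlv(seq)
    _, ptype, _ = _read_tlv(ptype_tlv)
    if tag != 0xA1 or int.from_bytes(ptype, "big", signed=True) != PA_PAC_OPTIONS:
        raise ValueError("not a PA-PAC-OPTIONS PA-DATA")
    _, pvalue_tlv, _ = _read_tlv(seq, pos)
    _, options, _ = _read_tlv(pvalue_tlv)      # OCTET STRING body = PA-PAC-OPTIONS
    _, opt_seq, _ = _read_tlv(options)
    _, flags_ctx, _ = _read_tlv(opt_seq)       # flags [0]
    _, bitstr, _ = _read_tlv(flags_ctx)        # BIT STRING: unused-bits octet + data
    value, nbits = int.from_bytes(bitstr[1:], "big"), len(bitstr[1:]) * 8
    return {name: bool((value >> (nbits - 1 - bit)) & 1)
            for name, bit in FLAG_NAMES.items()}


if __name__ == "__main__":
    req = pa_pac_options(FLAG_CLAIMS, FLAG_BRANCH_AWARE)
    print("PA-DATA:", req.hex())
    print("flags  :", parse_pa_pac_options(req))
    print("authz  :", kerb_local_authz_data(b"\x00" * 16).hex())
```

Note that the same KerberosFlags convention applies to the Forward to Full DC bit used in the AS-REQ retry described above, so `pa_pac_options(FLAG_FORWARD_TO_FULL_DC)` produces that PA-DATA unchanged apart from the flag octet.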

© 2015 Microsoft