
If ClaimsCompIdFASTSupport is set to:

  • 0: The KDC SHOULD NOT insert into the returned PAC a PAC_CLIENT_CLAIMS_INFO structure ([MS-PAC] section 2.11).

  • 1: If a PA-PAC-OPTIONS [167] (section 2.2.10) PA-DATA type with the Claims bit set is in the AS REQ, the KDC SHOULD behave as noted in the next step, "2 or 3". Otherwise, the KDC SHOULD NOT provide a PAC_CLIENT_CLAIMS_INFO structure ([MS-PAC] section 2.11).

  • 2 or 3: The KDC SHOULD<55>:

    • Add the CLAIMS_VALID SID ([MS-DTYP] section to KERB_VALIDATION_INFO.ExtraSids.

    • Increment SidCount.

    • Add a PAC_CLIENT_CLAIMS_INFO structure as follows:

    For KILE implementations that use an Active Directory for the account database, KDCs SHOULD retrieve the claims from the local directory service instance with the same processing rules as defined in GetClaimsForPrincipal() ([MS-ADTS] section message processing. The KDC populates the returned PAC_CLIENT_CLAIMS_INFO structure fields as follows:

    • The Claims field SHOULD be set to the ClaimsBlob.
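The decision rules above, modeled as an added example that is not part of the specification or of any KDC implementation. The class and function names are hypothetical, the Claims bit is passed in as an already-decoded boolean, the claims lookup is a caller-supplied stand-in for GetClaimsForPrincipal(), and the CLAIMS_VALID SID string is taken from the [MS-DTYP] well-known SID list rather than from this section. The final function is a one-way consistency check a PAC validator could apply, assuming only the steps listed here.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# CLAIMS_VALID well-known SID as listed in [MS-DTYP]; not stated on this page.
CLAIMS_VALID_SID = "S-1-5-21-0-0-0-497"


@dataclass
class ValidationInfo:
    """Hypothetical stand-in for the two KERB_VALIDATION_INFO fields used here."""
    extra_sids: List[str] = field(default_factory=list)
    sid_count: int = 0


@dataclass
class Pac:
    validation_info: ValidationInfo = field(default_factory=ValidationInfo)
    client_claims: Optional[bytes] = None  # PAC_CLIENT_CLAIMS_INFO.Claims


def kdc_provides_claims(setting: int, claims_bit_in_as_req: bool) -> bool:
    """Map ClaimsCompIdFASTSupport plus the PA-PAC-OPTIONS Claims bit to a decision."""
    if setting == 0:
        return False
    if setting == 1:
        return claims_bit_in_as_req  # falls through to the "2 or 3" behavior
    if setting in (2, 3):
        return True
    raise ValueError(f"unexpected ClaimsCompIdFASTSupport value: {setting}")


def build_pac(setting: int, claims_bit_in_as_req: bool,
              get_claims_blob: Callable[[], bytes]) -> Pac:
    """Apply the "2 or 3" steps in order when claims are to be provided."""
    pac = Pac()
    if kdc_provides_claims(setting, claims_bit_in_as_req):
        info = pac.validation_info
        info.extra_sids.append(CLAIMS_VALID_SID)  # add CLAIMS_VALID to ExtraSids
        info.sid_count += 1                       # increment SidCount
        pac.client_claims = get_claims_blob()     # Claims := ClaimsBlob
    return pac


def claims_steps_consistent(pac: Pac) -> bool:
    """True unless claims are present without CLAIMS_VALID, or SidCount drifted."""
    info = pac.validation_info
    if info.sid_count != len(info.extra_sids):
        return False
    return pac.client_claims is None or CLAIMS_VALID_SID in info.extra_sids
```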

© 2015 Microsoft