188.8.131.52.4 Compound Identity
If a compound identity TGS-REQ (FAST TGS-REQ explicitly armored with the computer's ticket-granting ticket (TGT)) is received and a Compound-Identity-supported bit is set in the application server's service account’s KerbSupportedEncryptionTypes, the KDC SHOULD add to the privilege attribute certificate (PAC) a PAC_DEVICE_INFO structure ([MS-PAC] section 2.12) and PAC_DEVICE_CLAIMS_INFO structure ([MS-PAC] section 2.13) with the group membership and claims for the computer.<66>
The armor key for an explicitly armored TGT is generated as follows:
explicit_armor_key = KRB-FX-CF2(armor_subkey, ticket_session_key, "subkeyarmor", "ticketarmor")
armor_key = KRB-FX-CF2(explicit_armor_key, subkey, "explicitarmor", "tgsarmor")
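The two-stage derivation above, as an added example in Python that is not part of this specification or of any Microsoft implementation. It implements the KRB-FX-CF2 combination defined in RFC 6113 (PRF+ counter expansion of each key with its pepper, XOR of the two expansions, then random-to-key) and chains it twice with the four pepper strings given above. Assumptions: armor_subkey, ticket_session_key and subkey are treated as opaque byte strings supplied by the caller; the encryption type's own PRF (for AES, the RFC 3962 PRF, which needs an AES library) is replaced by an HMAC-SHA256 stand-in so the example runs with the standard library only; random-to-key is the identity and the key length is 32 bytes, as for AES256. The combining logic is unchanged by those substitutions.

```python
import hashlib
import hmac
from typing import Callable

# A PRF maps (key, octet string) to a fixed-length block of pseudo-random octets.
PRF = Callable[[bytes, bytes], bytes]


def stand_in_prf(key: bytes, data: bytes) -> bytes:
    """Stand-in PRF (assumption): HMAC-SHA256 instead of the enctype's PRF."""
    return hmac.new(key, data, hashlib.sha256).digest()


def prf_plus(key: bytes, pepper: bytes, key_len: int, prf: PRF) -> bytes:
    """PRF+(K, S) = truncate(PRF(K, 0x01 || S) || PRF(K, 0x02 || S) || ...) to key_len.

    The single-octet counter is prepended to the pepper on each iteration so that
    one PRF output block can be expanded to any required key length."""
    out = b""
    counter = 1
    while len(out) < key_len:
        out += prf(key, bytes([counter]) + pepper)
        counter += 1
    return out[:key_len]


def random_to_key(octets: bytes) -> bytes:
    """random-to-key: the identity for AES enctypes (assumption: AES-style key)."""
    return octets


def krb_fx_cf2(k1: bytes, k2: bytes, pepper1: bytes, pepper2: bytes,
               key_len: int, prf: PRF = stand_in_prf) -> bytes:
    """KRB-FX-CF2(K1, K2, pepper1, pepper2) =
       random-to-key(PRF+(K1, pepper1) XOR PRF+(K2, pepper2))."""
    a = prf_plus(k1, pepper1, key_len, prf)
    b = prf_plus(k2, pepper2, key_len, prf)
    return random_to_key(bytes(x ^ y for x, y in zip(a, b)))


def explicit_tgt_armor_key(armor_subkey: bytes, ticket_session_key: bytes,
                           subkey: bytes, key_len: int = 32) -> bytes:
    """Armor key for an explicitly armored TGT: the two KRB-FX-CF2 steps above.

    Because each step mixes two independent keys, the resulting armor key cannot be
    computed by a party that knows only one of armor_subkey, ticket_session_key or
    subkey."""
    explicit_armor_key = krb_fx_cf2(armor_subkey, ticket_session_key,
                                    b"subkeyarmor", b"ticketarmor", key_len)
    return krb_fx_cf2(explicit_armor_key, subkey,
                      b"explicitarmor", b"tgsarmor", key_len)


if __name__ == "__main__":
    # Constructed sample keys; real keys come from the FAST exchange and the TGT.
    armor_subkey = bytes(range(32))
    ticket_session_key = bytes(range(32, 64))
    subkey = b"\x07" * 32
    print(explicit_tgt_armor_key(armor_subkey, ticket_session_key, subkey).hex())
```

Two properties worth checking on any implementation: changing any one of the three inputs changes the armor key, and swapping the two keys of a single KRB-FX-CF2 call with identical peppers gives the same result, since XOR commutes; only the distinct pepper strings tie each key to its role.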
The KDC SHOULD populate the following PAC_DEVICE_INFO structure ([MS-PAC] section 2.12) fields by using the following fields from the KERB_VALIDATION_INFO structure from the computer’s TGT:
UserID: from the UserID field
PrimaryGroupId: from the PrimaryGroupId field
AccountDomainId: from the LogonDomainId field
AccountGroupCount: from the GroupCount field
AccountGroupIds: from the GroupIds field
The non-account domain fields MUST be initialized as follows:
SidCount field set to zero
ExtraSids field is NULL
DomainCount field set to zero
DomainGroup field is NULL
The KDC MUST call IDL_DRSGetMemberships ([MS-DRSR] section 4.1.8) to obtain the Domain Local Group Membership as described in section 184.108.40.206.3 using the computer TGT. If ExtraSids.Sid in the Domain Local Group Membership (section 220.127.116.11.3) is the only SID from a domain, then ExtraSids SHOULD be used:
Add one to the SidCount field.
The ExtraSids field SHOULD be populated with the value of the ExtraSids field in the Domain Local Group Membership (section 18.104.22.168.3), using the computer principal.
For the remaining ExtraSids.Sid values, DomainGroup SHOULD be used:
The DomainCount field contains the number of domains with DomainGroup populated.
The DomainGroup field SHOULD be populated for each domain where:
The DomainId field contains the SID for the domain.
The GroupCount field contains the number of groups in GroupIds field.
For each ExtraSids.Sid in the DomainId domain, the GroupIds field SHOULD be populated with the value of the ResourceGroupIds field in the Domain Local Group Membership (section 22.214.171.124.3) using the computer principal.
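The population rules above, as an added worked example in Python that is not part of this specification or of any Microsoft implementation. It copies the account-domain fields from the computer TGT's KERB_VALIDATION_INFO, then partitions the Domain Local Group Membership by domain: a domain that contributes exactly one SID goes into ExtraSids (SidCount incremented), and a domain that contributes several SIDs becomes one DomainGroup entry holding the domain SID and the group RIDs. Assumptions and simplifications: the Domain Local Group Membership is modeled as the list of its ExtraSids.Sid values as strings, SIDs are split into domain SID and RID at the last hyphen, GroupIds holds bare RIDs (the per-group attributes carried in the real structure are omitted), and all SID values are constructed for the sample.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass
class KerbValidationInfo:
    """Subset of KERB_VALIDATION_INFO read from the computer's TGT (modeled)."""
    UserId: int
    PrimaryGroupId: int
    LogonDomainId: str      # account domain SID, e.g. "S-1-5-21-..." (constructed)
    GroupIds: list[int]     # RIDs of the account domain groups

    @property
    def GroupCount(self) -> int:
        return len(self.GroupIds)


@dataclass
class DomainGroup:
    """One DomainGroup entry: a domain SID plus the RIDs of groups in that domain."""
    DomainId: str
    GroupCount: int
    GroupIds: list[int]


@dataclass
class PacDeviceInfo:
    """PAC_DEVICE_INFO fields named in the text; non-account fields start empty."""
    UserId: int
    PrimaryGroupId: int
    AccountDomainId: str
    AccountGroupCount: int
    AccountGroupIds: list[int]
    SidCount: int = 0
    ExtraSids: Optional[list[str]] = None          # NULL until populated
    DomainCount: int = 0
    DomainGroup: Optional[list[DomainGroup]] = None  # NULL until populated


def split_sid(sid: str) -> tuple[str, int]:
    """Split "S-1-5-21-a-b-c-RID" into (domain SID, RID) at the last hyphen."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def build_pac_device_info(vi: KerbValidationInfo,
                          domain_local_sids: list[str]) -> PacDeviceInfo:
    """Populate PAC_DEVICE_INFO from the computer TGT and its domain-local groups."""
    info = PacDeviceInfo(UserId=vi.UserId,
                         PrimaryGroupId=vi.PrimaryGroupId,
                         AccountDomainId=vi.LogonDomainId,
                         AccountGroupCount=vi.GroupCount,
                         AccountGroupIds=list(vi.GroupIds))
    # Group the domain-local SIDs by issuing domain, preserving first-seen order.
    by_domain: dict[str, list[int]] = defaultdict(list)
    for sid in domain_local_sids:
        domain, rid = split_sid(sid)
        by_domain[domain].append(rid)
    for domain, rids in by_domain.items():
        if len(rids) == 1:
            # The only SID from this domain: carry the full SID in ExtraSids.
            if info.ExtraSids is None:
                info.ExtraSids = []
            info.ExtraSids.append(f"{domain}-{rids[0]}")
            info.SidCount += 1
        else:
            # Several SIDs from one domain: one DomainGroup entry with their RIDs.
            if info.DomainGroup is None:
                info.DomainGroup = []
            info.DomainGroup.append(
                DomainGroup(DomainId=domain, GroupCount=len(rids), GroupIds=rids))
            info.DomainCount += 1
    return info


# Constructed sample values (not from the specification).
SAMPLE_VI = KerbValidationInfo(UserId=1105, PrimaryGroupId=515,
                               LogonDomainId="S-1-5-21-1000-2000-3000",
                               GroupIds=[515, 1107])
SAMPLE_DOMAIN_LOCAL = [
    "S-1-5-21-4000-5000-6000-1201",   # only SID from the first resource domain
    "S-1-5-21-7000-8000-9000-1301",   # two SIDs from the second resource domain
    "S-1-5-21-7000-8000-9000-1302",
]

if __name__ == "__main__":
    print(build_pac_device_info(SAMPLE_VI, SAMPLE_DOMAIN_LOCAL))
```

With the sample input the first resource domain lands in ExtraSids with SidCount 1, the second becomes a single DomainGroup entry with GroupCount 2, and an empty membership leaves SidCount, DomainCount at zero and both pointer fields NULL, matching the initialization rules above.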
The KDC SHOULD populate the following PAC_DEVICE_CLAIMS_INFO structure ([MS-PAC] section 2.13) fields using the following fields from the PAC_CLIENT_CLAIMS_INFO structure from the computer's TGT:
Claims: Claims field.